Merge pull request #181 from kenjis/add-id-type-logins-table

feat: add `id_type` in logins table

Author: kenjis

src/Authentication/Actions/Email2FA.php

@@ -16,7 +16,7 @@
  */
 class Email2FA implements ActionInterface
 {
-    private string $type = 'email_2fa';
+    private string $type = Session::ID_TYPE_EMAIL_2FA;
 
     /**
      * Displays the "Hey we're going to send you a number to your email"

src/Authentication/Actions/EmailActivator.php

@@ -13,7 +13,7 @@
 
 class EmailActivator implements ActionInterface
 {
-    private string $type = 'email_activate';
+    private string $type = Session::ID_TYPE_EMAIL_ACTIVATE;
 
     /**
      * Shows the initial screen to the user telling them

src/Authentication/Authenticators/AccessTokens.php

@@ -15,6 +15,8 @@
 
 class AccessTokens implements AuthenticatorInterface
 {
+    public const ID_TYPE_ACCESS_TOKEN = 'access_token';
+
     /**
      * The persistence engine
      */
@@ -51,7 +53,8 @@ public function attempt(array $credentials): Result
         if (! $result->isOK()) {
             // Always record a login attempt, whether success or not.
             $this->loginModel->recordLoginAttempt(
-                'token: ' . ($credentials['token'] ?? ''),
+                self::ID_TYPE_ACCESS_TOKEN,
+                $credentials['token'] ?? '',
                 false,
                 $ipAddress,
                 $userAgent
@@ -69,7 +72,8 @@ public function attempt(array $credentials): Result
         $this->login($user);
 
         $this->loginModel->recordLoginAttempt(
-            'token: ' . ($credentials['token'] ?? ''),
+            self::ID_TYPE_ACCESS_TOKEN,
+            $credentials['token'] ?? '',
             true,
             $ipAddress,
             $userAgent,

src/Authentication/Authenticators/Session.php

@@ -25,10 +25,20 @@
 
 class Session implements AuthenticatorInterface
 {
-    private const STATE_UNKNOWN   = 0;
-    private const STATE_ANONYMOUS = 1;
-    private const STATE_PENDING   = 2;
-    private const STATE_LOGGED_IN = 3;
+    /**
+     * @var string Special ID Type.
+     *             `username` is stored in `users` table, so no `auth_identities` record.
+     */
+    public const ID_TYPE_USERNAME = 'username';
+
+    public const ID_TYPE_EMAIL_PASSWORD = 'email_password';
+    public const ID_TYPE_MAGIC_LINK     = 'magic-link';
+    public const ID_TYPE_EMAIL_2FA      = 'email_2fa';
+    public const ID_TYPE_EMAIL_ACTIVATE = 'email_activate';
+    private const STATE_UNKNOWN         = 0;
+    private const STATE_ANONYMOUS       = 1;
+    private const STATE_PENDING         = 2;
+    private const STATE_LOGGED_IN       = 3;
 
     /**
      * The persistence engine
@@ -239,7 +249,12 @@ private function recordLoginAttempt(
         string $userAgent,
         $userId = null
     ): void {
+        $idType = (! isset($credentials['email']) && isset($credentials['username']))
+            ? self::ID_TYPE_USERNAME
+            : self::ID_TYPE_EMAIL_PASSWORD;
+
         $this->loginModel->recordLoginAttempt(
+            $idType,
             $credentials['email'] ?? $credentials['username'],
             $success,
             $ipAddress,

src/Controllers/MagicLinkController.php

@@ -62,15 +62,15 @@ public function loginAction()
         $identityModel = model(UserIdentityModel::class);
 
         // Delete any previous magic-link identities
-        $identityModel->deleteIdentitiesByType($user, 'magic-link');
+        $identityModel->deleteIdentitiesByType($user, Session::ID_TYPE_MAGIC_LINK);
 
         // Generate the code and save it as an identity
         helper('text');
         $token = random_string('crypto', 20);
 
         $identityModel->insert([
             'user_id' => $user->id,
-            'type'    => 'magic-link',
+            'type'    => Session::ID_TYPE_MAGIC_LINK,
             'secret'  => $token,
             'expires' => Time::now()->addSeconds(setting('Auth.magicLinkLifetime'))->toDateTimeString(),
         ]);
@@ -105,9 +105,9 @@ public function verify(): RedirectResponse
         /** @var UserIdentityModel $identityModel */
         $identityModel = model(UserIdentityModel::class);
 
-        $identity = $identityModel->getIdentityBySecret('magic-link', $token);
+        $identity = $identityModel->getIdentityBySecret(Session::ID_TYPE_MAGIC_LINK, $token);
 
-        $identifier = 'magic-link: ' . $token;
+        $identifier = $token ?? '';
 
         // No token found?
         if ($identity === null) {
@@ -158,6 +158,7 @@ private function recordLoginAttempt(
         $loginModel = model(LoginModel::class);
 
         $loginModel->recordLoginAttempt(
+            Session::ID_TYPE_MAGIC_LINK,
             $identifier,
             $success,
             $this->request->getIPAddress(),

src/Database/Migrations/2020-12-28-223112_create_auth_tables.php

@@ -57,13 +57,14 @@ public function up(): void
             'id'         => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'auto_increment' => true],
             'ip_address' => ['type' => 'varchar', 'constraint' => 255],
             'user_agent' => ['type' => 'varchar', 'constraint' => 255, 'null' => true],
+            'id_type'    => ['type' => 'varchar', 'constraint' => 255],
             'identifier' => ['type' => 'varchar', 'constraint' => 255],
             'user_id'    => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'null' => true], // Only for successful logins
             'date'       => ['type' => 'datetime'],
             'success'    => ['type' => 'tinyint', 'constraint' => 1],
         ]);
         $this->forge->addPrimaryKey('id');
-        $this->forge->addKey('identifier');
+        $this->forge->addKey(['id_type', 'identifier']);
         $this->forge->addKey('user_id');
         // NOTE: Do NOT delete the user_id or identifier when the user is deleted for security audits
         $this->forge->createTable('auth_logins', true);
@@ -76,13 +77,14 @@ public function up(): void
             'id'         => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'auto_increment' => true],
             'ip_address' => ['type' => 'varchar', 'constraint' => 255],
             'user_agent' => ['type' => 'varchar', 'constraint' => 255, 'null' => true],
+            'id_type'    => ['type' => 'varchar', 'constraint' => 255],
             'identifier' => ['type' => 'varchar', 'constraint' => 255],
             'user_id'    => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'null' => true], // Only for successful logins
             'date'       => ['type' => 'datetime'],
             'success'    => ['type' => 'tinyint', 'constraint' => 1],
         ]);
         $this->forge->addPrimaryKey('id');
-        $this->forge->addKey('identifier');
+        $this->forge->addKey(['id_type', 'identifier']);
         $this->forge->addKey('user_id');
         // NOTE: Do NOT delete the user_id or identifier when the user is deleted for security audits
         $this->forge->createTable('auth_token_logins', true);

src/Entities/User.php

@@ -3,6 +3,7 @@
 namespace CodeIgniter\Shield\Entities;
 
 use CodeIgniter\Entity\Entity;
+use CodeIgniter\Shield\Authentication\Authenticators\Session;
 use CodeIgniter\Shield\Authentication\Traits\HasAccessTokens;
 use CodeIgniter\Shield\Authorization\Traits\Authorizable;
 use CodeIgniter\Shield\Models\LoginModel;
@@ -47,7 +48,8 @@ class User extends Entity
     /**
      * Returns the first identity of the given $type for this user.
      *
-     * @param string $type 'email_2fa'|'email_activate'|'email_password'|'magic-link'
+     * @param string $type See const ID_TYPE_* in Authenticator.
+     *                     'email_2fa'|'email_activate'|'email_password'|'magic-link'|'access_token'
      */
     public function getIdentity(string $type): ?UserIdentity
     {
@@ -116,7 +118,7 @@ public function createEmailIdentity(array $credentials): void
      */
     public function getEmailIdentity(): ?UserIdentity
     {
-        return $this->getIdentity('email_password');
+        return $this->getIdentity(Session::ID_TYPE_EMAIL_PASSWORD);
     }
 
     /**

src/Models/CheckQueryReturnTrait.php

@@ -2,6 +2,7 @@
 
 namespace CodeIgniter\Shield\Models;
 
+use CodeIgniter\Shield\Exceptions\RuntimeException;
 use ReflectionObject;
 use ReflectionProperty;
 
@@ -13,6 +14,8 @@ private function checkQueryReturn(bool $return): void
     {
         $this->restoreDBDebug();
 
+        $this->checkValidationError();
+
         if ($return === false) {
             $error   = $this->db->error();
             $message = 'Query error: ' . $error['code'] . ', '
@@ -22,6 +25,21 @@ private function checkQueryReturn(bool $return): void
         }
     }
 
+    private function checkValidationError(): void
+    {
+        $validationErrors = $this->validation->getErrors();
+
+        if ($validationErrors !== []) {
+            $message = 'Validation error:';
+
+            foreach ($validationErrors as $field => $error) {
+                $message .= ' [' . $field . '] ' . $error;
+            }
+
+            throw new RuntimeException($message);
+        }
+    }
+
     private function disableDBDebug(): void
     {
         if (! $this->db->DBDebug) {

src/Models/LoginModel.php

@@ -4,6 +4,7 @@
 
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Model;
+use CodeIgniter\Shield\Authentication\Authenticators\Session;
 use CodeIgniter\Shield\Entities\Login;
 use CodeIgniter\Shield\Entities\User;
 use Exception;
@@ -20,6 +21,7 @@ class LoginModel extends Model
     protected $allowedFields  = [
         'ip_address',
         'user_agent',
+        'id_type',
         'identifier',
         'user_id',
         'date',
@@ -28,7 +30,8 @@ class LoginModel extends Model
     protected $useTimestamps   = false;
     protected $validationRules = [
         'ip_address' => 'required',
-        'identifier' => 'required',
+        'id_type'    => 'required',
+        'identifier' => 'permit_empty|string',
         'user_agent' => 'permit_empty|string',
         'user_id'    => 'permit_empty|integer',
         'date'       => 'required|valid_date',
@@ -37,9 +40,15 @@ class LoginModel extends Model
     protected $skipValidation     = false;
 
     /**
+     * Records login attempt.
+     *
+     * @param string          $idType Identifier type. See const ID_YPE_* in Authenticator.
+     *                                auth_logins: 'email_password'|'username'|'magic-link'
+     *                                auth_token_logins: 'access-token'
      * @param int|string|null $userId
      */
     public function recordLoginAttempt(
+        string $idType,
         string $identifier,
         bool $success,
         ?string $ipAddress = null,
@@ -49,6 +58,7 @@ public function recordLoginAttempt(
         $return = $this->insert([
             'ip_address' => $ipAddress,
             'user_agent' => $userAgent,
+            'id_type'    => $idType,
             'identifier' => $identifier,
             'user_id'    => $userId,
             'date'       => date('Y-m-d H:i:s'),
@@ -78,6 +88,7 @@ public function fake(Generator &$faker): Login
     {
         return new Login([
             'ip_address' => $faker->ipv4,
+            'id_type'    => Session::ID_TYPE_EMAIL_PASSWORD,
             'identifier' => $faker->email,
             'user_id'    => null,
             'date'       => Time::parse('-1 day')->toDateTimeString(),

src/Models/UserIdentityModel.php

@@ -3,6 +3,8 @@
 namespace CodeIgniter\Shield\Models;
 
 use CodeIgniter\Model;
+use CodeIgniter\Shield\Authentication\Authenticators\AccessTokens;
+use CodeIgniter\Shield\Authentication\Authenticators\Session;
 use CodeIgniter\Shield\Authentication\Passwords;
 use CodeIgniter\Shield\Entities\AccessToken;
 use CodeIgniter\Shield\Entities\User;
@@ -59,7 +61,7 @@ public function createEmailIdentity(User $user, array $credentials): void
 
         $return = $this->insert([
             'user_id' => $user->id,
-            'type'    => 'email_password',
+            'type'    => Session::ID_TYPE_EMAIL_PASSWORD,
             'secret'  => $credentials['email'],
             'secret2' => $passwords->hash($credentials['password']),
         ]);
@@ -119,7 +121,7 @@ public function generateAccessToken(User $user, string $name, array $scopes = ['
         helper('text');
 
         $return = $this->insert([
-            'type'    => 'access_token',
+            'type'    => AccessTokens::ID_TYPE_ACCESS_TOKEN,
             'user_id' => $user->id,
             'name'    => $name,
             'secret'  => hash('sha256', $rawToken = random_string('crypto', 64)),
@@ -141,7 +143,7 @@ public function generateAccessToken(User $user, string $name, array $scopes = ['
     public function getAccessTokenByRawToken(string $rawToken): ?AccessToken
     {
         return $this
-            ->where('type', 'access_token')
+            ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->where('secret', hash('sha256', $rawToken))
             ->asObject(AccessToken::class)
             ->first();
@@ -150,7 +152,7 @@ public function getAccessTokenByRawToken(string $rawToken): ?AccessToken
     public function getAccessToken(User $user, string $rawToken): ?AccessToken
     {
         return $this->where('user_id', $user->id)
-            ->where('type', 'access_token')
+            ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->where('secret', hash('sha256', $rawToken))
             ->asObject(AccessToken::class)
             ->first();
@@ -164,7 +166,7 @@ public function getAccessToken(User $user, string $rawToken): ?AccessToken
     public function getAccessTokenById($id, User $user): ?AccessToken
     {
         return $this->where('user_id', $user->id)
-            ->where('type', 'access_token')
+            ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->where('id', $id)
             ->asObject(AccessToken::class)
             ->first();
@@ -177,7 +179,7 @@ public function getAllAccessTokens(User $user): array
     {
         return $this
             ->where('user_id', $user->id)
-            ->where('type', 'access_token')
+            ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->orderBy($this->primaryKey)
             ->asObject(AccessToken::class)
             ->findAll();
@@ -267,7 +269,7 @@ public function deleteIdentitiesByType(User $user, string $type): void
     public function revokeAccessToken(User $user, string $rawToken): void
     {
         $return = $this->where('user_id', $user->id)
-            ->where('type', 'access_token')
+            ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->where('secret', hash('sha256', $rawToken))
             ->delete();
 
@@ -280,7 +282,7 @@ public function revokeAccessToken(User $user, string $rawToken): void
     public function revokeAllAccessTokens(User $user): void
     {
         $return = $this->where('user_id', $user->id)
-            ->where('type', 'access_token')
+            ->where('type', AccessTokens::ID_TYPE_ACCESS_TOKEN)
             ->delete();
 
         $this->checkQueryReturn($return);
@@ -290,7 +292,7 @@ public function fake(Generator &$faker): UserIdentity
     {
         return new UserIdentity([
             'user_id'      => fake(UserModel::class)->id,
-            'type'         => 'email_password',
+            'type'         => Session::ID_TYPE_EMAIL_PASSWORD,
             'name'         => null,
             'secret'       => 'info@example.com',
             'secret2'      => password_hash('secret', PASSWORD_DEFAULT),