init
This commit is contained in:
@@ -0,0 +1,474 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Config;
|
||||
|
||||
use CodeIgniter\Shield\Config\Auth as ShieldAuth;
|
||||
use CodeIgniter\Shield\Authentication\Actions\ActionInterface;
|
||||
use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
|
||||
use CodeIgniter\Shield\Authentication\Authenticators\AccessTokens;
|
||||
use CodeIgniter\Shield\Authentication\Authenticators\Session;
|
||||
use CodeIgniter\Shield\Authentication\Passwords\CompositionValidator;
|
||||
use CodeIgniter\Shield\Authentication\Passwords\DictionaryValidator;
|
||||
use CodeIgniter\Shield\Authentication\Passwords\NothingPersonalValidator;
|
||||
use CodeIgniter\Shield\Authentication\Passwords\PwnedValidator;
|
||||
use CodeIgniter\Shield\Authentication\Passwords\ValidatorInterface;
|
||||
use CodeIgniter\Shield\Models\UserModel;
|
||||
|
||||
class Auth extends ShieldAuth
|
||||
{
|
||||
/**
|
||||
* ////////////////////////////////////////////////////////////////////
|
||||
* AUTHENTICATION
|
||||
* ////////////////////////////////////////////////////////////////////
|
||||
*/
|
||||
public array $views = [
|
||||
'login' => '\App\Views\auth\login',
|
||||
'register' => '\App\Views\auth\register',
|
||||
'layout' => '\App\Views\templates\header',
|
||||
'action_email_2fa' => '\App\Views\auth\email_2fa_show',
|
||||
'action_email_2fa_verify' => '\App\Views\auth\email_2fa_verify',
|
||||
'action_email_2fa_email' => '\App\Views\auth\email\email_2fa_email',
|
||||
'action_email_activate_show' => '\App\Views\auth\email_activate_show',
|
||||
'action_email_activate_email' => '\App\Views\auth\email\email_activate_email',
|
||||
'magic-link-login' => '\App\Views\auth\magic_link_form',
|
||||
'magic-link-message' => '\App\Views\auth\magic_link_message',
|
||||
'magic-link-email' => '\App\Views\auth\email\magic_link_email',
|
||||
'set-password' => '\App\Views\auth\set_password',
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Redirect URLs
|
||||
* --------------------------------------------------------------------
|
||||
* The default URL that a user will be redirected to after various auth
|
||||
* auth actions. This can be either of the following:
|
||||
*
|
||||
* 1. An absolute URL. E.g. http://example.com OR https://example.com
|
||||
* 2. A named route that can be accessed using `route_to()` or `url_to()`
|
||||
* 3. A URI path within the application. e.g 'admin', 'login', 'expath'
|
||||
*
|
||||
* If you need more flexibility you can override the `getUrl()` method
|
||||
* to apply any logic you may need.
|
||||
*/
|
||||
public array $redirects = [
|
||||
'register' => '/',
|
||||
'login' => '/',
|
||||
'logout' => 'login',
|
||||
'force_reset' => '/set-password',
|
||||
'permission_denied' => '/',
|
||||
'group_denied' => '/',
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Authentication Actions
|
||||
* --------------------------------------------------------------------
|
||||
* Specifies the class that represents an action to take after
|
||||
* the user logs in or registers a new account at the site.
|
||||
*
|
||||
* You must register actions in the order of the actions to be performed.
|
||||
*
|
||||
* Available actions with Shield:
|
||||
* - register: \CodeIgniter\Shield\Authentication\Actions\EmailActivator::class
|
||||
* - login: \CodeIgniter\Shield\Authentication\Actions\Email2FA::class
|
||||
*
|
||||
* @var array<string, class-string<ActionInterface>|null>
|
||||
*/
|
||||
public array $actions = [
|
||||
'register' => null,//\CodeIgniter\Shield\Authentication\Actions\EmailActivator::class
|
||||
'login' => null,
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Authenticators
|
||||
* --------------------------------------------------------------------
|
||||
* The available authentication systems, listed
|
||||
* with alias and class name. These can be referenced
|
||||
* by alias in the auth helper:
|
||||
* auth('tokens')->attempt($credentials);
|
||||
*
|
||||
* @var array<string, class-string<AuthenticatorInterface>>
|
||||
*/
|
||||
public array $authenticators = [
|
||||
'tokens' => AccessTokens::class,
|
||||
'session' => Session::class,
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Name of Authenticator Header
|
||||
* --------------------------------------------------------------------
|
||||
* The name of Header that the Authorization token should be found.
|
||||
* According to the specs, this should be `Authorization`, but rare
|
||||
* circumstances might need a different header.
|
||||
*/
|
||||
public array $authenticatorHeader = [
|
||||
'tokens' => 'Authorization',
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Unused Token Lifetime
|
||||
* --------------------------------------------------------------------
|
||||
* Determines the amount of time, in seconds, that an unused
|
||||
* access token can be used.
|
||||
*/
|
||||
public int $unusedTokenLifetime = YEAR;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Default Authenticator
|
||||
* --------------------------------------------------------------------
|
||||
* The Authenticator to use when none is specified.
|
||||
* Uses the $key from the $authenticators array above.
|
||||
*/
|
||||
public string $defaultAuthenticator = 'session';
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Authentication Chain
|
||||
* --------------------------------------------------------------------
|
||||
* The Authenticators to test logged in status against
|
||||
* when using the 'chain' filter. Each Authenticator listed will be checked.
|
||||
* If no match is found, then the next in the chain will be checked.
|
||||
*
|
||||
* @var string[]
|
||||
* @phpstan-var list<string>
|
||||
*/
|
||||
public array $authenticationChain = [
|
||||
'session',
|
||||
'tokens',
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Allow Registration
|
||||
* --------------------------------------------------------------------
|
||||
* Determines whether users can register for the site.
|
||||
*/
|
||||
public bool $allowRegistration = true;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Record Last Active Date
|
||||
* --------------------------------------------------------------------
|
||||
* If true, will always update the `last_active` datetime for the
|
||||
* logged in user on every page request.
|
||||
*/
|
||||
public bool $recordActiveDate = true;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Allow Magic Link Logins
|
||||
* --------------------------------------------------------------------
|
||||
* If true, will allow the use of "magic links" sent via the email
|
||||
* as a way to log a user in without the need for a password.
|
||||
* By default, this is used in place of a password reset flow, but
|
||||
* could be modified as the only method of login once an account
|
||||
* has been set up.
|
||||
*/
|
||||
public bool $allowMagicLinkLogins = true;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Magic Link Lifetime
|
||||
* --------------------------------------------------------------------
|
||||
* Specifies the amount of time, in seconds, that a magic link is valid.
|
||||
* You can use Time Constants or any desired number.
|
||||
*/
|
||||
public int $magicLinkLifetime = HOUR;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Session Authenticator Configuration
|
||||
* --------------------------------------------------------------------
|
||||
* These settings only apply if you are using the Session Authenticator
|
||||
* for authentication.
|
||||
*
|
||||
* - field The name of the key the current user info is stored in session
|
||||
* - allowRemembering Does the system allow use of "remember-me"
|
||||
* - rememberCookieName The name of the cookie to use for "remember-me"
|
||||
* - rememberLength The length of time, in seconds, to remember a user.
|
||||
*
|
||||
* @var array<string, bool|int|string>
|
||||
*/
|
||||
public array $sessionConfig = [
|
||||
'field' => 'user',
|
||||
'allowRemembering' => true,
|
||||
'rememberCookieName' => 'remember',
|
||||
'rememberLength' => 30 * DAY,
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Minimum Password Length
|
||||
* --------------------------------------------------------------------
|
||||
* The minimum length that a password must be to be accepted.
|
||||
* Recommended minimum value by NIST = 8 characters.
|
||||
*/
|
||||
public int $minimumPasswordLength = 8;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Password Check Helpers
|
||||
* --------------------------------------------------------------------
|
||||
* The PasswordValidator class runs the password through all of these
|
||||
* classes, each getting the opportunity to pass/fail the password.
|
||||
* You can add custom classes as long as they adhere to the
|
||||
* CodeIgniter\Shield\Authentication\Passwords\ValidatorInterface.
|
||||
*
|
||||
* @var class-string<ValidatorInterface>[]
|
||||
*/
|
||||
public array $passwordValidators = [
|
||||
CompositionValidator::class, // 비밀번호가 8자리 이상
|
||||
NothingPersonalValidator::class, // 비밀번호에 개인 정보(예: 이메일, 사용자 이름)가 포함되지 않았는지 확인합니다.
|
||||
DictionaryValidator::class, // 비밀번호가 사전에 있는 단어와 일치하지 않는지 확인합니다.
|
||||
// PwnedValidator::class,
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Valid login fields
|
||||
* --------------------------------------------------------------------
|
||||
* Fields that are available to be used as credentials for login.
|
||||
*/
|
||||
public array $validFields = [
|
||||
'email',
|
||||
'username',
|
||||
];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Additional Fields for "Nothing Personal"
|
||||
* --------------------------------------------------------------------
|
||||
* The NothingPersonalValidator prevents personal information from
|
||||
* being used in passwords. The email and username fields are always
|
||||
* considered by the validator. Do not enter those field names here.
|
||||
*
|
||||
* An extended User Entity might include other personal info such as
|
||||
* first and/or last names. $personalFields is where you can add
|
||||
* fields to be considered as "personal" by the NothingPersonalValidator.
|
||||
* For example:
|
||||
* $personalFields = ['firstname', 'lastname'];
|
||||
*/
|
||||
public array $personalFields = [];
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Password / Username Similarity
|
||||
* --------------------------------------------------------------------
|
||||
* Among other things, the NothingPersonalValidator checks the
|
||||
* amount of sameness between the password and username.
|
||||
* Passwords that are too much like the username are invalid.
|
||||
*
|
||||
* The value set for $maxSimilarity represents the maximum percentage
|
||||
* of similarity at which the password will be accepted. In other words, any
|
||||
* calculated similarity equal to, or greater than $maxSimilarity
|
||||
* is rejected.
|
||||
*
|
||||
* The accepted range is 0-100, with 0 (zero) meaning don't check similarity.
|
||||
* Using values at either extreme of the *working range* (1-100) is
|
||||
* not advised. The low end is too restrictive and the high end is too permissive.
|
||||
* The suggested value for $maxSimilarity is 50.
|
||||
*
|
||||
* You may be thinking that a value of 100 should have the effect of accepting
|
||||
* everything like a value of 0 does. That's logical and probably true,
|
||||
* but is unproven and untested. Besides, 0 skips the work involved
|
||||
* making the calculation unlike when using 100.
|
||||
*
|
||||
* The (admittedly limited) testing that's been done suggests a useful working range
|
||||
* of 50 to 60. You can set it lower than 50, but site users will probably start
|
||||
* to complain about the large number of proposed passwords getting rejected.
|
||||
* At around 60 or more it starts to see pairs like 'captain joe' and 'joe*captain' as
|
||||
* perfectly acceptable which clearly they are not.
|
||||
*
|
||||
* To disable similarity checking set the value to 0.
|
||||
* public $maxSimilarity = 0;
|
||||
*/
|
||||
public int $maxSimilarity = 50;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* Hashing Algorithm to use
|
||||
* --------------------------------------------------------------------
|
||||
* Valid values are
|
||||
* - PASSWORD_DEFAULT (default)
|
||||
* - PASSWORD_BCRYPT
|
||||
* - PASSWORD_ARGON2I - As of PHP 7.2 only if compiled with support for it
|
||||
* - PASSWORD_ARGON2ID - As of PHP 7.3 only if compiled with support for it
|
||||
*/
|
||||
public string $hashAlgorithm = PASSWORD_DEFAULT;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* ARGON2I/ARGON2ID Algorithm options
|
||||
* --------------------------------------------------------------------
|
||||
* The ARGON2I method of hashing allows you to define the "memory_cost",
|
||||
* the "time_cost" and the number of "threads", whenever a password hash is
|
||||
* created.
|
||||
*/
|
||||
public int $hashMemoryCost = 65536; // PASSWORD_ARGON2_DEFAULT_MEMORY_COST;
|
||||
|
||||
public int $hashTimeCost = 4; // PASSWORD_ARGON2_DEFAULT_TIME_COST;
|
||||
public int $hashThreads = 1; // PASSWORD_ARGON2_DEFAULT_THREADS;
|
||||
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* BCRYPT Algorithm options
|
||||
* --------------------------------------------------------------------
|
||||
* The BCRYPT method of hashing allows you to define the "cost"
|
||||
* or number of iterations made, whenever a password hash is created.
|
||||
* This defaults to a value of 10 which is an acceptable number.
|
||||
* However, depending on the security needs of your application
|
||||
* and the power of your hardware, you might want to increase the
|
||||
* cost. This makes the hashing process takes longer.
|
||||
*
|
||||
* Valid range is between 4 - 31.
|
||||
*/
|
||||
public int $hashCost = 10;
|
||||
|
||||
/**
|
||||
* ////////////////////////////////////////////////////////////////////
|
||||
* OTHER SETTINGS
|
||||
* ////////////////////////////////////////////////////////////////////
|
||||
*/
|
||||
/**
|
||||
* --------------------------------------------------------------------
|
||||
* User Provider
|
||||
* --------------------------------------------------------------------
|
||||
* The name of the class that handles user persistence.
|
||||
* By default, this is the included UserModel, which
|
||||
* works with any of the database engines supported by CodeIgniter.
|
||||
* You can change it as long as they adhere to the
|
||||
* CodeIgniter\Shield\Models\UserModel.
|
||||
*
|
||||
* @var class-string<UserModel>
|
||||
*/
|
||||
public string $userProvider = UserModel::class;
|
||||
|
||||
/**
|
||||
* Returns the URL that a user should be redirected
|
||||
* to after a successful login.
|
||||
*/
|
||||
public function loginRedirect(): string
|
||||
{
|
||||
if(auth()->user()->inGroup('guest')){
|
||||
return $this->getUrl('/guest');
|
||||
}
|
||||
|
||||
if(auth()->user()->inGroup('advertiser', 'agency')){
|
||||
return $this->getUrl('/integrate');
|
||||
}
|
||||
|
||||
$url = setting('Auth.redirects')['login'];
|
||||
|
||||
return $this->getUrl($url);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the URL that a user should be redirected
|
||||
* to after they are logged out.
|
||||
*/
|
||||
public function logoutRedirect(): string
|
||||
{
|
||||
$url = setting('Auth.redirects')['logout'];
|
||||
|
||||
return $this->getUrl($url);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the URL the user should be redirected to
|
||||
* after a successful registration.
|
||||
*/
|
||||
public function registerRedirect(): string
|
||||
{
|
||||
if(auth()->user()->inGroup('guest')){
|
||||
return $this->getUrl('/guest');
|
||||
}
|
||||
$url = setting('Auth.redirects')['register'];
|
||||
|
||||
return $this->getUrl($url);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the URL the user should be redirected to
|
||||
* if force_reset identity is set to true.
|
||||
*/
|
||||
public function forcePasswordResetRedirect(): string
|
||||
{
|
||||
$url = setting('Auth.redirects')['force_reset'];
|
||||
|
||||
return $this->getUrl($url);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the URL the user should be redirected to
|
||||
* if permission denied.
|
||||
*/
|
||||
public function permissionDeniedRedirect(): string
|
||||
{
|
||||
if(auth()->user()->inGroup('guest')){
|
||||
return $this->getUrl('/guest');
|
||||
}
|
||||
|
||||
if(auth()->user()->inGroup('advertiser', 'agency')){
|
||||
return $this->getUrl('/integrate');
|
||||
}
|
||||
|
||||
$url = setting('Auth.redirects')['permission_denied'];
|
||||
|
||||
return $this->getUrl($url);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the URL the user should be redirected to
|
||||
* if group denied.
|
||||
*/
|
||||
public function groupDeniedRedirect(): string
|
||||
{
|
||||
if(auth()->user()->inGroup('guest')){
|
||||
return $this->getUrl('/guest');
|
||||
}
|
||||
|
||||
if(auth()->user()->inGroup('advertiser', 'agency')){
|
||||
return $this->getUrl('/integrate');
|
||||
}
|
||||
|
||||
$url = setting('Auth.redirects')['group_denied'];
|
||||
|
||||
return $this->getUrl($url);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Accepts a string which can be an absolute URL or
|
||||
* a named route or just a URI path, and returns the
|
||||
* full path.
|
||||
*
|
||||
* @param string $url an absolute URL or a named route or just URI path
|
||||
*/
|
||||
protected function getUrl(string $url): string
|
||||
{
|
||||
// To accommodate all url patterns
|
||||
$final_url = '';
|
||||
|
||||
switch (true) {
|
||||
case strpos($url, 'http://') === 0 || strpos($url, 'https://') === 0: // URL begins with 'http' or 'https'. E.g. http://example.com
|
||||
$final_url = $url;
|
||||
break;
|
||||
|
||||
case route_to($url) !== false: // URL is a named-route
|
||||
$final_url = rtrim(url_to($url), '/ ');
|
||||
break;
|
||||
|
||||
default: // URL is a route (URI path)
|
||||
$final_url = rtrim(site_url($url), '/ ');
|
||||
break;
|
||||
}
|
||||
|
||||
return $final_url;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user