Files
2025-03-05 14:02:29 +09:00

475 lines
18 KiB
PHP

<?php
declare(strict_types=1);
namespace Config;
use CodeIgniter\Shield\Config\Auth as ShieldAuth;
use CodeIgniter\Shield\Authentication\Actions\ActionInterface;
use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
use CodeIgniter\Shield\Authentication\Authenticators\AccessTokens;
use CodeIgniter\Shield\Authentication\Authenticators\Session;
use CodeIgniter\Shield\Authentication\Passwords\CompositionValidator;
use CodeIgniter\Shield\Authentication\Passwords\DictionaryValidator;
use CodeIgniter\Shield\Authentication\Passwords\NothingPersonalValidator;
use CodeIgniter\Shield\Authentication\Passwords\PwnedValidator;
use CodeIgniter\Shield\Authentication\Passwords\ValidatorInterface;
use CodeIgniter\Shield\Models\UserModel;
class Auth extends ShieldAuth
{
/**
* ////////////////////////////////////////////////////////////////////
* AUTHENTICATION
* ////////////////////////////////////////////////////////////////////
*/
public array $views = [
'login' => '\App\Views\auth\login',
'register' => '\App\Views\auth\register',
'layout' => '\App\Views\templates\header',
'action_email_2fa' => '\App\Views\auth\email_2fa_show',
'action_email_2fa_verify' => '\App\Views\auth\email_2fa_verify',
'action_email_2fa_email' => '\App\Views\auth\email\email_2fa_email',
'action_email_activate_show' => '\App\Views\auth\email_activate_show',
'action_email_activate_email' => '\App\Views\auth\email\email_activate_email',
'magic-link-login' => '\App\Views\auth\magic_link_form',
'magic-link-message' => '\App\Views\auth\magic_link_message',
'magic-link-email' => '\App\Views\auth\email\magic_link_email',
'set-password' => '\App\Views\auth\set_password',
];
/**
* --------------------------------------------------------------------
* Redirect URLs
* --------------------------------------------------------------------
* The default URL that a user will be redirected to after various auth
* auth actions. This can be either of the following:
*
* 1. An absolute URL. E.g. http://example.com OR https://example.com
* 2. A named route that can be accessed using `route_to()` or `url_to()`
* 3. A URI path within the application. e.g 'admin', 'login', 'expath'
*
* If you need more flexibility you can override the `getUrl()` method
* to apply any logic you may need.
*/
public array $redirects = [
'register' => '/',
'login' => '/',
'logout' => 'login',
'force_reset' => '/set-password',
'permission_denied' => '/',
'group_denied' => '/',
];
/**
* --------------------------------------------------------------------
* Authentication Actions
* --------------------------------------------------------------------
* Specifies the class that represents an action to take after
* the user logs in or registers a new account at the site.
*
* You must register actions in the order of the actions to be performed.
*
* Available actions with Shield:
* - register: \CodeIgniter\Shield\Authentication\Actions\EmailActivator::class
* - login: \CodeIgniter\Shield\Authentication\Actions\Email2FA::class
*
* @var array<string, class-string<ActionInterface>|null>
*/
public array $actions = [
'register' => null,//\CodeIgniter\Shield\Authentication\Actions\EmailActivator::class
'login' => null,
];
/**
* --------------------------------------------------------------------
* Authenticators
* --------------------------------------------------------------------
* The available authentication systems, listed
* with alias and class name. These can be referenced
* by alias in the auth helper:
* auth('tokens')->attempt($credentials);
*
* @var array<string, class-string<AuthenticatorInterface>>
*/
public array $authenticators = [
'tokens' => AccessTokens::class,
'session' => Session::class,
];
/**
* --------------------------------------------------------------------
* Name of Authenticator Header
* --------------------------------------------------------------------
* The name of Header that the Authorization token should be found.
* According to the specs, this should be `Authorization`, but rare
* circumstances might need a different header.
*/
public array $authenticatorHeader = [
'tokens' => 'Authorization',
];
/**
* --------------------------------------------------------------------
* Unused Token Lifetime
* --------------------------------------------------------------------
* Determines the amount of time, in seconds, that an unused
* access token can be used.
*/
public int $unusedTokenLifetime = YEAR;
/**
* --------------------------------------------------------------------
* Default Authenticator
* --------------------------------------------------------------------
* The Authenticator to use when none is specified.
* Uses the $key from the $authenticators array above.
*/
public string $defaultAuthenticator = 'session';
/**
* --------------------------------------------------------------------
* Authentication Chain
* --------------------------------------------------------------------
* The Authenticators to test logged in status against
* when using the 'chain' filter. Each Authenticator listed will be checked.
* If no match is found, then the next in the chain will be checked.
*
* @var string[]
* @phpstan-var list<string>
*/
public array $authenticationChain = [
'session',
'tokens',
];
/**
* --------------------------------------------------------------------
* Allow Registration
* --------------------------------------------------------------------
* Determines whether users can register for the site.
*/
public bool $allowRegistration = true;
/**
* --------------------------------------------------------------------
* Record Last Active Date
* --------------------------------------------------------------------
* If true, will always update the `last_active` datetime for the
* logged in user on every page request.
*/
public bool $recordActiveDate = true;
/**
* --------------------------------------------------------------------
* Allow Magic Link Logins
* --------------------------------------------------------------------
* If true, will allow the use of "magic links" sent via the email
* as a way to log a user in without the need for a password.
* By default, this is used in place of a password reset flow, but
* could be modified as the only method of login once an account
* has been set up.
*/
public bool $allowMagicLinkLogins = true;
/**
* --------------------------------------------------------------------
* Magic Link Lifetime
* --------------------------------------------------------------------
* Specifies the amount of time, in seconds, that a magic link is valid.
* You can use Time Constants or any desired number.
*/
public int $magicLinkLifetime = HOUR;
/**
* --------------------------------------------------------------------
* Session Authenticator Configuration
* --------------------------------------------------------------------
* These settings only apply if you are using the Session Authenticator
* for authentication.
*
* - field The name of the key the current user info is stored in session
* - allowRemembering Does the system allow use of "remember-me"
* - rememberCookieName The name of the cookie to use for "remember-me"
* - rememberLength The length of time, in seconds, to remember a user.
*
* @var array<string, bool|int|string>
*/
public array $sessionConfig = [
'field' => 'user',
'allowRemembering' => true,
'rememberCookieName' => 'remember',
'rememberLength' => 30 * DAY,
];
/**
* --------------------------------------------------------------------
* Minimum Password Length
* --------------------------------------------------------------------
* The minimum length that a password must be to be accepted.
* Recommended minimum value by NIST = 8 characters.
*/
public int $minimumPasswordLength = 8;
/**
* --------------------------------------------------------------------
* Password Check Helpers
* --------------------------------------------------------------------
* The PasswordValidator class runs the password through all of these
* classes, each getting the opportunity to pass/fail the password.
* You can add custom classes as long as they adhere to the
* CodeIgniter\Shield\Authentication\Passwords\ValidatorInterface.
*
* @var class-string<ValidatorInterface>[]
*/
public array $passwordValidators = [
CompositionValidator::class, // 비밀번호가 8자리 이상
NothingPersonalValidator::class, // 비밀번호에 개인 정보(예: 이메일, 사용자 이름)가 포함되지 않았는지 확인합니다.
DictionaryValidator::class, // 비밀번호가 사전에 있는 단어와 일치하지 않는지 확인합니다.
// PwnedValidator::class,
];
/**
* --------------------------------------------------------------------
* Valid login fields
* --------------------------------------------------------------------
* Fields that are available to be used as credentials for login.
*/
public array $validFields = [
'email',
'username',
];
/**
* --------------------------------------------------------------------
* Additional Fields for "Nothing Personal"
* --------------------------------------------------------------------
* The NothingPersonalValidator prevents personal information from
* being used in passwords. The email and username fields are always
* considered by the validator. Do not enter those field names here.
*
* An extended User Entity might include other personal info such as
* first and/or last names. $personalFields is where you can add
* fields to be considered as "personal" by the NothingPersonalValidator.
* For example:
* $personalFields = ['firstname', 'lastname'];
*/
public array $personalFields = [];
/**
* --------------------------------------------------------------------
* Password / Username Similarity
* --------------------------------------------------------------------
* Among other things, the NothingPersonalValidator checks the
* amount of sameness between the password and username.
* Passwords that are too much like the username are invalid.
*
* The value set for $maxSimilarity represents the maximum percentage
* of similarity at which the password will be accepted. In other words, any
* calculated similarity equal to, or greater than $maxSimilarity
* is rejected.
*
* The accepted range is 0-100, with 0 (zero) meaning don't check similarity.
* Using values at either extreme of the *working range* (1-100) is
* not advised. The low end is too restrictive and the high end is too permissive.
* The suggested value for $maxSimilarity is 50.
*
* You may be thinking that a value of 100 should have the effect of accepting
* everything like a value of 0 does. That's logical and probably true,
* but is unproven and untested. Besides, 0 skips the work involved
* making the calculation unlike when using 100.
*
* The (admittedly limited) testing that's been done suggests a useful working range
* of 50 to 60. You can set it lower than 50, but site users will probably start
* to complain about the large number of proposed passwords getting rejected.
* At around 60 or more it starts to see pairs like 'captain joe' and 'joe*captain' as
* perfectly acceptable which clearly they are not.
*
* To disable similarity checking set the value to 0.
* public $maxSimilarity = 0;
*/
public int $maxSimilarity = 50;
/**
* --------------------------------------------------------------------
* Hashing Algorithm to use
* --------------------------------------------------------------------
* Valid values are
* - PASSWORD_DEFAULT (default)
* - PASSWORD_BCRYPT
* - PASSWORD_ARGON2I - As of PHP 7.2 only if compiled with support for it
* - PASSWORD_ARGON2ID - As of PHP 7.3 only if compiled with support for it
*/
public string $hashAlgorithm = PASSWORD_DEFAULT;
/**
* --------------------------------------------------------------------
* ARGON2I/ARGON2ID Algorithm options
* --------------------------------------------------------------------
* The ARGON2I method of hashing allows you to define the "memory_cost",
* the "time_cost" and the number of "threads", whenever a password hash is
* created.
*/
public int $hashMemoryCost = 65536; // PASSWORD_ARGON2_DEFAULT_MEMORY_COST;
public int $hashTimeCost = 4; // PASSWORD_ARGON2_DEFAULT_TIME_COST;
public int $hashThreads = 1; // PASSWORD_ARGON2_DEFAULT_THREADS;
/**
* --------------------------------------------------------------------
* BCRYPT Algorithm options
* --------------------------------------------------------------------
* The BCRYPT method of hashing allows you to define the "cost"
* or number of iterations made, whenever a password hash is created.
* This defaults to a value of 10 which is an acceptable number.
* However, depending on the security needs of your application
* and the power of your hardware, you might want to increase the
* cost. This makes the hashing process takes longer.
*
* Valid range is between 4 - 31.
*/
public int $hashCost = 10;
/**
* ////////////////////////////////////////////////////////////////////
* OTHER SETTINGS
* ////////////////////////////////////////////////////////////////////
*/
/**
* --------------------------------------------------------------------
* User Provider
* --------------------------------------------------------------------
* The name of the class that handles user persistence.
* By default, this is the included UserModel, which
* works with any of the database engines supported by CodeIgniter.
* You can change it as long as they adhere to the
* CodeIgniter\Shield\Models\UserModel.
*
* @var class-string<UserModel>
*/
public string $userProvider = UserModel::class;
/**
* Returns the URL that a user should be redirected
* to after a successful login.
*/
public function loginRedirect(): string
{
if(auth()->user()->inGroup('guest')){
return $this->getUrl('/guest');
}
if(auth()->user()->inGroup('advertiser', 'agency')){
return $this->getUrl('/integrate');
}
$url = setting('Auth.redirects')['login'];
return $this->getUrl($url);
}
/**
* Returns the URL that a user should be redirected
* to after they are logged out.
*/
public function logoutRedirect(): string
{
$url = setting('Auth.redirects')['logout'];
return $this->getUrl($url);
}
/**
* Returns the URL the user should be redirected to
* after a successful registration.
*/
public function registerRedirect(): string
{
if(auth()->user()->inGroup('guest')){
return $this->getUrl('/guest');
}
$url = setting('Auth.redirects')['register'];
return $this->getUrl($url);
}
/**
* Returns the URL the user should be redirected to
* if force_reset identity is set to true.
*/
public function forcePasswordResetRedirect(): string
{
$url = setting('Auth.redirects')['force_reset'];
return $this->getUrl($url);
}
/**
* Returns the URL the user should be redirected to
* if permission denied.
*/
public function permissionDeniedRedirect(): string
{
if(auth()->user()->inGroup('guest')){
return $this->getUrl('/guest');
}
if(auth()->user()->inGroup('advertiser', 'agency')){
return $this->getUrl('/integrate');
}
$url = setting('Auth.redirects')['permission_denied'];
return $this->getUrl($url);
}
/**
* Returns the URL the user should be redirected to
* if group denied.
*/
public function groupDeniedRedirect(): string
{
if(auth()->user()->inGroup('guest')){
return $this->getUrl('/guest');
}
if(auth()->user()->inGroup('advertiser', 'agency')){
return $this->getUrl('/integrate');
}
$url = setting('Auth.redirects')['group_denied'];
return $this->getUrl($url);
}
/**
* Accepts a string which can be an absolute URL or
* a named route or just a URI path, and returns the
* full path.
*
* @param string $url an absolute URL or a named route or just URI path
*/
protected function getUrl(string $url): string
{
// To accommodate all url patterns
$final_url = '';
switch (true) {
case strpos($url, 'http://') === 0 || strpos($url, 'https://') === 0: // URL begins with 'http' or 'https'. E.g. http://example.com
$final_url = $url;
break;
case route_to($url) !== false: // URL is a named-route
$final_url = rtrim(url_to($url), '/ ');
break;
default: // URL is a route (URI path)
$final_url = rtrim(site_url($url), '/ ');
break;
}
return $final_url;
}
}