php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-08-06 14:19:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
yii2/docs/guide/security-authentication.md
tom-- 2c5c2c101b Fixes #4131: Security adjustments
2014-07-26 03:29:30 +04:00

3.0 KiB
Raw Blame History

Authentication

Note: This section is under development.

Authentication is the act of verifying who a user is, and is the basis of the login process. Typically, authentication uses the combination of an identifier--a username or email address--and a password. The user submits these values through a form, and the application then compares the submitted information against that previously stored (e.g., upon registration).

In Yii, this entire process is performed semi-automatically, leaving the developer to merely implement yii\web\IdentityInterface, the most important class in the authentication system. Typically, implementation of IdentityInterface is accomplished using the User model.

You can find a fully featured example of authentication in the advanced application template. Below, only the interface methods are listed:

class User extends ActiveRecord implements IdentityInterface
{
    // ...

    /**
     * Finds an identity by the given ID.
     *
     * @param string|integer $id the ID to be looked for
     * @return IdentityInterface|null the identity object that matches the given ID.
     */
    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    /**
     * Finds an identity by the given token.
     *
     * @param string $token the token to be looked for
     * @return IdentityInterface|null the identity object that matches the given token.
     */
    public static function findIdentityByAccessToken($token, $type = null)
    {
        return static::findOne(['access_token' => $token]);
    }

    /**
     * @return int|string current user ID
     */
    public function getId()
    {
        return $this->id;
    }

    /**
     * @return string current user auth key
     */
    public function getAuthKey()
    {
        return $this->auth_key;
    }

    /**
     * @param string $authKey
     * @return boolean if auth key is valid for current user
     */
    public function validateAuthKey($authKey)
    {
        return $this->getAuthKey() === $authKey;
    }
}

Two of the outlined methods are simple: findIdentity is provided with an ID value and returns a model instance associated with that ID. The getId method returns the ID itself. Two of the other methods getAuthKey and validateAuthKey are used to provide extra security to the "remember me" cookie. The getAuthKey method should return a string that is unique for each user. You can reliably create a unique string using Yii::$app->getSecurity()->generateRandomString(). It's a good idea to also save this as part of the user's record:

public function beforeSave($insert)
{
    if (parent::beforeSave($insert)) {
        if ($this->isNewRecord) {
            $this->auth_key = Yii::$app->getSecurity()->generateRandomString();
        }
        return true;
    }
    return false;
}

The validateAuthKey method just needs to compare the $authKey variable, passed as parameter (itself retrieved from a cookie), with the value fetched from database.