Add OneTimetokenAuthenticator as part of the magic link feature

.github/workflows/ci.yml

@@ -7,30 +7,35 @@ on:
 
 jobs:
   testsuite:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3', '8.4']
         db-type: [sqlite, mysql, pgsql]
         prefer-lowest: ['']
 
     steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - name: Setup MySQL latest
         if: matrix.db-type == 'mysql'
-        run: docker run --rm --name=mysqld -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=cakephp -p 3306:3306 -d mysql --default-authentication-plugin=mysql_native_password --disable-log-bin
+        run: |
+          sudo service mysql start
+          mysql -h 127.0.0.1 -u root -proot -e 'CREATE DATABASE cakephp;'
+
 
       - name: Setup PostgreSQL latest
         if: matrix.db-type == 'pgsql'
         run: docker run --rm --name=postgres -e POSTGRES_PASSWORD=postgres -e POSTGRES_DB=cakephp -p 5432:5432 -d postgres
 
-      - uses: actions/checkout@v2
-
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php-version }}
-          extensions: mbstring, intl, apcu, memcached, redis, pdo_${{ matrix.db-type }}
+          extensions: mbstring, intl, apcu, memcached, redis, pdo_${{ matrix.db-type }}, ${{ matrix.db-type }}
           ini-values: apc.enable_cli = 1
           coverage: pcov
 
@@ -57,22 +62,22 @@ jobs:
           fi
 
       - name: Setup problem matchers for PHPUnit
-        if: matrix.php-version == '8.1' && matrix.db-type == 'mysql'
+        if: matrix.php-version == '8.2' && matrix.db-type == 'mysql'
         run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json"
 
       - name: Run PHPUnit
         run: |
           if [[ ${{ matrix.db-type }} == 'sqlite' ]]; then export DB_URL='sqlite:///:memory:'; fi
-          if [[ ${{ matrix.db-type }} == 'mysql' ]]; then export DB_URL='mysql://root:[email protected]/cakephp'; fi
+          if [[ ${{ matrix.db-type }} == 'mysql' ]]; then export DB_URL='mysql://root:[email protected]/cakephp?encoding=utf8'; fi
           if [[ ${{ matrix.db-type }} == 'pgsql' ]]; then export DB_URL='postgres://postgres:[email protected]/postgres'; fi
-          if [[ ${{ matrix.php-version }} == '8.1' ]]; then
+          if [[ ${{ matrix.php-version }} == '8.2' ]]; then
             export CODECOVERAGE=1 && vendor/bin/phpunit --coverage-clover=coverage.xml
           else
             vendor/bin/phpunit
           fi
 
       - name: Submit code coverage
-        if: matrix.php-version == '8.1'
+        if: matrix.php-version == '8.2'
         uses: codecov/codecov-action@v1
 
   cs-stan:
@@ -85,7 +90,7 @@ jobs:
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
-          php-version: '8.1'
+          php-version: '8.2'
           extensions: mbstring, intl, apcu, memcached, redis
           tools: cs2pr
           coverage: none

Docs/Documentation/TwoFactor.md

@@ -8,6 +8,14 @@ Configuration
 
 Processors defined as Configure storage with key `TwoFactorProcessors`
 
+By default `\RobThree\Auth\Providers\Qr\EndroidQrCodeProvider` is used.
+
+You can disable it by adding this to any config file:
+
+`OneTimePasswordAuthenticator.qrcodeprovider` => `YOUR QR CODE PROVIDER`
+
+To get a list of available providers please visit [RobThree/TwoFactorAuth](https://robthree.github.io/TwoFactorAuth/qr-codes.html) documentation.
+
 
 Processors
 -------------

composer.json

@@ -26,18 +26,19 @@
         "source": "https://github.com/CakeDC/auth"
     },
     "require": {
-        "php": ">=8.1.0",
+        "php": ">=8.2.0",
         "cakephp/cakephp": "^5.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^10.0",
+        "endroid/qr-code": "^6.0",
         "league/oauth2-facebook": "@stable",
         "league/oauth2-instagram": "@stable",
         "league/oauth2-google": "@stable",
         "league/oauth2-linkedin": "@stable",
         "luchianenco/oauth2-amazon": "^1.1",
         "google/recaptcha": "@stable",
-        "robthree/twofactorauth": "^2.0",
+        "robthree/twofactorauth": "^3.0",
         "league/oauth1-client": "^1.7",
         "cakephp/authorization": "^3.0",
         "cakephp/cakephp-codesniffer": "^5.0",

config/auth.php

@@ -108,7 +108,7 @@
         // The algorithm used
         'algorithm' => \RobThree\Auth\Algorithm::Sha1,
         // QR-code provider (more on this later)
-        'qrcodeprovider' => null,
+        'qrcodeprovider' => new \RobThree\Auth\Providers\Qr\EndroidQrCodeProvider(),
         // Random Number Generator provider (more on this later)
         'rngprovider' => null
     ],

src/Authenticator/OneTimeTokenAuthenticator.php

@@ -0,0 +1,41 @@
+<?php
+declare(strict_types=1);
+
+namespace CakeDC\Auth\Authenticator;
+
+use Authentication\Authenticator\AbstractAuthenticator;
+use Authentication\Authenticator\AuthenticatorInterface;
+use Authentication\Authenticator\Result;
+use Authentication\Authenticator\ResultInterface;
+use Cake\Core\Configure;
+use Cake\ORM\TableRegistry;
+use Psr\Http\Message\ServerRequestInterface;
+
+class OneTimeTokenAuthenticator extends AbstractAuthenticator implements AuthenticatorInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function authenticate(ServerRequestInterface $request): ResultInterface
+    {
+        /** @var \Cake\Http\ServerRequest $request */
+        $token = $request->getQuery('token') ?: $request->getData('token');
+        if (is_array($token)) {
+            $token = join($token);
+        }
+
+        if (!$token) {
+            return new Result(null, Result::FAILURE_CREDENTIALS_MISSING);
+        }
+
+        $usersTable = TableRegistry::getTableLocator()->get(Configure::read('Users.table'));
+
+        $user = $usersTable->loginWithToken($token);
+
+        if (!$user) {
+            return new Result(null, Result::FAILURE_CREDENTIALS_MISSING);
+        }
+
+        return new Result($user, Result::SUCCESS);
+    }
+}

src/Controller/Component/OneTimePasswordAuthenticatorComponent.php

@@ -41,11 +41,11 @@ public function initialize(array $config): void
 
         if (Configure::read('OneTimePasswordAuthenticator.login')) {
             $this->tfa = new TwoFactorAuth(
+                Configure::read('OneTimePasswordAuthenticator.qrcodeprovider'),
                 Configure::read('OneTimePasswordAuthenticator.issuer'),
                 Configure::read('OneTimePasswordAuthenticator.digits'),
                 Configure::read('OneTimePasswordAuthenticator.period'),
                 Configure::read('OneTimePasswordAuthenticator.algorithm'),
-                Configure::read('OneTimePasswordAuthenticator.qrcodeprovider'),
                 Configure::read('OneTimePasswordAuthenticator.rngprovider')
             );
         }

src/Exception/InvalidProviderException.php

@@ -32,7 +32,7 @@ class InvalidProviderException extends CakeException
      * @param int $code code
      * @param null $previous previous
      */
-    public function __construct(array|string $message, int $code = 500, $previous = null)
+    public function __construct(array|string $message, int $code = 500, null $previous = null)
     {
         parent::__construct($message, $code, $previous);
     }

src/Exception/InvalidSettingsException.php

@@ -32,7 +32,7 @@ class InvalidSettingsException extends CakeException
      * @param int $code code
      * @param null $previous previous
      */
-    public function __construct(array|string $message, int $code = 500, $previous = null)
+    public function __construct(array|string $message, int $code = 500, null $previous = null)
     {
         parent::__construct($message, $code, $previous);
     }

tests/TestCase/Authenticator/CookieAuthenticatorTest.php

@@ -82,7 +82,7 @@ public function testPersistIdentity($setCookie, $field, array $post, array $sess
         $this->assertInstanceOf(RequestInterface::class, $result['request']);
         $this->assertInstanceOf(ResponseInterface::class, $result['response']);
         if ($setCookie) {
-            $this->assertStringContainsString('CookieAuth=%5B%22johndoe%22%2C%22%242y%2410%24', $result['response']->getHeaderLine('Set-Cookie'));
+            $this->assertStringContainsString('CookieAuth=%5B%22johndoe%22%2C%22%242y%24', $result['response']->getHeaderLine('Set-Cookie'));
         } else {
             $this->assertStringNotContainsString('CookieAuth', $result['response']->getHeaderLine('Set-Cookie'));
         }