Authenticator extends AutoService
in package
implements HookInterface

The Authenticator does the main work of authx, i.e. it analyzes a credential, checks whether the current policy accepts this credential, and logs in as the target person.

Tags
service

authx.authenticator

Table of Contents

Interfaces

HookInterface
Interface HookInterface

Properties

$authxUf  : AuthxInterface
$rejectMode  : string

Methods

__construct()  : mixed
Authenticator constructor.
auth()  : bool
Run the entire authentication routine, checking credentials, checking policy, and ultimately logging in.
on_civi_invoke_auth()  : bool|void
When 'CRM_Core_Invoke' fires 'civi.invoke.auth', we should check for credentials.
setRejectMode()  : $this
Specify the rejection mode.
validate()  : array{flow: string, credType: string, jwt: ?array, useSession: bool, userId: ?int, contactId: ?int}
Determine whether credentials are valid. This is similar to `auth()` but stops short of performing an actual login.
checkCredential()  : array<string|int, mixed>|null
Assess the credential ($tgt->cred) and determine the matching principal.
checkPolicy()  : mixed
Does our policy permit this login?
login()  : mixed
Update Civi and UF to recognize the authenticated user.
reject()  : mixed
Reject a bad authentication attempt.

Properties

$rejectMode

protected string $rejectMode = 'send'

Ex: 'send' or 'exception'

Methods

__construct()

Authenticator constructor.

public __construct() : mixed

auth()

Run the entire authentication routine, checking credentials, checking policy, and ultimately logging in.

public auth(GenericHookEvent $e, array{flow: string, useSession: ?bool, cred: ?string, principal: ?array} $details) : bool
Parameters
$e : GenericHookEvent

Details for the 'civi.invoke.auth' event.

$details : array{flow: string, useSession: ?bool, cred: ?string, principal: ?array}

Describe the authentication process with these properties:

  • string $flow (required): The type of authentication flow being used. Ex: 'param', 'header', 'auto'
  • bool $useSession (default FALSE): If TRUE, then the authentication should be persistent (in a session variable). If FALSE, then the authentication should be ephemeral (single page-request).

And then ONE of these properties to describe the user/principal:

  • string $cred: The credential, as formatted in the 'Authorization' header. Ex: 'Bearer 12345', 'Basic ASDFFDSA=='
  • array $principal: Description of a validated principal. Must include 'contactId', 'userId', xor 'user'
Tags
throws
Exception
Return values
bool

Returns TRUE on success. Exits with failure
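
The shape of the `$details` array that `auth()` takes can be checked before the call. The following is an added example, not authx's own code: the function name `example_check_authx_details`, its error messages and the summary keys `scheme`, `credLength` and `principalKeys` are hypothetical. It assumes a single-token credential after the scheme, and for the principal it only requires that at least one of the three identifying keys is present.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of authx): check the shape of $details.
// Returns a log-safe summary; the credential itself is never copied into it.
function example_check_authx_details(array $details): array {
  if (!is_string($details['flow'] ?? NULL) || $details['flow'] === '') {
    throw new InvalidArgumentException("'flow' is required");
  }
  // NULL counts as "not given", matching the ?string / ?array types.
  $hasCred = isset($details['cred']);
  $hasPrincipal = isset($details['principal']);
  if ($hasCred === $hasPrincipal) {
    throw new InvalidArgumentException("Provide exactly one of 'cred' or 'principal'");
  }
  $summary = [
    'flow' => $details['flow'],
    'useSession' => (bool) ($details['useSession'] ?? FALSE),
  ];
  if ($hasCred) {
    // 'Authorization' header format: "<scheme> <credential>", e.g. 'Bearer 12345'.
    if (!is_string($details['cred']) || !preg_match('/^([A-Za-z]+) +(\S+)$/', $details['cred'], $m)) {
      throw new InvalidArgumentException("'cred' must look like '<scheme> <credential>'");
    }
    return $summary + ['scheme' => $m[1], 'credLength' => strlen($m[2])];
  }
  $p = $details['principal'];
  // Assumption: at least one identifying key; any stricter rule is left to authx.
  $keys = is_array($p)
    ? array_values(array_intersect(['contactId', 'userId', 'user'], array_keys($p)))
    : [];
  if ($keys === []) {
    throw new InvalidArgumentException("'principal' needs 'contactId', 'userId' or 'user'");
  }
  return $summary + ['principalKeys' => $keys];
}

// Constructed sample inputs, using the example values from the text above.
echo json_encode(example_check_authx_details(['flow' => 'header', 'cred' => 'Bearer 12345'])), "\n";
echo json_encode(example_check_authx_details(['flow' => 'auto', 'useSession' => TRUE, 'principal' => ['userId' => 123]])), "\n";
try {
  // Both 'cred' and 'principal' given: rejected.
  example_check_authx_details(['flow' => 'param', 'cred' => 'Basic ASDFFDSA==', 'principal' => ['contactId' => 1]]);
}
catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```
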

on_civi_invoke_auth()

When 'CRM_Core_Invoke' fires 'civi.invoke.auth', we should check for credentials.

public on_civi_invoke_auth(GenericHookEvent $e) : bool|void
Parameters
$e : GenericHookEvent
Tags
throws
Exception
Return values
bool|void

setRejectMode()

Specify the rejection mode.

public setRejectMode(string $mode) : $this
Parameters
$mode : string
Return values
$this

validate()

Determine whether credentials are valid. This is similar to `auth()` but stops short of performing an actual login.

public validate(array<string|int, mixed> $details) : array{flow: string, credType: string, jwt: ?array, useSession: bool, userId: ?int, contactId: ?int}
Parameters
$details : array<string|int, mixed>
Tags
throws
AuthxException
Return values
array{flow: string, credType: string, jwt: ?array, useSession: bool, userId: ?int, contactId: ?int}

Description of the validated principal (redacted).

checkCredential()

Assess the credential ($tgt->cred) and determine the matching principal.

protected checkCredential(AuthenticatorTarget $tgt) : array<string|int, mixed>|null
Parameters
$tgt : AuthenticatorTarget
Tags
see
AuthenticatorTarget::setPrincipal()
Return values
array<string|int, mixed>|null

Array describing the authenticated principal represented by this credential. Ex: ['userId' => 123] Format should match setPrincipal().

reject()

Reject a bad authentication attempt.

protected reject([string $message = 'Authentication failed' ]) : mixed
Parameters
$message : string = 'Authentication failed'
