Authentication 3.3.6

What's Changed

• Fix an open redirect weakness in getLoginRedirect() by @markstory in #796

Full Changelog: 3.3.5...3.3.6

Authentication 4.1.1

What's Changed

• Update PHPUnit version requirement to include 13.0 by @dereuromark in #790
• Update stan by @LordSimal in #792
• small docs adjustments by @LordSimal in #793
• Add security policy by @jamisonbryant in #794
• Fix an open redirect weakness in getLoginRedirect() by @markstory in #795

Full Changelog: 4.1.0...4.1.1

Authentication 4.1.0

Improvements

• Added AuthenticationComponent::redirectAfterLogin() helper to make the safe post-login redirect path the obvious one. It resolves the validated local redirect target via the existing getLoginRedirect() logic and falls back to the provided default, returning the controller redirect response directly (#787).

  if ($result->isValid()) {
      return $this->Authentication->redirectAfterLogin('/dashboard');
  }

Full Changelog: 4.0.1...4.1.0

Authentication 4.0.1

What's Changed

• Update all.py for display on book by @WideeFr in #771
• Improve type declarations by @ADmad in #772

Full Changelog: 4.0.0...4.0.1

Authentication 4.0.0

Breaking Changes

• Identifier configuration format changed - Moved from nested array to flatter structure:

  // Before
  'identifier' => ['Authentication.Token' => ['tokenField' => 'id', ...]]
  
  // After
  'identifier' => ['className' => 'Authentication.Token', 'tokenField' => 'id', ...]

• Class renames:

  • CakeRouterUrlChecker → DefaultUrlChecker
  • DefaultUrlChecker (framework-agnostic) → GenericUrlChecker

• SessionAuthenticator identify option removed - This deprecated option has been removed. Use PrimaryKeySessionAuthenticator if you need session-based authentication without password re-verification.

• Identifier parameter now optional in AbstractAuthenticator constructor

• Removed deprecated code including loadIdentifier() method

• Updated dependency: firebase/php-jwt now requires ^7.0

Improvements

• Lazy identifier initialization via getIdentifier() method
• Cleaner authenticator/identifier relationship
• Redirect validation feature (backported from 3.x)
• Plugin now properly declares cakephp/cakephp as dependency
• Identity::get() now supports dot-separated field names for nested data access
• New IdentityHelper::getIdentity() method for easier identity access in templates
• PrimaryKeySessionAuthenticator now has a default TokenIdentifier configured

Migration

Rector rules available at cakephp/upgrade#370 for automated migration assistance.

Full Changelog: 3.3.5...4.0.0

CakePHP Authentication 3.3.5

Deprecations

• SessionAuthenticator identify option deprecated - This option was ineffective for detecting password changes or remotely invalidating sessions. Use PrimaryKeySessionAuthenticator instead if you need to fetch fresh user data from the database on each request. (#763)

Fixes

• Fixed PHP deprecation errors (#759)
• Improved deprecation notice wording for authenticators without identifiers

Full Changelog: 3.3.4...3.3.5

CakePHP Authentication 3.3.4

What's Changed

• Rename Plugin to AuthenticationPlugin by @ADmad in #750
• Add optional redirect loop protection to AuthenticationService by @dereuromark in #752
• Fix loadIdentifier called after loadAuthenticator losing resolver config by @dereuromark in #755 (Fix regression)

Full Changelog: 3.3.3...3.3.4

CakePHP Authentication 3.3.3

What's Changed

• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #736
• Update password-hashers.rst by @txj in #738
• Don't populate IdentifierCollection errors with empty nested arrays by @ADmad in #739
• Bump actions/stale from 9 to 10 by @dependabot[bot] in #740
• Return added on getAuthenticationService() Update authenticators.rst by @RiteshParyali in #741
• Fix up identifier defaulting. by @dereuromark in #737
• Fix CI by @ADmad in #745
• Set the redirect query param only for GET requests. by @ADmad in #744

New Contributors

• @txj made their first contribution in #738

Full Changelog: 3.3.2...3.3.3

CakePHP Authentication 3.3.2

What's Changed

• Remove deprecation warning for creating an Authenticator without Identifier by @umer936 in #734

Full Changelog: 3.3.1...3.3.2

CakePHP Authentication 3.3.1

What's Changed

• Fix argument type for AuthenticationComponent::setIdentity(). by @ADmad in #730
• Fix error message generation when using multiple array login URLs. by @ADmad in #731

Full Changelog: 3.3.0...3.3.1