Merge pull request #843 from kenjis/fix-token-auth-logging

fix: AccessTokens authenticator records all accesses to database

Author: kenjis

UPGRADING.md

@@ -1,5 +1,16 @@
 # Upgrade Guide
 
+## Version 1.0.0-beta.6 to 1.0.0-beta.7
+
+### Install New Config AuthToken.php
+
+A new Config file **AuthToken.php** has been introduced. Run `php spark shield:setup`
+again to install it into **app/Config/**, or install it manually.
+
+Then change the default settings as necessary. When using Token authentication,
+the default value has been changed from all accesses to be recorded in the
+``token_logins`` table to only accesses that fail authentication to be recorded.
+
 ## Version 1.0.0-beta.3 to 1.0.0-beta.4
 
 ### Important Password Changes

src/Authentication/Authenticators/AccessTokens.php

@@ -8,6 +8,7 @@
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Shield\Authentication\AuthenticationException;
 use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
+use CodeIgniter\Shield\Config\Auth;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Exceptions\InvalidArgumentException;
 use CodeIgniter\Shield\Models\TokenLoginModel;
@@ -42,6 +43,8 @@ public function __construct(UserModel $provider)
      */
     public function attempt(array $credentials): Result
     {
+        $config = config('AuthToken');
+
         /** @var IncomingRequest $request */
         $request = service('request');
 
@@ -51,21 +54,35 @@ public function attempt(array $credentials): Result
         $result = $this->check($credentials);
 
         if (! $result->isOK()) {
-            // Always record a login attempt, whether success or not.
-            $this->loginModel->recordLoginAttempt(
-                self::ID_TYPE_ACCESS_TOKEN,
-                $credentials['token'] ?? '',
-                false,
-                $ipAddress,
-                $userAgent
-            );
+            if ($config->recordLoginAttempt >= Auth::RECORD_LOGIN_ATTEMPT_FAILURE) {
+                // Record all failed login attempts.
+                $this->loginModel->recordLoginAttempt(
+                    self::ID_TYPE_ACCESS_TOKEN,
+                    $credentials['token'] ?? '',
+                    false,
+                    $ipAddress,
+                    $userAgent
+                );
+            }
 
             return $result;
         }
 
         $user = $result->extraInfo();
 
         if ($user->isBanned()) {
+            if ($config->recordLoginAttempt >= Auth::RECORD_LOGIN_ATTEMPT_FAILURE) {
+                // Record a banned login attempt.
+                $this->loginModel->recordLoginAttempt(
+                    self::ID_TYPE_ACCESS_TOKEN,
+                    $credentials['token'] ?? '',
+                    false,
+                    $ipAddress,
+                    $userAgent,
+                    $user->id
+                );
+            }
+
             $this->user = null;
 
             return new Result([
@@ -80,14 +97,17 @@ public function attempt(array $credentials): Result
 
         $this->login($user);
 
-        $this->loginModel->recordLoginAttempt(
-            self::ID_TYPE_ACCESS_TOKEN,
-            $credentials['token'] ?? '',
-            true,
-            $ipAddress,
-            $userAgent,
-            $this->user->id
-        );
+        if ($config->recordLoginAttempt === Auth::RECORD_LOGIN_ATTEMPT_ALL) {
+            // Record a successful login attempt.
+            $this->loginModel->recordLoginAttempt(
+                self::ID_TYPE_ACCESS_TOKEN,
+                $credentials['token'] ?? '',
+                true,
+                $ipAddress,
+                $userAgent,
+                $this->user->id
+            );
+        }
 
         return $result;
     }

src/Config/AuthToken.php

@@ -7,13 +7,13 @@
 use CodeIgniter\Config\BaseConfig;
 
 /**
- * Authenticator Configuration for Token Auth and HMAC Auth
+ * Configuration for Token Auth and HMAC Auth
  */
 class AuthToken extends BaseConfig
 {
     /**
      * --------------------------------------------------------------------
-     * Record Login Attempts for Token and HMAC Authorization
+     * Record Login Attempts for Token Auth and HMAC Auth
      * --------------------------------------------------------------------
      * Specify which login attempts are recorded in the database.
      *

src/Filters/TokenAuth.php

@@ -21,7 +21,7 @@ class TokenAuth implements FilterInterface
 {
     /**
      * Do whatever processing this filter needs to do.
-     * By default it should not return anything during
+     * By default, it should not return anything during
      * normal execution. However, when an abnormal state
      * is found, it should return an instance of
      * CodeIgniter\HTTP\Response. If it does, script

tests/Authentication/Authenticators/AccessTokenAuthenticatorTest.php

@@ -174,7 +174,7 @@ public function testAttemptCannotFindUser(): void
         $this->assertFalse($result->isOK());
         $this->assertSame(lang('Auth.badToken'), $result->reason());
 
-        // A login attempt should have always been recorded
+        // A failed login attempt should have been recorded by default.
         $this->seeInDatabase($this->tables['token_logins'], [
             'id_type'    => AccessTokens::ID_TYPE_ACCESS_TOKEN,
             'identifier' => 'abc123',
@@ -202,8 +202,8 @@ public function testAttemptSuccess(): void
         $this->assertInstanceOf(AccessToken::class, $foundUser->currentAccessToken());
         $this->assertSame($token->token, $foundUser->currentAccessToken()->token);
 
-        // A login attempt should have been recorded
-        $this->seeInDatabase($this->tables['token_logins'], [
+        // A successful login attempt is not recorded by default.
+        $this->dontSeeInDatabase($this->tables['token_logins'], [
             'id_type'    => AccessTokens::ID_TYPE_ACCESS_TOKEN,
             'identifier' => $token->raw_token,
             'success'    => 1,