[6.x] Authentication

.github/workflows/laravel-ci.yml

@@ -67,7 +67,7 @@ jobs:
     services:
       # Install Postgres
       pgsql:
-        image: postgres:latest
+        image: ${{ (matrix.db == 'pgsql') && 'postgres:latest' || '' }}
         env:
           POSTGRES_USER: root
           POSTGRES_PASSWORD: mysecretpassword
@@ -78,7 +78,7 @@ jobs:
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 3
       # Install MySQL
       mysql:
-        image: mysql:8.0
+        image: ${{ (matrix.db == 'mysql') && 'mysql:8.0' || '' }}
         env:
           MYSQL_ROOT_PASSWORD: mysecretpassword
           MYSQL_DATABASE: craft_test
@@ -127,7 +127,7 @@ jobs:
         uses: ramsey/composer-install@v3
 
       - name: Execute CMS tests
-        run: vendor/bin/pest
+        run: ./vendor/bin/pest --ci
 
       - name: Set version
         run: composer config version "6.x-dev"

database/Factories/UserFactory.php

@@ -4,10 +4,16 @@
 
 namespace CraftCms\Cms\Database\Factories;
 
-use CraftCms\Cms\Element\Models\Element;
+use Craft;
+use CraftCms\Cms\Auth\Models\WebAuthn;
 use CraftCms\Cms\User\Models\User;
 use Illuminate\Database\Eloquent\Factories\Factory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Enumerable;
+use Illuminate\Support\Facades\Hash;
 use Override;
+use RuntimeException;
 
 final class UserFactory extends Factory
 {
@@ -17,12 +23,27 @@ final class UserFactory extends Factory
     public function definition(): array
     {
         return [
-            'id' => Element::factory(),
+            'id' => null,
+            'fullName' => $this->faker->name(),
+            'firstName' => $this->faker->firstName(),
+            'lastName' => $this->faker->lastName(),
             'username' => $this->faker->userName(),
             'email' => $this->faker->email(),
+            'password' => Hash::make('password'),
+            'active' => true,
+            'pending' => false,
+            'locked' => false,
+            'suspended' => false,
         ];
     }
 
+    public function admin(bool $admin = true): self
+    {
+        return $this->state(fn () => [
+            'admin' => $admin,
+        ]);
+    }
+
     public function pending(): self
     {
         return $this->state(fn () => [
@@ -52,4 +73,47 @@ public function suspended(): self
             'suspended' => true,
         ]);
     }
+
+    public function createElement(array $attributes = [], ?Model $parent = null): \CraftCms\Cms\User\Elements\User
+    {
+        return $this->create($attributes, $parent)->asElement();
+    }
+
+    public function withPasskey(string $credentialId): self
+    {
+        return $this->afterCreating(fn (User $user) => WebAuthn::factory()->create([
+            'userId' => $user->id,
+            'credentialId' => $credentialId,
+        ]));
+    }
+
+    #[Override]
+    protected function store(Collection $results): void
+    {
+        $results->each(function (User $model) {
+            foreach ($model->getRelations() as $name => $items) {
+                if ($items instanceof Enumerable && $items->isEmpty()) {
+                    $model->unsetRelation($name);
+                }
+            }
+
+            if (! Craft::$app->getElements()->saveElement($element = $model->asElement())) {
+                dump($element->getErrors());
+                throw new RuntimeException('Could not save user.');
+            }
+
+            $model->id = $element->id;
+            $model->exists = true;
+            $model->save();
+
+            $this->createChildren($model);
+
+            // Ensure any password is set to the element as well.
+            $element->password = $model->password;
+
+            $model->refresh();
+            $model->uid = $element->uid;
+            $model->password = $element->password;
+        });
+    }
 }

database/Factories/UserGroupFactory.php

@@ -16,6 +16,7 @@ final class UserGroupFactory extends Factory
     public function definition(): array
     {
         return [
+            'uid' => fake()->uuid(),
             'name' => fake()->words(asText: true),
             'handle' => fake()->slug(),
             'description' => fake()->paragraph(),

database/Factories/WebAuthnFactory.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Database\Factories;
+
+use CraftCms\Cms\Auth\Models\WebAuthn;
+use CraftCms\Cms\User\Models\User;
+use Illuminate\Database\Eloquent\Factories\Factory;
+use Override;
+
+final class WebAuthnFactory extends Factory
+{
+    protected $model = WebAuthn::class;
+
+    #[Override]
+    public function definition(): array
+    {
+        return [
+            'userId' => User::factory(),
+            'credentialId' => $this->faker->uuid(),
+            'dateCreated' => now(),
+            'dateUpdated' => now(),
+        ];
+    }
+}

resources/templates/_special/login.twig

@@ -5,7 +5,7 @@
 {% set staticEmail = staticEmail ?? null %}
 
 {% set generalConfig = app.config.craft.general %}
-{% set username = staticEmail ?? (generalConfig.rememberUsernameDuration ? craft.app.user.getRememberedUsername(): '') %}
+{% set username = staticEmail ?? (generalConfig.rememberUsernameDuration ? rememberedUsername : '') %}
 
 {% if generalConfig.useEmailAsUsername %}
   {% set usernameLabel = 'Email'|t('app') %}

resources/templates/set-password.twig

@@ -20,7 +20,7 @@
                 name: 'newPassword',
                 autocomplete: 'new-password',
                 autofocus: true,
-                errors: (errors is defined ? errors : null)
+                errors: errors.get('newPassword')
             }) }}
         </div>
 

resources/templates/users/_auth-methods.twig

@@ -4,7 +4,7 @@
   id: 'auth-method-setup',
   class: ['pane', 'fullwidth']|merge((paneClass ?? [])|explodeClass),
 } %}
-  {% for method in craft.app.auth.getAvailableMethods() %}
+  {% for method in craft.auth.getAvailableMethods() %}
     {% set isActive = method.isActive() %}
     {% set headingId = "auth-method-heading-#{loop.index0}" %}
 

resources/templates/users/_password.twig

@@ -8,7 +8,7 @@
     id: 'newPassword',
     name: 'newPassword',
     autocomplete: 'new-password',
-    errors: user.getErrors('newPassword'),
+    errors: sessionErrors.get('newPassword'),
     inputAttributes: {
       data: {
         lpignore: user.isCurrent ? false : 'true',

routes/actions.php

@@ -5,7 +5,12 @@
 use CraftCms\Cms\Cms;
 use CraftCms\Cms\Edition;
 use CraftCms\Cms\Http\Controllers\AddressesController;
+use CraftCms\Cms\Http\Controllers\AnnouncementsController;
 use CraftCms\Cms\Http\Controllers\ApiController;
+use CraftCms\Cms\Http\Controllers\Auth\LoginController;
+use CraftCms\Cms\Http\Controllers\Auth\PasskeyController;
+use CraftCms\Cms\Http\Controllers\Auth\SessionInfoController;
+use CraftCms\Cms\Http\Controllers\Auth\TwoFactorAuthenticationController;
 use CraftCms\Cms\Http\Controllers\BaseUpdaterController;
 use CraftCms\Cms\Http\Controllers\ConfigSyncController;
 use CraftCms\Cms\Http\Controllers\Dashboard\Widgets\CraftSupportController;
@@ -36,9 +41,11 @@
 use CraftCms\Cms\Http\Controllers\Users\ActivateController;
 use CraftCms\Cms\Http\Controllers\Users\EnableController;
 use CraftCms\Cms\Http\Controllers\Users\ImpersonationController;
+use CraftCms\Cms\Http\Controllers\Users\PasswordController;
 use CraftCms\Cms\Http\Controllers\Users\PermissionsController;
 use CraftCms\Cms\Http\Controllers\Users\PhotoController;
 use CraftCms\Cms\Http\Controllers\Users\PreferencesController;
+use CraftCms\Cms\Http\Controllers\Users\SaveUserController;
 use CraftCms\Cms\Http\Controllers\Users\SuspendController;
 use CraftCms\Cms\Http\Controllers\Users\UnlockController;
 use CraftCms\Cms\Http\Controllers\Users\UsersController;
@@ -56,6 +63,7 @@
 use CraftCms\Cms\Http\Middleware\RequireToken;
 use CraftCms\Cms\Support\Str;
 use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
+use Illuminate\Session\Middleware\StartSession;
 use Illuminate\Support\Facades\Route;
 
 /**
@@ -70,6 +78,31 @@
     Cms::config()->cpTrigger.'/'.Cms::config()->actionTrigger.Str::start($route, '/'),
 ])->all());
 
+/**
+ * Actions that are accessible both with and without CP can be registered here.
+ */
+foreach ([
+    Cms::config()->actionTrigger => [],
+    implode('/', [
+        Cms::config()->cpTrigger,
+        Cms::config()->actionTrigger,
+    ]) => ['craft.cp'],
+] as $prefix => $middleware) {
+    Route::prefix($prefix)->middleware($middleware)->group(function () {
+        // Auth
+        Route::post('users/login', [LoginController::class, 'attemptLogin']);
+        Route::post('auth/verify-totp', [TwoFactorAuthenticationController::class, 'verify']);
+        Route::post('auth/verify-recovery-code', [TwoFactorAuthenticationController::class, 'verifyRecoveryCode']);
+        Route::post('auth/passkey-request-options', [PasskeyController::class, 'requestOptions']);
+        Route::post('users/login-with-passkey', [PasskeyController::class, 'login']);
+        Route::post('users/login-modal', [LoginController::class, 'showLoginModal']);
+        Route::any('users/session-info', [SessionInfoController::class, 'show'])->withoutMiddleware(StartSession::class);
+        Route::any('users/get-elevated-session-timeout', [SessionInfoController::class, 'confirmTimeout']);
+        Route::post('users/send-password-reset-email', [PasswordController::class, 'sendPasswordResetEmail']);
+        Route::post('users/save-user', SaveUserController::class);
+    });
+}
+
 /**
  * Actions that are accessible without CP can be registered here.
  */
@@ -275,7 +308,9 @@
         Route::middleware('password.confirm')->group(function () {
             Route::post('users/impersonate', [ImpersonationController::class, 'impersonate']);
             Route::post('users/get-impersonation-url', [ImpersonationController::class, 'getUrl']);
+            Route::post('users/save-password', [PasswordController::class, 'store']);
         });
+        Route::post('users/mark-announcements-as-read', [AnnouncementsController::class, 'markRead']);
 
         Route::post('users/save-permissions', [PermissionsController::class, 'store']);
         Route::post('users/save-preferences', [PreferencesController::class, 'store']);
@@ -289,6 +324,10 @@
         Route::post('users/render-photo-input', [PhotoController::class, 'renderInput']);
         Route::post('users/upload-user-photo', [PhotoController::class, 'upload']);
         Route::post('users/delete-user-photo', [PhotoController::class, 'destroy']);
+        Route::post('users/require-password-reset', [PasswordController::class, 'requireReset']);
+        Route::post('users/remove-password-reset-requirement', [PasswordController::class, 'removeResetRequirement']);
+        Route::post('users/get-password-reset-url', [PasswordController::class, 'passwordResetUrl']);
+        Route::post('users/send-activation-email', [ActivateController::class, 'sendActivationEmail']);
 
         // User groups
         Route::middleware([

routes/cp.php

@@ -2,7 +2,12 @@
 
 declare(strict_types=1);
 
+use CraftCms\Cms\Auth\Enums\CpAuthPath;
 use CraftCms\Cms\Edition;
+use CraftCms\Cms\Http\Controllers\Auth\LoginController;
+use CraftCms\Cms\Http\Controllers\Auth\SetPasswordController;
+use CraftCms\Cms\Http\Controllers\Auth\TwoFactorAuthenticationController;
+use CraftCms\Cms\Http\Controllers\Auth\VerifyEmailController;
 use CraftCms\Cms\Http\Controllers\Dashboard\DashboardController;
 use CraftCms\Cms\Http\Controllers\Entries\CreateEntryController;
 use CraftCms\Cms\Http\Controllers\Entries\EntriesIndexController;
@@ -39,10 +44,18 @@
 Route::get('install', [InstallController::class, 'index'])
     ->middleware([HandleInertiaRequests::class]);
 
+Route::get(CpAuthPath::Login->value, [LoginController::class, 'showLogin']);
+Route::get(CpAuthPath::TwoFactorChallenge->value, [TwoFactorAuthenticationController::class, 'showForm']);
+Route::get(CpAuthPath::SetPassword->value, [SetPasswordController::class, 'show']);
+Route::post(CpAuthPath::SetPassword->value, [SetPasswordController::class, 'store']);
+Route::get(CpAuthPath::VerifyEmail->value, [VerifyEmailController::class, 'show']);
+Route::post(CpAuthPath::VerifyEmail->value, [VerifyEmailController::class, 'store']);
+
 /**
  * Admin requests that require a login
  */
-Route::middleware('auth:craft')->group(function () {
+Route::middleware(['auth:craft', 'can:accessCp'])->group(function () {
+    Route::get(CpAuthPath::Logout->value, [LoginController::class, 'logout']);
     Route::get('dashboard', DashboardController::class);
 
     Route::get('utilities', [UtilitiesController::class, 'index']);

routes/routes.php

@@ -12,5 +12,6 @@
     ->prefix(Cms::config()->cpTrigger)
     ->group(__DIR__.'/cp.php');
 
-Route::middleware(['web', 'craft'])
+Route::middleware(['web', 'craft', 'craft.web'])
+    ->name('craft.')
     ->group(__DIR__.'/web.php');

routes/web.php

@@ -1 +1,38 @@
 <?php
+
+use CraftCms\Cms\Auth\Enums\CpAuthPath;
+use CraftCms\Cms\Cms;
+use CraftCms\Cms\Edition;
+use CraftCms\Cms\Http\Controllers\Auth\LoginController;
+use CraftCms\Cms\Http\Controllers\Auth\TwoFactorAuthenticationController;
+use CraftCms\Cms\Http\Controllers\Auth\VerifyEmailController;
+use CraftCms\Cms\Site\Sites;
+use Illuminate\Support\Facades\Route;
+
+if (Edition::get()->registersFrontendUserRoutes()) {
+    if (Cms::config()->loginPath !== false) {
+        Route::get(Cms::config()->loginPath, [LoginController::class, 'showLogin']);
+        Route::get(CpAuthPath::TwoFactorChallenge->value, [TwoFactorAuthenticationController::class, 'showForm']);
+    }
+
+    if (Cms::config()->verifyEmailPath !== false) {
+        Route::get(Cms::config()->verifyEmailPath, [VerifyEmailController::class, 'show']);
+        Route::post(Cms::config()->verifyEmailPath, [VerifyEmailController::class, 'store']);
+    }
+
+    Route::middleware('auth:craft')->group(function () {
+        if (Cms::config()->logoutPath !== false) {
+            Route::get(Cms::config()->logoutPath, [LoginController::class, 'logout']);
+        }
+    });
+}
+
+if (! is_null(Cms::config()->setPasswordRequestPath)) {
+    Route::get('.well-known/change-password', function (Sites $sites) {
+        $uri = Cms::config()->getSetPasswordRequestPath($sites->getCurrentSite()->handle);
+
+        abort_if(is_null($uri), 404);
+
+        return redirect($uri);
+    });
+}