Hi, Trying to use the library I got such an error.Where am I doing wrong? @jasny, @SergeAx, @Minstel

Fatal error: Uncaught Error: Typed property Veloster\App\Models\User::$hashedPassword must not be accessed before initialization in C:\xampp\htdocs\php\App\Models\User.php:32
Stack trace:
#0 C:\xampp\htdocs\php\vendor\jasny\auth\src\Auth.php(319): Veloster\App\Models\User->verifyPassword('12345678')
#1 C:\xampp\htdocs\php\App\Models\Accounts.php(46): Jasny\Auth\Auth->login('admin', '12345678')
#2 C:\xampp\htdocs\php\App\Controllers\Home.php(27): Veloster\App\Models\Accounts->authenticate('admin', '12345678')
#3 [internal function]: Veloster\App\Controllers\Home::login(
#4 C:\xampp\htdocs\php\Core\Route.php(74): call_user_func_array(Array, Array)
#5 C:\xampp\htdocs\php\index.php(24): Veloster\Core\Route::dispatch()
#6 {main}
thrown in C:\xampp\htdocs\php\App\Models\User.php on line 32

User.php:

<?php

namespace Veloster\App\Models;

use Jasny\Auth;
use Jasny\Auth\UserInterface;

class User implements UserInterface
{
    public string $id;
    public string $username;
    public int $accessLevel = 0;

    protected string $hashedPassword;

    public function getAuthId(): string
    {
        return $this->id;
    }

    /**
     * {@interal This method isn't required by the interface}}.
     * @param string $password
     */
    public function changePassword(string $password): void
    {
        $this->hashedPassword = password_hash($password, PASSWORD_BCRYPT);
    }

    public function verifyPassword(string $password): bool
    {
        return password_verify($password, $this->hashedPassword);
    }

    public function getAuthChecksum(): string
    {
        return hash('sha256', $this->id . $this->hashedPassword);
    }

    public function getAuthRole(Auth\ContextInterface $context = null): int
    {
        return $this->accessLevel;
    }

    public function requiresMfa(): bool
    {
        return false;
    }
}

Funstion in Login_Controller.php:

public function authenticate(string $username,string $password)
    {
        $levels = new Authz\Levels(['user' => 1, 'moderator' => 10, 'admin' => 100]);

        $auth = new Auth($levels, new AuthStorage());

        session_start();
        $auth->initialize();
        $auth->login($username,$password);
    }

AuthStroge.php:

<?php

namespace Veloster\App\Models;

use Jasny\Auth;
use Illuminate\Database\Capsule\Manager as DB;
use Jasny\Auth\StorageInterface;

class AuthStorage implements StorageInterface
{
    /**
     * Fetch a user by ID
     * @param string $id
     * @return Auth\UserInterface|null
     */
    public function fetchUserById(string $id): ?Auth\UserInterface
    {
        DB::table('Accounts')
            ->Where('id','=', $id)
            ->get();
        return new User();
    }

    /**
     * Fetch a user by username
     * @param string $username
     * @return Auth\UserInterface|null
     */
    public function fetchUserByUsername(string $username): ?Auth\UserInterface
    {
        DB::table('Accounts')->Where('username','=', $username)->get();
        return new User;
    }

    /**
     * Fetch the context by ID.
     * @param string $id
     * @return Auth\ContextInterface|null
     */
    public function fetchContext(string $id) : ?Auth\ContextInterface
    {
        DB::table('Accounts')
            ->Where('id','=', $id)
            ->get();
        return new Context();
    }

    /**
     * Get the default context of the user.
     * @param Auth\UserInterface $user
     * @return Auth\ContextInterface|null
     */
    public function getContextForUser(Auth\UserInterface $user) : ?Auth\ContextInterface
    {
        return null;
    }
}

https://github.com/jasny/auth/blob/d8d0b723fec345c910ec415f0d338f54334c0082/src/Confirmation/HashidsConfirmation.php#L315

Third param in hash function generates outputs raw binary data which trigger warnings in Hashids. In constructor of Hashids salt is encoding but is as binary so \mb_detect_encoding($salt) return incorrect encoding type for \mb_convert_encoding($salt, 'UTF-8', \mb_detect_encoding($salt))
https://github.com/vinkla/hashids/blob/8cab111f78e0bd9c76953b082919fc9e251761be/src/Hashids.php#L95

all of the mentioned methods in the documentation are called as static methods, but none of them is static so it gives an error

Auth::login(string $username, string $password) Auth::loginAs(UserInterface $user) Auth::logout() ...etc

The method of MFA shouldn't be important for this lib, though it would always include verifying some sort of code. Instead of requiring the use of wrapper, a callback that takes the user and code and returns a boolean should be all that's needed for the Auth class.

In addition to the context, add bool $mfa as argument for getAuthRole(). This will be set to true if the user is MFA authenticated. It's up to the User class to return a role like 'mfa-required' if needed. Methods like isLoggedIn() will still return true, even if the login is just partial.

To logic to setup MFA (like creating an OTP secret, sending an email, etc) is outside the scope of this library.

If MFA fails the user is automatically logged out.

class AuthController extends Jasny\Controller
{
    public function run(...$args)
    {
        try {
            return parent::run(...$args);
        } catch (LoginException $exception) {
            $this->session->flash('warning', $exception->getMessage());
            $this->redirect('/login');
        }
    }

    public function postLogin()
    {
        $this->auth->login(
            $this->getQueryParam('username'),
            $this->getQueryParam('password'),
        );

        $next = $this->auth->is('mfa-required') ? '/login/mfa' : '/admin';
        $this->redirect($next);
    }

    public function postLoginMfa()
    {
        $this->auth->mfa($this->getQueryParam('code'));
        $this->redirect('/admin');
    }
}

class User
{
    /** One time password secret for multi factor authentication (MFA) */
    public ?string $otpSecret = null;

    public getAuthRole(?ContextInterface $context, bool $mfa)
    {
        if ($this->otpSecret !== null && !$mfa) {
            return 'mfa-required';
        }

        return $this->role;
    }
}

$levels = new Authz\Levels([
    -1 => 'mfa-required',
    1 => 'user',
    20 => 'admin',
]);

$auth = (new Auth($levels, ...))
    ->withMfa(static function(User $user, string $code): bool {
        return TOPT::create($user->otpSecret)->verify($code);
    });

Fatal error: gymadarasz\Auth\Auth and Jasny\Authz\byLevel define the same property ($levels) in the composition of gymadarasz\Auth\Auth. However, the definition differs and is considered incompatible. Class was composed in C:\xampp\htdocs\testauth\src\Auth\Auth.php on line 97

My suugestion, just remove the line protected static $levels; from trait byLevel in file byLevel.php at line ~37

While trying to implement the example in the README, I keep getting this error, I am using Slim and I am auto loading the example Auth class using composer's psr-0 like this "psr-0": { "": "auth/" }, is this probably because PHP doesn't support abstract static functions or am I doing things wrong?

PHP 7.4+

Use composition instead of traits. PSR-15 Middleware (with double pass support). Changed API (big BC break).

Get stateful Authz object (for current or other user / context). Give authz services an immutable state by caching the user role. Added recalc() methods.

Support for context. This could an organization for instance. Check if the user has a role in that organization.

Login/logout events via PSR-14 Event dispatcher (instead of methods on user).

Renamed user and context methods to getAuthId(), so it doesn't clash with getId().

Improved hashids confirmation (tokens not bc)

We should create an Authz class rather than moving that into the User class. Moving all functionality to a model class is a 'God object' anti-pattern.

While it is typical there is only one authentication interface per application, this is not the way by definition. Additionally using static methods and properties make testing harder.

// Global Auth for an application
App::auth();

// Application instance for dependency injection
$app->getAuth();

Verify bug fix, fetchByUsername may return false for invalid login, instead of empty model that implements the getPassword methods resulting in a fatal error. Verify should check for false and not presume fetchByUsername always returns user model.

$user is always 'set' so the isset check is redundant