Cakephp 3 摘要认证

Cakephp 3 Digest authentication

我试图通过 cakephp 3 使用摘要式身份验证来构建可扩展的系统。仅在需要时要求客户端输入密码,但输入的详细信息不允许访问,而是再次弹出请求凭据的对话框。非常感谢任何建议或帮助!

AppController::initialize()

$this->loadComponent('Auth', [
        'authenticate' => [
            'Digest' => [
                'fields' => ['username' => 'username', 'password' => 'password_hash'],
                'userModel' => 'Users',
                'finder' => 'auth'
            ],
        ],
        'authError' => 'incorrect username or password',
        'storage' => 'Memory',
        'unauthorizedRedirect' => false
    ]);

用户表:

    public function beforeSave(\Cake\Event\Event $event)
{
    $entity = $event->data['entity'];

    // Make a password for digest auth.
    $entity->password_hash = DigestAuthenticate::password(
        $entity->username, 
        $entity->plain_password,
        env('SERVER_NAME')
    );

    $entity->created = Time::now();
    return true;
}

public function findAuth(\Cake\ORM\Query $query, array $options)
{
    $query
        ->select(['id', 'username', 'password_hash']);
    return $query;
}

编辑:从实体中删除了代码

我决定深入研究 digest getuser 函数 (Function code) 并将一些数据输出到我未经授权的页面,这样我就可以看到发生了什么。

$Password: 8a3575d301f04f08dd461f93e3d55a21 
$digest[username]: James  
$digest['response']: 4fa261678c753da8e78e4bf98057fd72 
$hash: a627c3e68061937e454c321d55e986d3
$request->env('ORIGINAL_REQUEST_METHOD'): GET

只需从实体中删除 _setPassword 函数。密码将被散列,稍后将在 DigestAuthentication 上使用此散列,而不是所需的明文。

我还会重构并从 beforeSave 中删除密码创建并将其放入类似于您现在对 passwordHasher 所做的操作的实体... 请记住,在这种情况下,您需要更新 _setUsername _setPassword 上的摘要!

好吧,事实证明我犯了一个非常愚蠢的错误! 变化:

$entity->password_hash = DigestAuthenticate::password(
    $entity->username, 
    $entity->password_hash, // was plain_password which was not in my model!
    env('SERVER_NAME')
);