CakePHP Authentication 2.10.0

Updated Dependencies

• The 2.10.0 release requires a minimum of CakePHP 4.4.0 and PHP 7.4.0
• The optional dependency on firebase/jwt has changed from ^5.5 to ^6.2

New Features

• Implement Impersonation by @ajibarra in #532
• Add AuthenticationComponent identityCheckEvent option by @Erwane in #555
• Token Identifier: Add Option to Hash Token Before Resolving by @amayer5125 in #559
• Adds tls option to LDAP identifier by @eardkdw in #510
• Added EnvironmentAuthenticator to allow integration with Shiboleth authentication by @MolbioUnige in #565

Bug fixes

• Bump to php-jwt 6.2 and remove temporary/deprecated code by @swiffer in #507
• User friendly exception when auth middleware is not loaded by @cnizzardini in #513
• Fix null value causing a type error in the password identifier. by @ndm2 in #542
• Fix deprecations in tests by @markstory in #544
• Fix return type for offsetSet() by @othercorey in #547
• Fix invalid default value for $config parameter by @othercorey in #546
• Fix return type annotation for Identity::__isset() by @othercorey in #548

Documentation and tooling changes

• Fixed syntax errors in documentation @cnizzardini in #511
• Add more context to testing docs. by @markstory in #515
• Updated documentation tooling by @ndm2 in #516, #519
• Update french doc translation by @zachee54 in #523
• Update to PHPStan 1.5 and Psalm to 4.22 by @LordSimal in #522
• よりわかりやすく by @yuki-yasumura in #524
• Add note on Authentication.Password Identifier resolvers default finder by @cnizzardini in #525
• firebase/php-jwt compatibility note by @cnizzardini in #531
• Replaced Legacy AuthComponent Update password-hashers.rst by @markusramsak in #534
• update phpstan and psalm by @LordSimal in #537
• Fix typo by @PhantomWatson in #540
• Refactor example code by @PhantomWatson in #539
• [doc][fr] Translate d2db317 by @zachee54 in #541
• Remove redundant logic from login action example by @nishimura-d in #543
• Add docs for account impersonation. by @markstory in #551
• Update the middleware example by @B3none in #552
• Note about IDE comp improvement by @dereuromark in #561
• update docs links by @Arhell in #568
• Use newer ubuntu for tests. by @markstory in #578

New Contributors

• @cnizzardini made their first contribution in #511
• @yuki-yasumura made their first contribution in #524
• @dependabot made their first contribution in #526
• @markusramsak made their first contribution in #534
• @nishimura-d made their first contribution in #543
• @ajibarra made their first contribution in #532
• @B3none made their first contribution in #552
• @amayer5125 made their first contribution in #559
• @eardkdw made their first contribution in #510
• @MolbioUnige made their first contribution in #565

Full Changelog: 2.9.0...2.10.0

CakePHP Authentication 2.9.0

What's Changed

• Support for JSON Web Key Sets by @swiffer in #505

New Contributors

• @swiffer made their first contribution in #505

Full Changelog: 2.8.0...2.9.0

CakePHP Authentication 2.8.0

What's Changed

• Allow skipping the challenge exception generation for Http Basic/Digest Auth. by @ADmad in #498
• Fixed translation errors in documents. by @karintou8710 in #503
• Added the default option to add the application salt to the cookie by @RobertoRoos in #467

⚠️ Important Upgrade Information for Cookie Authenticator Users

This release changes the default stored token for Cookie Authenticator. The token is now comprised of hash(username + password-hash + hmac(username + password, salt)). This helps prevent forged tokens from being created in case an application database is compromised. This change will invalidate all existing cookie tokens. If you do not desire that, be sure to set salt => false in your configuration for CookieAuthenticator

New Contributors

• @karintou8710 made their first contribution in #503
• @RobertoRoos made their first contribution in #467

Full Changelog: 2.7.0...2.8.0

CakePHP Authentication 2.7.0

What's Changed

• Bump firebase/php-jwt to v5.5, and deprecate algorithms in favour of only using a single algorithm in JwtAuthenticator. by @markstory, @ADmad, @pabloelcolombiano in #500

Full Changelog: 2.6.2...2.7.0

CakePHP Authentication 2.6.2

What's Changed

• Improve Documentation including translations to Spanish and French @zachee54, @davidyell, @opeadeyomoye, @enviniom, @Arhell, @LordSimal, @ADmad, @ndm2, @ravage84 in #452, #455, #456, #457, #461, #463, #466, #469, #474, #475, #477, #480, #478, #487, #490
• Improve CI tooling @othercorey, @CriztianiX in #483, #460, #489, #491
• Add php 8.1 to matrix by @othercorey in #484, #482, #492, #496
• Fix cakephp 4.3 deprecations by @othercorey in #486

Security Improvements

• Overwrite "algorithms" config of JWT authenticator instead of merging. by @ADmad in #501

New Contributors

• @zachee54 made their first contribution in #452
• @opeadeyomoye made their first contribution in #463
• @enviniom made their first contribution in #469
• @albertcansado made their first contribution in #472
• @Arhell made their first contribution in #477
• @LordSimal made their first contribution in #478
• @CriztianiX made their first contribution in #482

Full Changelog: 2.6.1...2.6.2

CakePHP Authentication 2.6.1

Fixes

• Improved documentation.
• Cleaned up extra parameters passed in tests.
• Improved the loginUrl mismatch error message.
• Fixed a regression where identity instances that already implement IdentityInterface were being wrapped in a decorator when it wasn't necessary.

CakePHP Authentication 2.6.0

Fixes

• Update AuthenticationRequiredException to extend HttpException so that proper status code is set. #437

Enhancements

• Allow customizing identity attribute in IdentityHelper. #436

CakePHP Authentication 2.5.0

Fixes

• Updated exception base classes to extend HttpException so that status codes continue to work.

CakePHP Authentication 2.4.0

Changes

• Use Cookie::create() to create cookies. This enables the usage of the samesite attribute.
• The httpOnly option of CookieAuthenticator is deprecated. Use httponly instead.
• The expire option of CookieAuthenticator is deprecated. Use expires instead.
• Added Japanese documentation.
• Removed unreachable code.

CakePHP Authentication 2.3.1

Fixes

• Improve documentation for CallbackIdentifier.
• Add example to docs with multiple authenticators.
• Added initial japanese translation to the docs.
• Moved CI to GitHub Actions.