Marc Condon

Reputation: 431

Can extra criteria be built into the CakePHP Authentication Component?

I want to build a security measure like the RSA/Page Token, where the token is a third form parameter in the login (username, password, token).

It's not clear to me what the role of the users controller's "login" action is. Is this an "AfterFilter" for the Auth component?

Would this logic work?

// controllers/users_controller.php
function login()
{
    // isbadtoken() is the asker's own token check
    if (isbadtoken($this->data['User']['Token']))
        $this->redirect('http://dev.null');
}

Should this logic go in the application controller like cookie logins and social network logins?

Upvotes: 1

Views: 90

Answers (1)

dr Hannibal Lecter

Reputation: 6721

In cake 2.0+, you need to call the auth login method manually, so something like this should work:

function login()
{
    if (isbadtoken($this->request->data['User']['Token']))
    {
        return;
    }

    // login user etc..
    if ($this->Auth->login())
    { /* ... */ }
}

In previous cake versions, auth login is already called before your code, so something like this would be necessary:

function login()
{
    // 1.x exposes the posted form as $this->data ($this->request->data is 2.0+)
    if (isbadtoken($this->data['User']['Token']))
    {
        // since auth doesn't know about the token,
        // log out the user in case auth login was successful
        $this->Auth->logout();
        return;
    }

    if (!$this->Auth->user())
    {
        /* user is not logged in */
        return;
    }

    /* user is logged in */
}

A better solution would probably be to make the auth component aware of the token and somehow include it in the login process, but if it's too complicated to do so, something like the above should give you no trouble.

Upvotes: 1
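One way to do what the answer's last paragraph suggests, as an added example that is not from the question, the answer or CakePHP itself: a CakePHP 2.x authenticate object that checks the page token before Auth ever looks up the password, so the login action stays the stock `$this->Auth->login()` call. The class name TokenFormAuthenticate, the session key Auth.pageToken and the form field User.Token are assumptions; the token is assumed to be written into the session when the login form is rendered.

```php
<?php
// app/Controller/Component/Auth/TokenFormAuthenticate.php  (assumed path and name)
App::uses('FormAuthenticate', 'Controller/Component/Auth');
App::uses('CakeSession', 'Model/Datasource');

/**
 * FormAuthenticate plus a per-page token check. The token is issued into the
 * session when the login form is rendered (assumed key 'Auth.pageToken') and
 * must come back in the form field User.Token (assumed field name).
 */
class TokenFormAuthenticate extends FormAuthenticate {

    public function authenticate(CakeRequest $request, CakeResponse $response) {
        $model = $this->settings['userModel'];
        $submitted = isset($request->data[$model]['Token'])
            ? (string)$request->data[$model]['Token'] : '';
        $expected = (string)CakeSession::read('Auth.pageToken');

        // Consume the token whether or not it matches, so a replayed form
        // fails next time and the user has to reload the login page.
        CakeSession::delete('Auth.pageToken');

        if ($expected === '' || !self::constantTimeEquals($expected, $submitted)) {
            // false makes $this->Auth->login() fail without the password ever
            // being checked, so a bad token cannot be used to probe credentials.
            return false;
        }
        // Token is good: fall through to the normal username/password lookup.
        return parent::authenticate($request, $response);
    }

    /** Compare without leaking where the strings first differ (PHP < 5.6 lacks hash_equals). */
    protected static function constantTimeEquals($a, $b) {
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($a); $i < $n; $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}

// AppController::$components, so Auth uses this object instead of Form:
//   'Auth' => array('authenticate' => array('TokenForm' => array('userModel' => 'User')))
// UsersController::login() on GET issues the token, e.g.
//   CakeSession::write('Auth.pageToken', String::uuid());
// and on POST stays the plain 2.x form:
//   if ($this->request->is('post') && $this->Auth->login()) { /* logged in */ }
```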
