Monday, January 10, 2022

[FIXED] Using CakePHP Form and Basic Authentication together

 January 10, 2022     authentication, cakephp, cakephp-3.x     No comments   

Issue

I've created a simple test site using CakePHP 3.8 and Authentication 1.0 to try it out. I'd like to use both Form and Basic authentication since the intended app will offer REST calls.

The site works properly if the HttpBasic is not included, that is the Login window is displayed. However, with HttpBasic, the site goes directly to basic authentication.

The code is directly from the cookbook.

What am I missing?

// Authentication service provider hook in src/Application.php
public function getAuthenticationService(ServerRequestInterface $request, ResponseInterface $response)
{
    $service = new AuthenticationService();

    $service->setConfig([
        'unauthenticatedRedirect' => '/users/login',
        'queryParam' => 'redirect',
    ]);

    $fields = [
        'username' => 'user',
        'password' => 'password',
    ];

    // Load Identifiers
    $service->loadIdentifier('Authentication.Password', compact('fields'));

    // Load the authenticators
    $service->loadAuthenticator('Authentication.Session');
    $service->loadAuthenticator('Authentication.Form', [
        'fields' => $fields,
        'loginUrl' => '/users/login',
    ]);
    $service->loadAuthenticator('Authentication.HttpBasic');

    return $service;
}

Solution

As mentioned in the comments, using the form authenticator and the HTTP basic authenticator together won't work overly well. This is due to the fact that the authentication service won't stop executing all loaded authenticators unless one of them returns a response that indicates successful authentication.

This means that you'd always be presented with the authentication challenge response, and never see your login form. Only the actual authentication part would work in that constellation, i.e. directly sending your login credentials as form data to the login endpoint.

If you don't actually need the basic auth challenge response that is preventing you from accessing the login form, then you could use a custom/extended authenticator that doesn't cause a challenge response to be returned, which should be as simple as overriding \Authentication\Authenticator\HttpBasicAuthenticator::unauthorizedChallenge():

src/Authenticator/ChallengelessHttpBasicAuthenticator.php

namespace App\Authenticator;

use Authentication\Authenticator\HttpBasicAuthenticator;
use Psr\Http\Message\ServerRequestInterface;

class ChallengelessHttpBasicAuthenticator extends HttpBasicAuthenticator
{
    /**
     * Override the parent's challenge so that a failed/absent Basic
     * credential does not produce a 401 + WWW-Authenticate response,
     * letting the request fall through to the form login redirect.
     */
    public function unauthorizedChallenge(ServerRequestInterface $request)
    {
        // noop
    }
}

Then, in getAuthenticationService(), load it in place of 'Authentication.HttpBasic':

$service->loadAuthenticator(\App\Authenticator\ChallengelessHttpBasicAuthenticator::class);

Also note that you might need to add additional checks in case your application uses the authentication component's setIdentity() method, which would cause the identity to be persisted in the session, even when using stateless authenticators. If you don't want that, then you'd need to test whether the successful authenticator is stateless before setting the identity:

// Only persist the identity when a stateful (e.g. Form) authenticator succeeded,
// not when the stateless HttpBasic authenticator handled the request.
$provider = $this->Authentication->getAuthenticationService()->getAuthenticationProvider();
if (!($provider instanceof \Authentication\Authenticator\StatelessInterface)) {
    $this->Authentication->setIdentity(/* ... */);
}


Answered By - ndm
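A complementary approach, added here as an example and not part of ndm's answer or the cookbook code: build a different service per request path, so the REST routes keep HttpBasic with its proper 401 challenge while browser routes only get Session + Form and the login redirect, and the two authenticators never compete in one service. The `/api` prefix, the `/users/login` URL and the provider class name are assumptions; the app is assumed to be served from the document root and to wire the provider into its AuthenticationMiddleware.

```php
<?php
declare(strict_types=1);

namespace App\Authentication;

use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceProviderInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

// Assumed name: Application can implement the interface itself and copy this
// method, or delegate to an instance of this class.
final class PathAwareAuthenticationServiceProvider implements AuthenticationServiceProviderInterface
{
    // Assumed REST prefix; adjust to the app's routing.
    private const API_PREFIX = '/api';

    public function getAuthenticationService(ServerRequestInterface $request, ResponseInterface $response)
    {
        $service = new AuthenticationService();
        $fields = ['username' => 'user', 'password' => 'password'];
        $service->loadIdentifier('Authentication.Password', compact('fields'));

        $path = $request->getUri()->getPath();
        $isApi = $path === self::API_PREFIX
            || strpos($path, self::API_PREFIX . '/') === 0;

        if ($isApi) {
            // REST clients: stateless HttpBasic only. The 401 challenge is
            // wanted here, and no session or redirect is involved.
            $service->loadAuthenticator('Authentication.HttpBasic');
            return $service;
        }

        // Browser requests: Session + Form with the unauthenticated redirect.
        // HttpBasic is deliberately absent, so its challenge cannot preempt
        // the login form.
        $service->setConfig([
            'unauthenticatedRedirect' => '/users/login',
            'queryParam' => 'redirect',
        ]);
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator('Authentication.Form', [
            'fields' => $fields,
            'loginUrl' => '/users/login',
        ]);

        return $service;
    }
}
```

With this split, a controller that serves only `/api` routes never calls setIdentity(), so the StatelessInterface check above is only needed where one controller handles both kinds of request.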