PHPFixing

Thursday, March 17, 2022

[FIXED] Checking logged-in user info on CakePHP when using a custom auth adapter

Tags: authentication, cakephp, jwt, php

Issue

I'm using this JWTAuth adapter to use JWT authentication instead of cookie-based auth in my CakePHP 2.8 app. It works great, except for one hitch:

Normally, for one of my REST endpoints, I can use $this->Auth->user("id") to get the currently logged-in user's ID.

When I try to make a controller action accessible to non-members using $this->Auth->allow(), a problem occurs. If I do this, using $this->Auth->loggedIn() in the controller returns false, meaning I cannot add additional logic for logged-in users.

When using standard cookie auth:

  • $this->Auth->user('id') is available in Controller::beforeFilter().
  • $this->Auth->loggedIn() is true in Controller::beforeFilter().
  • $this->Auth->user('id') is available in controller actions, public and members-only.
  • $this->Auth->loggedIn() is true in controller actions, public and members-only.

When using JWT auth:

  • $this->Auth->user('id') is null in Controller::beforeFilter().
  • $this->Auth->loggedIn() is false in Controller::beforeFilter().
  • $this->Auth->user('id') is available in members-only controller actions, and null in public controller actions.
  • $this->Auth->loggedIn() is true in members-only controller actions, and false in public controller actions.

Is there any way I can get Auth to include information returned by the JWTAuth component on actions that have been made public by $this->Auth->allow()?

Example controller here:

public function visible(){
    // This will always be false, even if a valid JWT token is sent
    $this->set("loggedIn", $this->Auth->loggedIn());
}

public function members_only(){
    // This action is unavailable if not logged in, and this will be true if logged in
    $this->set("loggedIn", $this->Auth->loggedIn());
}

public function beforeFilter($options = array()){
    parent::beforeFilter();

    $this->Auth->allow("visible");
}

And for reference, my AppController::components array:

public $components = array(
    'DebugKit.Toolbar',
    'Auth' => array(
        'authorize' => array(
            'Actions' => array(
                'actionPath' => 'controllers'
            ),
        ),
        'authenticate' => array(
            'Form' => array(
                'fields' => array('username' => 'email'),
                'contain' => array(
                    'UserProfile',
                )
            ),
            'JwtAuth.JwtToken' => array(
                'fields' => array(
                    'username' => 'email',
                    'token' => 'password',
                ),
                'header' => 'AuthToken',
                'userModel' => 'User',
            ),
        ),
        'unauthorizedRedirect' => false
    ),
    "Acl",
    "RequestHandler",
    "Session"
);

Solution

I'm a bit late, but I found a solution to this problem, but (warning!) it involved updating the code for AuthComponent.

I took a copy of Lib/Controller/Component/AuthComponent.php and placed it under app/Controller/Component/AuthComponent.php.

I then added one line to the file:

public function startup(Controller $controller) {
    $methods = array_flip(array_map('strtolower', $controller->methods));
    $action = strtolower($controller->request->params['action']);

    // One-line modification from the ordinary CakePHP file.
    // This lets us have info on the logged-in user in public actions when using stateless auth.
    $this->_getUser();

    // ... the rest of the original startup() method is unchanged ...
}

Voila, you can now access user info on the server while accessing a non-protected controller function with stateless auth!



Answered By - caitlin
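
The same fix can be applied without shadowing the core file, so the application keeps receiving upstream AuthComponent changes. This is an added example, not part of the original answer: the class name StatelessAuthComponent and its file path are hypothetical, and it assumes CakePHP 2.x, where _getUser() is a protected method of AuthComponent and components can be aliased with className.

```php
<?php
// app/Controller/Component/StatelessAuthComponent.php
// Added example: class and file name are hypothetical, not from the original post.
App::uses('AuthComponent', 'Controller/Component');

class StatelessAuthComponent extends AuthComponent {

    /**
     * Resolve the user before the stock startup() runs, so actions opened
     * with Auth->allow() also see a user when a valid token is sent.
     */
    public function startup(Controller $controller) {
        // Same call the answer adds to its copy of AuthComponent. It asks each
        // configured authenticate object (JwtAuth.JwtToken included) for a user
        // based on the current request. The return value is ignored on purpose:
        // a missing or invalid token simply leaves the request anonymous.
        $this->_getUser();

        // The unmodified core logic still decides allow/deny for the action.
        return parent::startup($controller);
    }
}

// In AppController::$components, keep the existing settings and load the
// subclass under the usual alias so $this->Auth keeps working:
//
//     'Auth' => array(
//         'className' => 'StatelessAuth',
//         'authorize' => array(/* unchanged */),
//         'authenticate' => array(/* unchanged */),
//         'unauthorizedRedirect' => false
//     ),
```

Public actions still have to treat a null $this->Auth->user() as an anonymous request, since no token is required to reach them.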