From 4b6c24829679328a8d4067d60bcf3cbdedee5a0d Mon Sep 17 00:00:00 2001 From: Garion Herman Date: Fri, 30 Aug 2024 10:00:31 +0900 Subject: [PATCH] API Remove ALC renewal, tweak extension point The ALC token is no longer rotated during an active login. Also removed related `replace_token_during_session_renewal` config. The extension point that was previously provided in the `renew()` method has been renamed and is now triggered externally in the `CookieAuthenticationHandler::authenticateRequest()` method. --- .../CookieAuthenticationHandler.php | 18 ++--------- src/Security/RememberLoginHash.php | 31 ------------------- 2 files changed, 2 insertions(+), 47 deletions(-) diff --git a/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php b/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php index 2ac9ddd9fdc..917b70c961e 100644 --- a/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php +++ b/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php @@ -175,22 +175,8 @@ public function authenticateRequest(HTTPRequest $request) $this->cascadeInTo->logIn($member, false, $request); } - // Renew the token - Deprecation::withSuppressedNotice(fn() => $rememberLoginHash->renew()); - - // Send the new token to the client if it was changed - if ($rememberLoginHash->getToken()) { - $tokenExpiryDays = RememberLoginHash::config()->uninherited('token_expiry_days'); - Cookie::set( - $this->getTokenCookieName(), - $member->ID . ':' . $rememberLoginHash->getToken(), - $tokenExpiryDays, - null, - null, - false, - true - ); - } + // Session renewal hook + $rememberLoginHash->extend('onAfterRenewSession'); // Audit logging hook $member->extend('memberAutoLoggedIn'); diff --git a/src/Security/RememberLoginHash.php b/src/Security/RememberLoginHash.php index 8af22057353..fc49f8c8040 100644 --- a/src/Security/RememberLoginHash.php +++ b/src/Security/RememberLoginHash.php @@ -80,15 +80,6 @@ class RememberLoginHash extends DataObject */ private static $force_single_token = false; - /** - * If true, the token will be replaced during session renewal. This can cause unexpected - * logouts if the new token does not reach the client (e.g. due to a network error). - * - * This can be disabled as of CMS 5.3, and renewal will be removed entirely in CMS 6. - * @deprecated 5.3.0 Will be removed without equivalent functionality - */ - private static bool $replace_token_during_session_renewal = true; - /** * The token used for the hash. Only present during the lifetime of the request * that generates it, as the hash representation is stored in the database and @@ -199,28 +190,6 @@ public static function generate(Member $member) return $rememberLoginHash; } - /** - * Generates a new hash for this member but keeps the device ID intact - * - * @deprecated 5.3.0 Will be removed without equivalent functionality - * @return RememberLoginHash - */ - public function renew() - { - // Only regenerate token if configured to do so - Deprecation::notice('5.3.0', 'Will be removed without equivalent functionality'); - $replaceToken = RememberLoginHash::config()->get('replace_token_during_session_renewal'); - if ($replaceToken) { - $hash = $this->getNewHash($this->Member()); - $this->Hash = $hash; - } - - $this->extend('onAfterRenewToken', $replaceToken); - $this->write(); - - return $this; - } - /** * Deletes existing tokens for this member * if logout_across_devices is true, all tokens are deleted, otherwise