Merge branch 'temp' into 'fix-email-delivery-error-log'

Author: sammyskills

.github/release.yml

@@ -0,0 +1,23 @@
+changelog:
+  exclude:
+    authors:
+      - dependabot
+  categories:
+    - title: Breaking Changes
+      labels:
+        - 'breaking change'
+    - title: Fixed Bugs
+      labels:
+        - bug
+    - title: New Features
+      labels:
+        - 'new feature'
+    - title: Enhancements
+      labels:
+        - enhancement
+    - title: Refactoring
+      labels:
+        - refactor
+    - title: Others (Only for checking. Remove this category)
+      labels:
+        - "*"

README.md

@@ -35,7 +35,7 @@ access for a mobile application that you build.
 
 Usage of Shield requires the following:
 
-- A [CodeIgniter 4](https://github.com/codeigniter4/CodeIgniter4/)-based project
+- A [CodeIgniter 4.2.3+](https://github.com/codeigniter4/CodeIgniter4/) based project
 - [Composer](https://getcomposer.org/) for package management
 - PHP 7.4.3+
 

composer.json

@@ -23,7 +23,7 @@
     },
     "require-dev": {
         "codeigniter4/devkit": "^1.0",
-        "codeigniter4/framework": "^4.1",
+        "codeigniter4/framework": "^4.2.3",
         "mockery/mockery": "^1.0"
     },
     "provide": {

docs/customization.md

@@ -95,35 +95,47 @@ Shield has the following rules for registration:
 
 ```php
 [
-    'username'         => [
-            'required',
-            'max_length[30]',
-            'min_length[3]',
-            'regex_match[/\A[a-zA-Z0-9\.]+\z/]',
-            'is_unique[users.username]',
-        ],
-    'email'            => 'required|max_length[254]|valid_email|is_unique[auth_identities.secret]',
-    'password'         => 'required|strong_password',
-    'password_confirm' => 'required|matches[password]',
+    'username' => [
+        'label' =>  'Auth.username',
+        'rules' => 'required|max_length[30]|min_length[3]|regex_match[/\A[a-zA-Z0-9\.]+\z/]|is_unique[users.username]',
+    ],
+    'email' => [
+        'label' =>  'Auth.email',
+        'rules' => 'required|max_length[254]|valid_email|is_unique[auth_identities.secret]',
+    ],
+    'password' => [
+        'label' =>  'Auth.password',
+        'rules' => 'required|strong_password',
+    ],
+    'password_confirm' => [
+        'label' =>  'Auth.passwordConfirm',
+        'rules' => 'required|matches[password]',
+    ],
 ];
 ```
 
 If you need a different set of rules for registration, you can specify them in your `Validation` configuration (**app/Config/Validation.php**) like:
 
 ```php
-//--------------------------------------------------------------------
-// Rules
-//--------------------------------------------------------------------
-public $registration = [
-    'username'         => [
-            'required',
-            'max_length[30]',
-            'min_length[3]',
-            'regex_match[/\A[a-zA-Z0-9\.]+\z/]',
-            'is_unique[users.username]',
+    //--------------------------------------------------------------------
+    // Rules
+    //--------------------------------------------------------------------
+    public $registration = [
+        'username' => [
+            'label' =>  'Auth.username',
+            'rules' => 'required|max_length[30]|min_length[3]|regex_match[/\A[a-zA-Z0-9\.]+\z/]|is_unique[users.username]',
         ],
-    'email'            => 'required|max_length[254]|valid_email|is_unique[auth_identities.secret]',
-    'password'         => 'required|strong_password',
-    'password_confirm' => 'required|matches[password]',
-];
+        'email' => [
+            'label' =>  'Auth.email',
+            'rules' => 'required|max_length[254]|valid_email|is_unique[auth_identities.secret]',
+        ],
+        'password' => [
+            'label' =>  'Auth.password',
+            'rules' => 'required|strong_password',
+        ],
+        'password_confirm' => [
+            'label' =>  'Auth.passwordConfirm',
+            'rules' => 'required|matches[password]',
+        ],
+    ];
 ```

docs/install.md

@@ -12,6 +12,12 @@
 
 These instructions assume that you have already [installed the CodeIgniter 4 app starter](https://codeigniter.com/user_guide/installation/installing_composer.html) as the basis for your new project, set up your `.env` file, and created a database that you can access via the Spark CLI script.
 
+> **Note**
+> CodeIgniter Shield requires Codeigniter v4.2.3 or later.
+
+> **Note**
+> You must set ``Config\Security::$csrfProtection`` to `'session'` (or set `security.csrfProtection = session` in your `.env` file) for security reasons, if you use Session Authenticator.
+
 Installation is done through [Composer](https://getcomposer.org). The example assumes you have it installed globally.
 If you have it installed as a phar, or othewise you will need to adjust the way you call composer itself.
 

src/Authentication/Actions/Email2FA.php

@@ -77,7 +77,7 @@ public function handle(IncomingRequest $request)
         $email->setMessage(view(setting('Auth.views')['action_email_2fa_email'], ['code' => $identity->secret]));
 
         if ($email->send(false) === false) {
-            throw new RuntimeException('Cannot send email for user: ' . $user->email . '\n' . $email->printDebugger(['headers']));
+            throw new RuntimeException('Cannot send email for user: ' . $user->email . "\n" . $email->printDebugger(['headers']));
         }
 
         return view(setting('Auth.views')['action_email_2fa_verify']);
@@ -114,7 +114,7 @@ public function afterLogin(User $user): void
         $this->createIdentity($user);
     }
 
-    private function createIdentity(User $user): void
+    final protected function createIdentity(User $user): void
     {
         /** @var UserIdentityModel $identityModel */
         $identityModel = model(UserIdentityModel::class);

src/Authentication/Actions/EmailActivator.php

@@ -47,7 +47,7 @@ public function show(): string
         $email->setMessage(view(setting('Auth.views')['action_email_activate_email'], ['code' => $code]));
 
         if ($email->send(false) === false) {
-            throw new RuntimeException('Cannot send email for user: ' . $user->email . '\n' . $email->printDebugger(['headers']));
+            throw new RuntimeException('Cannot send email for user: ' . $user->email . "\n" . $email->printDebugger(['headers']));
         }
 
         // Display the info page
@@ -100,7 +100,7 @@ public function afterRegister(User $user): void
         $this->createIdentity($user);
     }
 
-    private function createIdentity(User $user): string
+    final protected function createIdentity(User $user): string
     {
         /** @var UserIdentityModel $identityModel */
         $identityModel = model(UserIdentityModel::class);

src/Authentication/Authenticators/Session.php

@@ -15,11 +15,14 @@
 use CodeIgniter\Shield\Entities\UserIdentity;
 use CodeIgniter\Shield\Exceptions\InvalidArgumentException;
 use CodeIgniter\Shield\Exceptions\LogicException;
+use CodeIgniter\Shield\Exceptions\SecurityException;
 use CodeIgniter\Shield\Models\LoginModel;
 use CodeIgniter\Shield\Models\RememberModel;
 use CodeIgniter\Shield\Models\UserIdentityModel;
 use CodeIgniter\Shield\Models\UserModel;
 use CodeIgniter\Shield\Result;
+use Config\Security;
+use Config\Services;
 use stdClass;
 
 class Session implements AuthenticatorInterface
@@ -72,6 +75,25 @@ public function __construct(UserModel $provider)
         $this->loginModel        = model(LoginModel::class);
         $this->rememberModel     = model(RememberModel::class);
         $this->userIdentityModel = model(UserIdentityModel::class);
+
+        $this->checkSecurityConfig();
+    }
+
+    /**
+     * Checks less secure Configuration.
+     */
+    private function checkSecurityConfig(): void
+    {
+        /** @var Security $securityConfig */
+        $securityConfig = config('Security');
+
+        if ($securityConfig->csrfProtection === 'cookie') {
+            throw new SecurityException(
+                'Config\Security::$csrfProtection is set to \'cookie\'.'
+                . ' Same-site attackers may bypass the CSRF protection.'
+                . ' Please set it to \'session\'.'
+            );
+        }
     }
 
     /**
@@ -567,7 +589,10 @@ public function startLogin(User $user): void
 
         // Regenerate the session ID to help protect against session fixation
         if (ENVIRONMENT !== 'testing') {
-            session()->regenerate();
+            session()->regenerate(true);
+
+            // Regenerate CSRF token even if `security.regenerate = false`.
+            Services::security()->generateHash();
         }
 
         // Let the session know we're logged in

src/Controllers/LoginController.php

@@ -70,9 +70,18 @@ public function loginAction(): RedirectResponse
     protected function getValidationRules(): array
     {
         return setting('Validation.login') ?? [
-            //'username' => config('AuthSession')->usernameValidationRules,
-            'email'    => config('AuthSession')->emailValidationRules,
-            'password' => 'required',
+            // 'username' => [
+            //     'label' => 'Auth.username',
+            //     'rules' => config('AuthSession')->usernameValidationRules,
+            // ],
+            'email' => [
+                'label' => 'Auth.email',
+                'rules' => config('AuthSession')->emailValidationRules,
+            ],
+            'password' => [
+                'label' => 'Auth.password',
+                'rules' => 'required',
+            ],
         ];
     }
 

src/Controllers/MagicLinkController.php

@@ -192,7 +192,10 @@ private function recordLoginAttempt(
     protected function getValidationRules(): array
     {
         return [
-            'email' => config('AuthSession')->emailValidationRules,
+            'email' => [
+                'label' => 'Auth.email',
+                'rules' => config('AuthSession')->emailValidationRules,
+            ],
         ];
     }
 }