feat(auth): support multiple authenticatable models

innocenzi · innocenzi · commit aa8ba9531893 · 2025-08-24T16:44:18.000+02:00
diff --git a/packages/auth/src/AuthConfig.php b/packages/auth/src/AuthConfig.php
@@ -15,11 +15,11 @@
 final class AuthConfig
 {
     /**
-     * @param null|class-string<CanAuthenticate> $authenticatable
+     * @param array<class-string<CanAuthenticate>> $authenticatables
      * @param array<class-string,array<string,MethodReflector[]>> $policies
      */
     public function __construct(
-        public ?string $authenticatable = null,
+        public array $authenticatables = [],
         public array $policies = [],
     ) {}
 
diff --git a/packages/auth/src/AuthenticatableDiscovery.php b/packages/auth/src/AuthenticatableDiscovery.php
@@ -26,7 +26,7 @@ public function discover(DiscoveryLocation $location, ClassReflector $class): vo
     public function apply(): void
     {
         foreach ($this->discoveryItems as $discoveryItem) {
-            $this->authConfig->authenticatable = $discoveryItem;
+            $this->authConfig->authenticatables[] = $discoveryItem;
         }
     }
 }
diff --git a/packages/auth/src/Authentication/AuthenticatableResolver.php b/packages/auth/src/Authentication/AuthenticatableResolver.php
@@ -6,8 +6,10 @@ interface AuthenticatableResolver
 {
     /**
      * Resolves an authenticatable entity by the given ID.
+     *
+     * @param class-string<CanAuthenticate> $class
      */
-    public function resolve(int|string $id): ?CanAuthenticate;
+    public function resolve(int|string $id, string $class): ?CanAuthenticate;
 
     /**
      * Resolves an identifier for the given authenticatable entity.
diff --git a/packages/auth/src/Authentication/AuthenticatableResolverInitializer.php b/packages/auth/src/Authentication/AuthenticatableResolverInitializer.php
@@ -2,7 +2,6 @@
 
 namespace Tempest\Auth\Authentication;
 
-use Tempest\Auth\AuthConfig;
 use Tempest\Container\Container;
 use Tempest\Container\Initializer;
 use Tempest\Container\Singleton;
@@ -14,7 +13,6 @@ final class AuthenticatableResolverInitializer implements Initializer
     public function initialize(Container $container): AuthenticatableResolver
     {
         return new DatabaseAuthenticatableResolver(
-            authConfig: $container->get(AuthConfig::class),
             database: $container->get(Database::class),
         );
     }
diff --git a/packages/auth/src/Authentication/CurrentAuthenticatableInitializer.php b/packages/auth/src/Authentication/CurrentAuthenticatableInitializer.php
@@ -17,7 +17,7 @@
 {
     public function canInitialize(ClassReflector $class, null|string|UnitEnum $tag): bool
     {
-        return $class->implements(CanAuthenticate::class);
+        return $class->implements(CanAuthenticate::class) || $class->is(CanAuthenticate::class);
     }
 
     public function initialize(ClassReflector $class, null|string|UnitEnum $tag, Container $container): object
diff --git a/packages/auth/src/Authentication/DatabaseAuthenticatableResolver.php b/packages/auth/src/Authentication/DatabaseAuthenticatableResolver.php
@@ -2,7 +2,6 @@
 
 namespace Tempest\Auth\Authentication;
 
-use Tempest\Auth\AuthConfig;
 use Tempest\Auth\Exceptions\AuthenticatableModelWasInvalid;
 use Tempest\Auth\Exceptions\ModelIsNotAuthenticatable;
 use Tempest\Database\Database;
@@ -13,19 +12,16 @@
 final readonly class DatabaseAuthenticatableResolver implements AuthenticatableResolver
 {
     public function __construct(
-        private AuthConfig $authConfig,
         private Database $database,
     ) {}
 
-    public function resolve(int|string $id): ?CanAuthenticate
+    public function resolve(int|string $id, string $class): ?CanAuthenticate
     {
-        $model = query($this->authConfig->authenticatable)->findById($id);
-
-        if (! ($model instanceof CanAuthenticate)) {
-            throw new ModelIsNotAuthenticatable($this->authConfig->authenticatable);
+        if (! is_a($class, CanAuthenticate::class, allow_string: true)) {
+            throw new ModelIsNotAuthenticatable($class);
         }
 
-        return $model;
+        return query($class)->findById($id);
     }
 
     public function resolveId(CanAuthenticate $authenticatable): int|string
diff --git a/packages/auth/src/Authentication/SessionAuthenticator.php b/packages/auth/src/Authentication/SessionAuthenticator.php
@@ -9,7 +9,8 @@
 
 final readonly class SessionAuthenticator implements Authenticator
 {
-    public const string AUTHENTICATABLE_KEY = '#authenticatable';
+    public const string AUTHENTICATABLE_KEY = '#authenticatable:id';
+    public const string AUTHENTICATABLE_CLASS = '#authenticatable:class';
 
     public function __construct(
         private AuthConfig $authConfig,
@@ -19,6 +20,11 @@ public function __construct(
 
     public function authenticate(CanAuthenticate $authenticatable): void
     {
+        $this->session->set(
+            key: self::AUTHENTICATABLE_CLASS,
+            value: $authenticatable::class,
+        );
+
         $this->session->set(
             key: self::AUTHENTICATABLE_KEY,
             value: $this->authenticatableResolver->resolveId($authenticatable),
@@ -34,11 +40,12 @@ public function deauthenticate(): void
     public function current(): ?CanAuthenticate
     {
         $id = $this->session->get(self::AUTHENTICATABLE_KEY);
+        $class = $this->session->get(self::AUTHENTICATABLE_CLASS);
 
-        if (! $id) {
+        if (! $id || ! $class) {
             return null;
         }
 
-        return $this->authenticatableResolver->resolve($id);
+        return $this->authenticatableResolver->resolve($id, $class);
     }
 }
diff --git a/tests/Integration/Auth/AccessControl/PolicyBasedAccessControlTest.php b/tests/Integration/Auth/AccessControl/PolicyBasedAccessControlTest.php
@@ -242,6 +242,20 @@ public function policy_for_can_accept_multiple_actions(): void
         $this->assertFalse($downloadResultOther->granted);
     }
 
+    #[Test]
+    public function policy_with_multiple_authenticatables(): void
+    {
+        $this->registerPoliciesFrom(MultiAuthenticatablePolicy::class);
+
+        $accessControl = $this->container->get(AccessControl::class);
+        $document = new Document(title: 'Test Document', authorId: 1);
+        $user = new User(userId: 1);
+        $serviceAccount = new ServiceAccount(accountId: 1);
+
+        $this->assertTrue($accessControl->isGranted('view', $document, $user)->granted);
+        $this->assertTrue($accessControl->isGranted('view', $document, $serviceAccount)->granted);
+    }
+
     #[Test]
     public function throws_exception_when_policy_resource_parameter_type_is_invalid(): void
     {
@@ -324,6 +338,17 @@ public function __construct(
     }
 }
 
+final class ServiceAccount implements CanAuthenticate
+{
+    public PrimaryKey $id;
+
+    public function __construct(
+        int $accountId,
+    ) {
+        $this->id = new PrimaryKey($accountId);
+    }
+}
+
 final class Comment
 {
     public function __construct(
@@ -432,6 +457,19 @@ public function readAndDownload(?Document $resource, ?User $subject): bool
     }
 }
 
+final class MultiAuthenticatablePolicy
+{
+    #[PolicyFor(Document::class)]
+    public function view(?Document $_resource, null|User|ServiceAccount $subject): bool
+    {
+        if (! ($subject instanceof CanAuthenticate)) {
+            return false;
+        }
+
+        return true;
+    }
+}
+
 final class InvalidResourceTypePolicy
 {
     // expects a User as resource but will receive a Post
diff --git a/tests/Integration/Auth/Authentication/AuthenticatableDiscoveryTest.php b/tests/Integration/Auth/Authentication/AuthenticatableDiscoveryTest.php
@@ -21,14 +21,21 @@ public function discovers_authenticatable_class(): void
 
         $discovery = new AuthenticatableDiscovery($config);
         $discovery->setItems(new DiscoveryItems([]));
-        $discovery->discover(new DiscoveryLocation('', ''), new ClassReflector(Device::class));
+        $discovery->discover(new DiscoveryLocation('', ''), new ClassReflector(AuthenticatableDevice::class));
+        $discovery->discover(new DiscoveryLocation('', ''), new ClassReflector(AuthenticatableUser::class));
         $discovery->apply();
 
-        $this->assertSame(Device::class, $config->authenticatable);
+        $this->assertContains(AuthenticatableDevice::class, $config->authenticatables);
+        $this->assertContains(AuthenticatableUser::class, $config->authenticatables);
     }
 }
 
-final class Device implements CanAuthenticate
+final class AuthenticatableDevice implements CanAuthenticate
+{
+    public PrimaryKey $id;
+}
+
+final class AuthenticatableUser implements CanAuthenticate
 {
     public PrimaryKey $id;
 }
diff --git a/tests/Integration/Auth/Authentication/CurrentAuthenticatableTest.php b/tests/Integration/Auth/Authentication/CurrentAuthenticatableTest.php
@@ -24,7 +24,7 @@ protected function configure(): void
     {
         $this->migrate(CreateMigrationsTable::class, CreateServiceAccountTableMigration::class);
 
-        $this->container->config(new AuthConfig(authenticatable: ServiceAccount::class));
+        $this->container->config(new AuthConfig(authenticatables: [ServiceAccount::class]));
     }
 
     #[Test]
diff --git a/tests/Integration/Auth/Authentication/DatabaseAuthenticatableResolverTest.php b/tests/Integration/Auth/Authentication/DatabaseAuthenticatableResolverTest.php
@@ -23,12 +23,12 @@ public function can_resolve_custom_authenticatable_class(): void
     {
         $this->migrate(CreateMigrationsTable::class, CreateApiTokensTableMigration::class);
 
-        $this->container->config(new AuthConfig(authenticatable: ApiToken::class));
+        $this->container->config(new AuthConfig(authenticatables: [ApiToken::class]));
 
         $authenticatable = query(ApiToken::class)->create();
 
         $authenticatableResolver = $this->container->get(AuthenticatableResolver::class);
-        $resolved = $authenticatableResolver->resolve($authenticatable->id);
+        $resolved = $authenticatableResolver->resolve($authenticatable->id, ApiToken::class);
 
         $this->assertEquals($authenticatable->id, $resolved->id);
     }
@@ -38,7 +38,7 @@ public function can_resolve_id_from_custom_authenticatable_class(): void
     {
         $this->migrate(CreateMigrationsTable::class, CreateApiTokensTableMigration::class);
 
-        $this->container->config(new AuthConfig(authenticatable: ApiToken::class));
+        $this->container->config(new AuthConfig(authenticatables: [ApiToken::class]));
 
         $authenticatable = query(ApiToken::class)->create(id: 10);
 
diff --git a/tests/Integration/Auth/Authentication/SessionAuthenticatorTest.php b/tests/Integration/Auth/Authentication/SessionAuthenticatorTest.php
@@ -11,6 +11,7 @@
 use Tempest\Auth\Authentication\Authenticator;
 use Tempest\Auth\Authentication\CanAuthenticate;
 use Tempest\Auth\Authentication\SessionAuthenticator;
+use Tempest\Auth\Exceptions\AuthenticatableWasMissing;
 use Tempest\Clock\Clock;
 use Tempest\Core\FrameworkKernel;
 use Tempest\Database\MigratesUp;
@@ -34,7 +35,7 @@
  */
 final class SessionAuthenticatorTest extends FrameworkIntegrationTestCase
 {
-    private string $path = __DIR__ . '/Fixtures/tmp';
+    private string $path = __DIR__ . '/tmp';
 
     #[PreCondition]
     protected function configure(): void
@@ -43,13 +44,13 @@ protected function configure(): void
 
         $this->container->get(FrameworkKernel::class)->internalStorage = realpath($this->path);
         $this->container->config(new FileSessionConfig(path: 'sessions', expiration: Duration::hours(2)));
-        $this->container->config(new AuthConfig(authenticatable: User::class));
+        $this->container->config(new AuthConfig(authenticatables: [User::class]));
         $this->container->singleton(SessionManager::class, fn () => new FileSessionManager(
             $this->container->get(Clock::class),
             $this->container->get(SessionConfig::class),
         ));
 
-        $this->migrate(CreateMigrationsTable::class, CreateUsersTableMigration::class);
+        $this->migrate(CreateMigrationsTable::class, CreateUsersTableMigration::class, CreateApiKeysTableMigration::class);
     }
 
     #[PostCondition]
@@ -66,6 +67,7 @@ public function deauthenticated_by_default(): void
 
         $this->assertNull($authenticator->current());
         $this->assertNull($session->get(SessionAuthenticator::AUTHENTICATABLE_KEY));
+        $this->assertNull($session->get(SessionAuthenticator::AUTHENTICATABLE_CLASS));
     }
 
     #[Test]
@@ -79,6 +81,7 @@ public function can_authenticate(): void
 
         $this->assertInstanceOf(User::class, $authenticator->current());
         $this->assertSame($user->id->value, $session->get(SessionAuthenticator::AUTHENTICATABLE_KEY));
+        $this->assertSame(User::class, $session->get(SessionAuthenticator::AUTHENTICATABLE_CLASS));
     }
 
     #[Test]
@@ -93,6 +96,41 @@ public function can_deauthenticate(): void
 
         $this->assertNull($authenticator->current());
         $this->assertNull($session->get(SessionAuthenticator::AUTHENTICATABLE_KEY));
+        $this->assertNull($session->get(SessionAuthenticator::AUTHENTICATABLE_CLASS));
+    }
+
+    #[Test]
+    public function multiple_authenticatables(): void
+    {
+        $authenticator = $this->container->get(Authenticator::class);
+
+        $user = query(User::class)->create(full_name: 'Frieren the Slayer');
+        $apiKey = query(ApiKey::class)->create(description: 'API key for Frieren');
+
+        $authenticator->authenticate($user);
+        $this->assertInstanceOf(User::class, $authenticator->current());
+        $this->assertInstanceOf(User::class, $this->container->invoke(ServiceWithAuthenticatable::class));
+        $this->assertSame('Frieren the Slayer', $authenticator->current()->full_name);
+        $authenticator->deauthenticate();
+
+        $authenticator->authenticate($apiKey);
+        $this->assertInstanceOf(ApiKey::class, $authenticator->current());
+        $this->assertInstanceOf(ApiKey::class, $this->container->invoke(ServiceWithAuthenticatable::class));
+        $this->assertSame('API key for Frieren', $authenticator->current()->description);
+        $authenticator->deauthenticate();
+
+        $this->assertNull($authenticator->current());
+
+        $this->assertException(AuthenticatableWasMissing::class, fn () => $this->container->invoke(ServiceWithAuthenticatable::class));
+    }
+}
+
+final class ServiceWithAuthenticatable
+{
+    // TODO: User|ApiKey should work, but it currently yields a circular dependency error.
+    public function __invoke(CanAuthenticate $authenticatable): object
+    {
+        return $authenticatable;
     }
 }
 
@@ -116,3 +154,24 @@ public function up(): QueryStatement
             ->string('full_name');
     }
 }
+
+final class ApiKey implements CanAuthenticate
+{
+    public PrimaryKey $id;
+
+    public function __construct(
+        public string $description,
+    ) {}
+}
+
+final class CreateApiKeysTableMigration implements MigratesUp
+{
+    public string $name = 'create_api_keys_table';
+
+    public function up(): QueryStatement
+    {
+        return new CreateTableStatement('api_keys')
+            ->primary()
+            ->string('description');
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ public function discover(DiscoveryLocation $location, ClassReflector $class): vo`
`26`	`26`	`public function apply(): void`
`27`	`27`	`{`
`28`	`28`	`foreach ($this->discoveryItems as $discoveryItem) {`
`29`		`- $this->authConfig->authenticatable = $discoveryItem;`
	`29`	`+ $this->authConfig->authenticatables[] = $discoveryItem;`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@`
`2`	`2`
`3`	`3`	`namespace Tempest\Auth\Authentication;`
`4`	`4`
`5`		`-use Tempest\Auth\AuthConfig;`
`6`	`5`	`use Tempest\Container\Container;`
`7`	`6`	`use Tempest\Container\Initializer;`
`8`	`7`	`use Tempest\Container\Singleton;`
`@@ -14,7 +13,6 @@ final class AuthenticatableResolverInitializer implements Initializer`
`14`	`13`	`public function initialize(Container $container): AuthenticatableResolver`
`15`	`14`	`{`
`16`	`15`	`return new DatabaseAuthenticatableResolver(`
`17`		`- authConfig: $container->get(AuthConfig::class),`
`18`	`16`	`database: $container->get(Database::class),`
`19`	`17`	`);`
`20`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`{`
`18`	`18`	`public function canInitialize(ClassReflector $class, null\|string\|UnitEnum $tag): bool`
`19`	`19`	`{`
`20`		`- return $class->implements(CanAuthenticate::class);`
	`20`	`+ return $class->implements(CanAuthenticate::class) \|\| $class->is(CanAuthenticate::class);`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`public function initialize(ClassReflector $class, null\|string\|UnitEnum $tag, Container $container): object`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@`
`9`	`9`
`10`	`10`	`final readonly class SessionAuthenticator implements Authenticator`
`11`	`11`	`{`
`12`		`- public const string AUTHENTICATABLE_KEY = '#authenticatable';`
	`12`	`+ public const string AUTHENTICATABLE_KEY = '#authenticatable:id';`
	`13`	`+ public const string AUTHENTICATABLE_CLASS = '#authenticatable:class';`
`13`	`14`
`14`	`15`	`public function __construct(`
`15`	`16`	`private AuthConfig $authConfig,`
`@@ -19,6 +20,11 @@ public function __construct(`
`19`	`20`
`20`	`21`	`public function authenticate(CanAuthenticate $authenticatable): void`
`21`	`22`	`{`
	`23`	`+ $this->session->set(`
	`24`	`+ key: self::AUTHENTICATABLE_CLASS,`
	`25`	`+ value: $authenticatable::class,`
	`26`	`+ );`
	`27`	`+`
`22`	`28`	`$this->session->set(`
`23`	`29`	`key: self::AUTHENTICATABLE_KEY,`
`24`	`30`	`value: $this->authenticatableResolver->resolveId($authenticatable),`
`@@ -34,11 +40,12 @@ public function deauthenticate(): void`
`34`	`40`	`public function current(): ?CanAuthenticate`
`35`	`41`	`{`
`36`	`42`	`$id = $this->session->get(self::AUTHENTICATABLE_KEY);`
	`43`	`+ $class = $this->session->get(self::AUTHENTICATABLE_CLASS);`
`37`	`44`
`38`		`- if (! $id) {`
	`45`	`+ if (! $id \|\| ! $class) {`
`39`	`46`	`return null;`
`40`	`47`	`}`
`41`	`48`
`42`		`- return $this->authenticatableResolver->resolve($id);`
	`49`	`+ return $this->authenticatableResolver->resolve($id, $class);`
`43`	`50`	`}`
`44`	`51`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,14 +21,21 @@ public function discovers_authenticatable_class(): void`
`21`	`21`
`22`	`22`	`$discovery = new AuthenticatableDiscovery($config);`
`23`	`23`	`$discovery->setItems(new DiscoveryItems([]));`
`24`		`- $discovery->discover(new DiscoveryLocation('', ''), new ClassReflector(Device::class));`
	`24`	`+ $discovery->discover(new DiscoveryLocation('', ''), new ClassReflector(AuthenticatableDevice::class));`
	`25`	`+ $discovery->discover(new DiscoveryLocation('', ''), new ClassReflector(AuthenticatableUser::class));`
`25`	`26`	`$discovery->apply();`
`26`	`27`
`27`		`- $this->assertSame(Device::class, $config->authenticatable);`
	`28`	`+ $this->assertContains(AuthenticatableDevice::class, $config->authenticatables);`
	`29`	`+ $this->assertContains(AuthenticatableUser::class, $config->authenticatables);`
`28`	`30`	`}`
`29`	`31`	`}`
`30`	`32`
`31`		`-final class Device implements CanAuthenticate`
	`33`	`+final class AuthenticatableDevice implements CanAuthenticate`
	`34`	`+{`
	`35`	`+ public PrimaryKey $id;`
	`36`	`+}`
	`37`	`+`
	`38`	`+final class AuthenticatableUser implements CanAuthenticate`
`32`	`39`	`{`
`33`	`40`	`public PrimaryKey $id;`
`34`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ protected function configure(): void`
`24`	`24`	`{`
`25`	`25`	`$this->migrate(CreateMigrationsTable::class, CreateServiceAccountTableMigration::class);`
`26`	`26`
`27`		`- $this->container->config(new AuthConfig(authenticatable: ServiceAccount::class));`
	`27`	`+ $this->container->config(new AuthConfig(authenticatables: [ServiceAccount::class]));`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`#[Test]`