Releases: cakephp/authentication
Release list
Authentication 2.11.2
Authentication 4.2.1
What's Changed
- Bump actions/checkout from 6 to 7 by @dependabot[bot] in #800
- Bump esbuild and vite in /docs by @dependabot[bot] in #801
- Improve documentation for CookieAuthenticator by @markstory in #803
- Improve cookie authentication tokens by @markstory in #805
Full Changelog: 4.2.0...4.2.1
Authentication 3.3.7
What's Changed
- Update link to finder documentation by @PhantomWatson in #804
- 3.x - security: replace unencrypted cookie auth tokens with verified, work-factor-bounded HMAC-SHA256 tokens by @markstory in #806
Full Changelog: 3.3.6...3.3.7
Authentication 2.11.1
What's Changed
- Backport security patches from 3.x and 4.x by @markstory in #799
Full Changelog: 2.11.0...2.11.1
Authentication 4.2.0
What's Changed
- Add AuthenticationComponent::replaceIdentity() by @dereuromark in #788
Full Changelog: 4.1.1...4.2.0
Authentication 3.3.6
What's Changed
- Fix an open redirect weakness in getLoginRedirect() by @markstory in #796
Full Changelog: 3.3.5...3.3.6
Authentication 4.1.1
What's Changed
- Update PHPUnit version requirement to include 13.0 by @dereuromark in #790
- Update stan by @LordSimal in #792
- small docs adjustments by @LordSimal in #793
- Add security policy by @jamisonbryant in #794
- Fix an open redirect weakness in getLoginRedirect() by @markstory in #795
Full Changelog: 4.1.0...4.1.1
Authentication 4.1.0
Improvements
-
Added
AuthenticationComponent::redirectAfterLogin()helper to make the safe post-login redirect path the obvious one. It resolves the validated local redirect target via the existinggetLoginRedirect()logic and falls back to the provided default, returning the controller redirect response directly (#787).if ($result->isValid()) { return $this->Authentication->redirectAfterLogin('/dashboard'); }
Full Changelog: 4.0.1...4.1.0
Authentication 4.0.1
What's Changed
Full Changelog: 4.0.0...4.0.1
Authentication 4.0.0
Breaking Changes
-
Identifier configuration format changed - Moved from nested array to flatter structure:
// Before 'identifier' => ['Authentication.Token' => ['tokenField' => 'id', ...]] // After 'identifier' => ['className' => 'Authentication.Token', 'tokenField' => 'id', ...]
-
Class renames:
CakeRouterUrlChecker→DefaultUrlCheckerDefaultUrlChecker(framework-agnostic) →GenericUrlChecker
-
SessionAuthenticator
identifyoption removed - This deprecated option has been removed. UsePrimaryKeySessionAuthenticatorif you need session-based authentication without password re-verification. -
Identifier parameter now optional in
AbstractAuthenticatorconstructor -
Removed deprecated code including
loadIdentifier()method -
Updated dependency:
firebase/php-jwtnow requires ^7.0
Improvements
- Lazy identifier initialization via
getIdentifier()method - Cleaner authenticator/identifier relationship
- Redirect validation feature (backported from 3.x)
- Plugin now properly declares
cakephp/cakephpas dependency Identity::get()now supports dot-separated field names for nested data access- New
IdentityHelper::getIdentity()method for easier identity access in templates PrimaryKeySessionAuthenticatornow has a defaultTokenIdentifierconfigured
Migration
Rector rules available at cakephp/upgrade#370 for automated migration assistance.
Full Changelog: 3.3.5...4.0.0