Zend Framework 2 - Global check for authentication with ZFCUser

Question

I installed ZFCUser successfully. Now I wonder if there is a way to globally check for authentication.

As outlined in the wiki there ar

Answer 1

You can use ZF2 module BjyAuthorize to block/allow access to pages based on user roles such as guest, user etc using controller guard, route guard etc

Answer 2

People,

Tip, dont forget the add the "use" to correct RouteMatch statement:

use Zend\Mvc\Router\Http\RouteMatch;

Here need this:

if (!$match instanceof RouteMatch)...

If you forget, the if above have inconstant

Answer 3

Another option might be to create your own abstract controller superclass and implement the onDispatch() method like this:

public function onDispatch(MvcEvent $e) 
{
    // check authentication here

    return parent::onDispatch($e);
}

You can implement a whitelist there too :).

Answer 4

On ZF 2.4.2 I do this in Module.php

class module {

protected $whitelist = array(
    'Application\Controller\Login'
);

public function onBootstrap(MvcEvent $e)
{

    $eventManager        = $e->getApplication()->getEventManager();
    $moduleRouteListener = new ModuleRouteListener();
    $moduleRouteListener->attach($eventManager);

    // add event
    $eventManager->attach('dispatch', array($this, 'checkLogin')); 

}

public function checkLogin($e)
{

    $auth   = $e->getApplication()->getServiceManager()->get("Zend\Authentication\AuthenticationService");
    $target = $e->getTarget();
    $match  = $e->getRouteMatch();

    $controller = $match->getParam('controller');

    if( !in_array($controller, $this->whitelist)){
        if( !$auth->hasIdentity() ){
            return $target->redirect()->toUrl('/login');
        }
    }

}

//other methods....
}

Answer 5

To be honest, I don't think it is a good idea to block every page for a non-authenticated user. How would you access the login page?

That said, you must know the page being accessed, to make a whitelist of pages accessible for anonymous visitors. To start, I'd suggest to include the login page. You can check pages the easiest by using their route. So check the current matched route against the whitelist. If blocked, act upon. Otherwise, do nothing.

An example would be inside a Module.php from a module, for example your application:

namespace Application;

use Zend\Mvc\MvcEvent;
use Zend\Mvc\Router\RouteMatch;

class Module
{
    protected $whitelist = array('zfcuser/login');

    public function onBootstrap($e)
    {
        $app = $e->getApplication();
        $em  = $app->getEventManager();
        $sm  = $app->getServiceManager();

        $list = $this->whitelist;
        $auth = $sm->get('zfcuser_auth_service');

        $em->attach(MvcEvent::EVENT_ROUTE, function($e) use ($list, $auth) {
            $match = $e->getRouteMatch();

            // No route match, this is a 404
            if (!$match instanceof RouteMatch) {
                return;
            }

            // Route is whitelisted
            $name = $match->getMatchedRouteName();
            if (in_array($name, $list)) {
                return;
            }

            // User is authenticated
            if ($auth->hasIdentity()) {
                return;
            }

            // Redirect to the user login page, as an example
            $router   = $e->getRouter();
            $url      = $router->assemble(array(), array(
                'name' => 'zfcuser/login'
            ));

            $response = $e->getResponse();
            $response->getHeaders()->addHeaderLine('Location', $url);
            $response->setStatusCode(302);

            return $response;
        }, -100);
    }
}