dts777777 2012-01-15 23:52

Login using email address or username in CakePHP v2.0

In CakePHP prior to 2.0 you could allow a user to log in using their email address by stopping the autoRedirect and then comparing the username data to the email column in your database (apparently Cake could then fall back to username checks if not an email).

In CakePHP 2.0 this has changed and you log in manually using $this->Auth->login().

My question is how do I get this working for 2.0? I have some quite complicated code that does a variety of things such as handling Ajax and postback requests, locking accounts if a user tries to log in too many times, etc., so it's quite long!

As you will see, I check manually whether the account actually exists so I can show an "account not found" message before going through the authentication process if that is the case, and I also use this to lock that user's account after 5 failed attempts.

The main problem here is allowing the system to check on both usernames and email addresses for authentication. The system in place does LOCK the user if you use the email address, as it handles that in the mentioned check, but it will always fail because the authentication cannot handle it.

Hope someone can help or offer ideas or tips. Thanks.

if ($this->request->is('post'))
        {       
            $opts = array(
               'conditions'=>array(
                   'OR'=>array(
                      'User.username'=>$this->data['User']['username'],
                      'User.email'=>$this->data['User']['username']
                    )
                )
            );

            $user = $this->User->find('first', $opts);

            if(!empty($user))
            {
                if($user['User']['status'] == 0)
                {
                    if($this->request->is('ajax'))
                    {
                        $this->autoRender = false;
                        echo json_encode(array('authenticated'=>false,'error'=>__('Sorry your account is currently locked. Please reset your password.')));
                    }
                    else
                    {
                        $this->Session->setFlash(__('Sorry your account is currently locked. Please reset your password.'), 'default', array(), 'auth');
                    }
                }
                else
                {   
                    if ($this->Auth->login())
                    {   
                        if ($this->request->is('ajax'))
                        {   
                            $this->autoRender = false;
                            if(isset($this->params['url']['continue']))
                            {
                                $pathtoredirect = $this->UrlEncode->base64url_decode($this->params['url']['continue']);

                                echo json_encode(array('authenticated'=>true,'redirect'=>$pathtoredirect,'base'=>false));
                            }
                            else
                            {
                                $pathtoredirect = $this->Auth->redirect();

                                echo json_encode(array('authenticated'=>true,'redirect'=>$pathtoredirect,'base'=>true));
                            }
                        }
                        else
                        {
                            if(isset($this->params['url']['continue']))
                            {
                                $pathtoredirect = $this->UrlEncode->base64url_decode($this->params['url']['continue']);
                            }
                            else
                            {
                                $pathtoredirect = $this->Auth->redirect();
                            }
                            return $this->redirect($pathtoredirect);
                        }               
                    }
                    else
                    {               
                        if($this->Session->read('attempts'))
                        {
                            $attempts = $this->Session->read('attempts') + 1;
                        }
                        else
                        {
                            $attempts = 1;
                        }

                        $this->Session->write('attempts', $attempts);

                        if($attempts >= 5)
                        {
                            $this->User->id = $user['User']['id'];
                            $this->User->saveField('status', 0);
                            if ($this->request->is('ajax'))
                            {
                                $this->autoRender = false;
                                echo json_encode(array('authenticated'=>false,'error'=>__('Username or password is incorrect. For security reasons this account has now been locked and you must reset your password to unlock it.')));
                            }
                            else
                            {
                                $this->Session->setFlash(__('Username or password is incorrect. For security reasons this account has now been locked and you must reset your password to unlock it.'), 'default', array(), 'auth');
                            }
                        }
                        else
                        {
                            if ($this->request->is('ajax'))
                            {
                                $this->autoRender = false;
                                echo json_encode(array('authenticated'=>false,'error'=>__('Username or password is incorrect')));
                            }
                            else
                            {
                                $this->Session->setFlash(__('Username or password is incorrect'), 'default', array(), 'auth');
                            }
                        }
                    }
                }
            }
            else
            {
                if ($this->request->is('ajax'))
                {
                    $this->autoRender = false;
                    echo json_encode(array('authenticated'=>false,'error'=>__('Sorry that account does not exist.')));
                }
                else
                {
                    $this->Session->setFlash(__('Sorry that account does not exist.'), 'default', array(), 'auth');
                }
            }
        }

1 answer

  • douduan6731 2012-01-16 07:58

    I'm not sure if the AuthComponent can be configured to check for two fields automatically, but here is an alternative:

    /*
    * AppController
    */
    public function beforeFilter()
    {
        // First pass: FormAuthenticate matches the submitted value against the email column
        $this->Auth->authenticate = array('Form' => array('fields' => array('username' => 'email', 'password' => 'password')));
    }
    
    /*
    * UsersController
    */
    public function login()
    {
      if($this->request->is('post'))
      {
        $logged_in = false;
    
        // Try the email column first (the form field is named "email")
        if($this->Auth->login())
        {
          $logged_in = true;
        }
        else
        {
          // Second pass: rebuild the authenticate objects to match against the username column
          $this->Auth->authenticate = array('Form' => array('fields' => array('username' => 'username', 'password' => 'password')));
          $this->Auth->constructAuthenticate();
    
          // Copy the submitted value into the field the reconfigured authenticator reads
          $this->request->data['User']['username'] = $this->request->data['User']['email']; 
    
          if($this->Auth->login())
          {
              $logged_in = true;
          }
        }
    
        if($logged_in)
        {
          /*
           * Do what you want here
           */
        }
        else
        {
          /*
           * Do what you want here
           */
        }
      }
    }
    

    Then of course if you want to be able to perform only one test to check for both fields, you could move this code into a Component instead of calling the $this->Auth->login() method directly.

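An alternative to switching authenticators in the controller, as an added example that is not part of the original answer: a custom CakePHP 2.x authenticate object that matches the submitted value against either column in one query and keeps the failed-attempt count on the user row instead of in the session, so discarding the session cookie does not reset it. The class name and the `failed_logins` column are assumptions; `status`, the 5-attempt threshold and the `username`/`email` columns come from the question.

```php
<?php
// app/Controller/Component/Auth/UsernameOrEmailAuthenticate.php
// Added example, not code from the thread.
App::uses('FormAuthenticate', 'Controller/Component/Auth');
App::uses('AuthComponent', 'Controller/Component');

class UsernameOrEmailAuthenticate extends FormAuthenticate {

    const MAX_ATTEMPTS = 5; // same threshold as the question's code

    // Called by FormAuthenticate::authenticate() with the posted credentials.
    protected function _findUser($username, $password = null) {
        $userModel = $this->settings['userModel'];
        list(, $alias) = pluginSplit($userModel);
        $User = ClassRegistry::init($userModel);

        // One lookup: the submitted value may be a username or an email.
        $row = $User->find('first', array(
            'conditions' => array('OR' => array(
                $alias . '.username' => $username,
                $alias . '.email' => $username,
            )),
            'recursive' => -1,
        ));
        // Unknown and locked (status 0) accounts fail the same way.
        if (empty($row[$alias]) || $row[$alias]['status'] == 0) {
            return false;
        }
        $user = $row[$alias];
        $User->id = $user['id'];

        // Assumption: passwords are stored as AuthComponent::password() hashes.
        if ($user['password'] !== AuthComponent::password($password)) {
            // Assumption: failed_logins is an integer column on the users table.
            $fails = (int)$user['failed_logins'] + 1;
            $User->saveField('failed_logins', $fails);
            if ($fails >= self::MAX_ATTEMPTS) {
                $User->saveField('status', 0); // lock, as in the question
            }
            return false;
        }
        $User->saveField('failed_logins', 0);
        unset($user['password']); // keep the hash out of the session
        return $user;
    }
}

// Enable it in AppController:
// public $components = array('Auth' => array('authenticate' => array('UsernameOrEmail')));
```

With this in place the login action calls `$this->Auth->login()` once, and the form keeps a single `username` field that accepts either value.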
