[cbsecurity 2.5.0+94] [cbauth 5.0.0] Having trouble with proper authentication process.

I’m attempting to create something of a security template using cbsecurity and its default auth provider cbAuth that I can use as a basis for future apps but I’m having a bit of a problem.

During authentication using cbsecurity\modules\cbauth\models\AuthenticationService.cfc I’m questioning how to use the following steps -

if ( !getUserService().isValidCredentials( arguments.username, arguments.password ) ) {
    throw( type = "InvalidCredentials", message = "Incorrect Credentials Entered" );
}

var user = getUserService().retrieveUserByUsername( arguments.username );

In the first step it appears to be clearly looking for yes/no validation so my “isValidCredentials” function might be something like

// pseudocode from the original sketch, written out as a parameterized query
var rsUser = queryExecute(
    "SELECT ID FROM appUser WHERE username = :username AND password = :password",
    { username = arguments.username, password = arguments.password }
);
return rsUser.recordCount > 0;

This would satisfy the yes/no sounding nature of “isValidCredentials” but the very next line is -

var user = getUserService().retrieveUserByUsername( arguments.username );

No user object has been created yet to retrieve, so it seems I have two options. Wondering if one or the other is intended or if there is perhaps a third option of "I'm way off track".

Option 1 -

Treat “isValidCredentials” as more than simple validation of credentials with something like -

if ( rsUser.recordCount ) {
    // populate the user object here
    return true;
} else {
    return false;
}

Option 2 -
Let "retrieveUserByUsername" have expanded capability so that, if a user object is not found, it builds one before returning, like so:

var oUser = wirebox.getInstance( "User" );
if ( oUser.getUserName() != arguments.username ) {
    var rsUserInfo = UserData.GetByUserName(
        username = arguments.username
    );
    populator.populateFromQuery( target = oUser, qry = rsUserInfo, ignoreEmpty = true );
}
return oUser;

#1 seems like maybe/kinda/sorta the intent, but based on the name I'm thinking I'm off track there.

#2 seems dangerous as I would be populating a user object based solely on the username. I've looked and I don't see anywhere I could be calling it in a non-secure fashion, but still.

The thing that really makes me think I'm off track is the whole idea of "retrieveUserByUsername" in the first place. If I'm logging someone in and then getting the user object, why isn't it just "retrieveUser"? I can't think of any circumstances where it would be anything but the logged-in user. I do remember something about impersonating a user or something, so maybe that's it?

Lastly, does anyone know of a complete-ish example of using this security module? I found one very recent one but he appears to be setting two user objects in the variables scope of his UserService on initialization and then returning whichever one based on “retrieveUserByUsername” call which then gets loaded and used in request scope. I’m looking to figure out a more “real-world”-ish method of when/how to set the user object in session per the above.

Thank you!
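The following is an added example of a user service that keeps the two steps the post asks about separate: a yes/no credential check and an independent lookup by username. It is not code from the original post, from cbauth, or from cbsecurity. It assumes the cbauth 5 user-service contract consists of isValidCredentials(), retrieveUserByUsername() and retrieveUserById() (check this against the module's own interface), a transient User.cfc registered in WireBox that exposes getId(), and a table appUser with columns id, username, email, passwordHash and passwordSalt; all of those names, the PBKDF2 parameters, and the use of the built-in generatePBKDFKey() (ACF 11+ / Lucee 5.3+) are assumptions of this example.

```cfml
// UserService.cfc (added example; names and schema are assumptions, see lead-in)
component singleton {

    property name="wirebox"   inject="wirebox";
    property name="populator" inject="wirebox:populator";

    // Step 1: a pure yes/no answer. Nothing is loaded, cached or stored here,
    // so the service holds no per-request user state.
    boolean function isValidCredentials( required string username, required string password ) {
        var q = queryExecute(
            "SELECT passwordHash, passwordSalt FROM appUser WHERE username = :username",
            { username = { value = arguments.username, cfsqltype = "cf_sql_varchar" } }
        );
        if ( !q.recordCount ) {
            return false;
        }
        var candidate = hashPassword( arguments.password, q.passwordSalt );
        return constantTimeEquals( candidate, q.passwordHash );
    }

    // Step 2: a lookup by username that does not depend on step 1 having run.
    // It is a plain query, so calling it is only as "secure" as the caller
    // that decides to trust the returned user (cbauth, after step 1 passed).
    any function retrieveUserByUsername( required string username ) {
        var q = queryExecute(
            "SELECT id, username, email FROM appUser WHERE username = :username",
            { username = { value = arguments.username, cfsqltype = "cf_sql_varchar" } }
        );
        return buildUser( q );
    }

    // Assumed third method of the contract: used to rehydrate the user on later
    // requests from the id kept in the session, without re-checking credentials.
    any function retrieveUserById( required any id ) {
        var q = queryExecute(
            "SELECT id, username, email FROM appUser WHERE id = :id",
            { id = { value = arguments.id, cfsqltype = "cf_sql_integer" } }
        );
        return buildUser( q );
    }

    // Always a fresh transient User per call; never a user kept in variables scope.
    private any function buildUser( required query q ) {
        var user = wirebox.getInstance( "User" ); // assumed transient User.cfc
        if ( arguments.q.recordCount ) {
            populator.populateFromQuery( target = user, qry = arguments.q, ignoreEmpty = true );
        }
        return user;
    }

    // PBKDF2 with a per-user salt; iteration count and key size are assumptions.
    private string function hashPassword( required string password, required string salt ) {
        return generatePBKDFKey( "PBKDF2WithHmacSHA256", arguments.password, arguments.salt, 100000, 256 );
    }

    // Compare the two encoded hashes without short-circuiting on the first differing byte.
    private boolean function constantTimeEquals( required string a, required string b ) {
        if ( len( arguments.a ) != len( arguments.b ) ) {
            return false;
        }
        var diff = 0;
        for ( var i = 1; i <= len( arguments.a ); i++ ) {
            diff = bitOr( diff, bitXor( asc( mid( arguments.a, i, 1 ) ), asc( mid( arguments.b, i, 1 ) ) ) );
        }
        return diff == 0;
    }

}
```

With this layout, isValidCredentials() stays a pure boolean check (the post's reading of the first step), and retrieveUserByUsername() is just a lookup that cbauth calls immediately after a successful check; the "by username" name makes sense once the same service also has to find users by id on later requests, where no password is involved at all.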