refactor authentication configuration and update deprecation warnings

Author: arodu

config/users.php

@@ -210,13 +210,34 @@
             'Form' => [
                 'className' => 'CakeDC/Auth.Form',
                 'urlChecker' => 'Authentication.CakeRouter',
+                'identifier' => [
+                    'Authentication.Password' => [
+                        'fields' => [
+                            'username' => ['username', 'email'],
+                            'password' => 'password',
+                        ],
+                        'resolver' => [
+                            'className' => 'Authentication.Orm',
+                            'finder' => 'active',
+                        ],
+                    ],
+                ],
             ],
             'Token' => [
                 'className' => 'Authentication.Token',
                 'skipTwoFactorVerify' => true,
                 'header' => null,
                 'queryParam' => 'api_key',
                 'tokenPrefix' => null,
+                'identifier' => [
+                    'Authentication.Token' => [
+                        'tokenField' => 'api_token',
+                        'resolver' => [
+                            'className' => 'Authentication.Orm',
+                            'finder' => 'active',
+                        ],
+                    ],
+                ],
             ],
             'Cookie' => [
                 'className' => 'CakeDC/Auth.Cookie',
@@ -231,6 +252,11 @@
             'Social' => [
                 'className' => 'CakeDC/Users.Social',
                 'skipTwoFactorVerify' => true,
+                'identifier' => [
+                    'CakeDC/Users.Social' => [
+                        'authFinder' => 'active',
+                    ],
+                ],
             ],
             'SocialPendingEmail' => [
                 'className' => 'CakeDC/Users.SocialPendingEmail',
@@ -244,31 +270,6 @@
                 ],
             ]
         ],
-        'Identifiers' => [
-            'Password' => [
-                'className' => 'Authentication.Password',
-                'fields' => [
-                    'username' => ['username', 'email'],
-                    'password' => 'password',
-                ],
-                'resolver' => [
-                    'className' => 'Authentication.Orm',
-                    'finder' => 'active',
-                ],
-            ],
-            'Social' => [
-                'className' => 'CakeDC/Users.Social',
-                'authFinder' => 'active',
-            ],
-            'Token' => [
-                'className' => 'Authentication.Token',
-                'tokenField' => 'api_token',
-                'resolver' => [
-                    'className' => 'Authentication.Orm',
-                    'finder' => 'active',
-                ],
-            ],
-        ],
         'Authorization' => [
             'enable' => true,
             'serviceLoader' => \CakeDC\Users\Loader\AuthorizationServiceLoader::class,

src/Controller/Component/LoginComponent.php

@@ -165,7 +165,7 @@ protected function afterIdentifyUser($user)
             $userId = $user['id'] ?? null;
             Log::info(
                 "Unsafe redirect `$queryRedirect` ignored, user id `{$userId}` " .
-                "redirected to `$redirectUrl` after successful login",
+                    "redirected to `$redirectUrl` after successful login",
             );
             $queryRedirect = $redirectUrl;
         }
@@ -188,22 +188,20 @@ protected function afterIdentifyUser($user)
      */
     protected function handlePasswordRehash($service, $user, \Cake\Http\ServerRequest $request)
     {
-        $indentifiersNames = (array)Configure::read('Auth.PasswordRehash.identifiers');
-        foreach ($indentifiersNames as $indentifierName) {
-            /**
-             * @var \Authentication\Identifier\AbstractIdentifier|null $checker
-             */
-            $checker = $service->identifiers()->get($indentifierName);
-            if (!$checker || method_exists($checker, 'needsPasswordRehash') && !$checker->needsPasswordRehash()) {
-                continue;
-            }
-            $passwordField = $checker->getConfig('fields.password', 'password');
-            $password = $request->getData($passwordField);
-            $user->set($passwordField, $password);
-            $user->setDirty('modified');
-            $this->getController()->getUsersTable()->save($user);
-            break;
+        /**
+         * @var \Authentication\Identifier\AbstractIdentifier|null $checker
+         */
+        $checker = $service->getIdentificationProvider();
+
+        if (!$checker || method_exists($checker, 'needsPasswordRehash') && !$checker->needsPasswordRehash()) {
+            return;
         }
+
+        $passwordField = $checker->getConfig('fields.password', 'password');
+        $password = $request->getData($passwordField);
+        $user->set($passwordField, $password);
+        $user->setDirty('modified');
+        $this->getController()->getUsersTable()->save($user);
     }
 
     /**

src/Loader/AuthenticationServiceLoader.php

@@ -52,6 +52,18 @@ public function __invoke(ServerRequestInterface $request)
     protected function loadIdentifiers($service)
     {
         $identifiers = Configure::read('Auth.Identifiers');
+
+        if (empty($identifiers)) {
+            return;
+        }
+
+        deprecationWarning(
+            '15.2.0',
+            'Configuring identifiers globally via `Auth.Identifiers` is deprecated. ' .
+                'Please move each identifier\'s configuration into the `identifier` key within its specific authenticator under `Auth.Authenticators`. ' .
+                'For example, the `Auth.Identifiers.Password` configuration should now be placed inside `Auth.Authenticators.Form.identifier`.'
+        );
+
         foreach ($identifiers as $key => $item) {
             [$identifier, $options] = $this->_getItemLoadData($item, $key);