refactor: move config items

UPGRADING.md

@@ -2,7 +2,9 @@
 
 ## Version 1.0.0-beta.6 to 1.0.0-beta.7
 
-### Install New Config AuthToken.php
+### Mandatory Config Changes
+
+#### New Config\AuthToken
 
 A new Config file **AuthToken.php** has been introduced. Run `php spark shield:setup`
 again to install it into **app/Config/**, or install it manually.
@@ -11,6 +13,16 @@ Then change the default settings as necessary. When using Token authentication,
 the default value has been changed from all accesses to be recorded in the
 ``token_logins`` table to only accesses that fail authentication to be recorded.
 
+#### Config\Auth
+
+The following items have been moved. They are no longer used and should be removed.
+
+- `$authenticatorHeader` and `$unusedTokenLifetime` are moved to `Config\AuthToken`.
+
+The following items have been added. Copy the properties in **src/Config/Auth.php**.
+
+- `$usernameValidationRules` and `$emailValidationRules` are added.
+
 ## Version 1.0.0-beta.3 to 1.0.0-beta.4
 
 ### Important Password Changes

docs/addons/jwt.md

@@ -215,7 +215,7 @@ class LoginController extends BaseController
         return setting('Validation.login') ?? [
             'email' => [
                 'label' => 'Auth.email',
-                'rules' => config(AuthSession::class)->emailValidationRules,
+                'rules' => config('Auth')->emailValidationRules,
             ],
             'password' => [
                 'label'  => 'Auth.password',

docs/getting_started/configuration.md

@@ -20,7 +20,7 @@ This section describes the major Config items that are not described elsewhere.
 
 ### Access Token Lifetime
 
-By default, Access Tokens can be used for 1 year since the last use. This can be easily modified in the **app/Config/Auth.php** config file.
+By default, Access Tokens can be used for 1 year since the last use. This can be easily modified in the **app/Config/AuthToken.php** config file.
 
 ```php
 public int $unusedTokenLifetime = YEAR;

docs/guides/api_hmac_keys.md

@@ -10,7 +10,7 @@ API. When making requests using HMAC keys, the token should be included in the `
 
 > **Note**
 > By default, `$authenticatorHeader['hmac']` is set to `Authorization`. You can change this value by
-> setting the `$authenticatorHeader['hmac']` value in the **app/Config/Auth.php** config file.
+> setting the `$authenticatorHeader['hmac']` value in the **app/Config/AuthToken.php** config file.
 
 Tokens are issued with the `generateHmacToken()` method on the user. This returns a
 `CodeIgniter\Shield\Entities\AccessToken` instance. These shared keys are saved to the database in plain text. The

docs/guides/api_tokens.md

@@ -3,7 +3,7 @@
 Access Tokens can be used to authenticate users for your own site, or when allowing third-party developers to access your API. When making requests using access tokens, the token should be included in the `Authorization` header as a `Bearer` token.
 
 > **Note**
-> By default, `$authenticatorHeader['tokens']` is set to `Authorization`. You can change this value by setting the `$authenticatorHeader['tokens']` value in the **app/Config/Auth.php** config file.
+> By default, `$authenticatorHeader['tokens']` is set to `Authorization`. You can change this value by setting the `$authenticatorHeader['tokens']` value in the **app/Config/AuthToken.php** config file.
 
 Tokens are issued with the `generateAccessToken()` method on the user. This returns a `CodeIgniter\Shield\Entities\AccessToken` instance. Tokens are hashed using a SHA-256 algorithm before being saved to the database. The access token returned when you generate it will include a `raw_token` field that contains the plain-text, un-hashed, token. You should display this to your user at once so they have a chance to copy it somewhere safe, as this is the only time this will be available. After this request, there is no way to get the raw token.
 

docs/guides/mobile_apps.md

@@ -26,7 +26,7 @@ class LoginController extends BaseController
         $rules = setting('Validation.login') ?? [
             'email' => [
                 'label' => 'Auth.email',
-                'rules' => config('AuthSession')->emailValidationRules,
+                'rules' => config('Auth')->emailValidationRules,
             ],
             'password' => [
                 'label' => 'Auth.password',
@@ -70,6 +70,6 @@ When making all future requests to the API, the mobile client should return the
 
 > **Note**
 >
-> By default, `$authenticatorHeader['tokens']` is set to `Authorization`. You can change the header name by setting the `$authenticatorHeader['tokens']` value in the **app/Config/Auth.php** config file.
+> By default, `$authenticatorHeader['tokens']` is set to `Authorization`. You can change the header name by setting the `$authenticatorHeader['tokens']` value in the **app/Config/AuthToken.php** config file.
 >
 > e.g. if `$authenticatorHeader['tokens']` is set to `PersonalAccessCodes` then the mobile client should return the raw token in the `PersonalAccessCodes` header as a `Bearer` token.

docs/references/authentication/hmac.md

@@ -117,7 +117,7 @@ HMAC Keys/Tokens will expire after a specified amount of time has passed since t
 This uses the same configuration value as AccessTokens.
 
 By default, this is set to 1 year. You can change this value by setting the `$unusedTokenLifetime`
-value in the `Auth` config file. This is in seconds so that you can use the
+value in the **app/Config/AuthToken.php** config file. This is in seconds so that you can use the
 [time constants](https://codeigniter.com/user_guide/general/common_functions.html#time-constants)
 that CodeIgniter provides.
 

docs/references/authentication/tokens.md

@@ -81,7 +81,7 @@ $tokens = $user->accessTokens();
 
 Tokens will expire after a specified amount of time has passed since they have been used.
 By default, this is set to 1 year. You can change this value by setting the `$unusedTokenLifetime`
-value in the `Auth` config file. This is in seconds so that you can use the
+value in the **app/Config/AuthToken.php** config file. This is in seconds so that you can use the
 [time constants](https://codeigniter.com/user_guide/general/common_functions.html#time-constants)
 that CodeIgniter provides.
 

src/Authentication/Authenticators/AccessTokens.php

@@ -124,7 +124,10 @@ public function check(array $credentials): Result
         if (! array_key_exists('token', $credentials) || empty($credentials['token'])) {
             return new Result([
                 'success' => false,
-                'reason'  => lang('Auth.noToken', [config('Auth')->authenticatorHeader['tokens']]),
+                'reason'  => lang(
+                    'Auth.noToken',
+                    [config('AuthToken')->authenticatorHeader['tokens']]
+                ),
             ]);
         }
 
@@ -149,7 +152,9 @@ public function check(array $credentials): Result
         // Hasn't been used in a long time
         if (
             $token->last_used_at
-            && $token->last_used_at->isBefore(Time::now()->subSeconds(config('Auth')->unusedTokenLifetime))
+            && $token->last_used_at->isBefore(
+                Time::now()->subSeconds(config('AuthToken')->unusedTokenLifetime)
+            )
         ) {
             return new Result([
                 'success' => false,
@@ -188,7 +193,9 @@ public function loggedIn(): bool
         $request = service('request');
 
         return $this->attempt([
-            'token' => $request->getHeaderLine(config('Auth')->authenticatorHeader['tokens']),
+            'token' => $request->getHeaderLine(
+                config('AuthToken')->authenticatorHeader['tokens']
+            ),
         ])->isOK();
     }
 
@@ -246,7 +253,7 @@ public function getBearerToken(): ?string
         /** @var IncomingRequest $request */
         $request = service('request');
 
-        $header = $request->getHeaderLine(config('Auth')->authenticatorHeader['tokens']);
+        $header = $request->getHeaderLine(config('AuthToken')->authenticatorHeader['tokens']);
 
         if (empty($header)) {
             return null;

src/Authentication/Authenticators/HmacSha256.php

@@ -124,7 +124,10 @@ public function check(array $credentials): Result
         if (! array_key_exists('token', $credentials) || $credentials['token'] === '') {
             return new Result([
                 'success' => false,
-                'reason'  => lang('Auth.noToken', [config('Auth')->authenticatorHeader['hmac']]),
+                'reason'  => lang(
+                    'Auth.noToken',
+                    [config('AuthToken')->authenticatorHeader['hmac']]
+                ),
             ]);
         }
 
@@ -161,7 +164,9 @@ public function check(array $credentials): Result
         // Hasn't been used in a long time
         if (
             isset($token->last_used_at)
-            && $token->last_used_at->isBefore(Time::now()->subSeconds(config('Auth')->unusedTokenLifetime))
+            && $token->last_used_at->isBefore(
+                Time::now()->subSeconds(config('AuthToken')->unusedTokenLifetime)
+            )
         ) {
             return new Result([
                 'success' => false,
@@ -200,7 +205,9 @@ public function loggedIn(): bool
         $request = service('request');
 
         return $this->attempt([
-            'token' => $request->getHeaderLine(config('Auth')->authenticatorHeader['hmac']),
+            'token' => $request->getHeaderLine(
+                config('AuthToken')->authenticatorHeader['hmac']
+            ),
         ])->isOK();
     }
 
@@ -260,7 +267,7 @@ public function getFullHmacToken(): ?string
         /** @var IncomingRequest $request */
         $request = service('request');
 
-        $header = $request->getHeaderLine(config('Auth')->authenticatorHeader['hmac']);
+        $header = $request->getHeaderLine(config('AuthToken')->authenticatorHeader['hmac']);
 
         if ($header === '') {
             return null;

src/Config/Auth.php

@@ -20,14 +20,21 @@
 
 class Auth extends BaseConfig
 {
+    /**
+     * ////////////////////////////////////////////////////////////////////
+     * AUTHENTICATION
+     * ////////////////////////////////////////////////////////////////////
+     */
+
+    // Constants for Record Login Attempts. Do not change.
     public const RECORD_LOGIN_ATTEMPT_NONE    = 0; // Do not record at all
     public const RECORD_LOGIN_ATTEMPT_FAILURE = 1; // Record only failures
     public const RECORD_LOGIN_ATTEMPT_ALL     = 2; // Record all login attempts
 
     /**
-     * ////////////////////////////////////////////////////////////////////
-     * AUTHENTICATION
-     * ////////////////////////////////////////////////////////////////////
+     * --------------------------------------------------------------------
+     * View files
+     * --------------------------------------------------------------------
      */
     public array $views = [
         'login'                       => '\CodeIgniter\Shield\Views\login',
@@ -43,49 +50,12 @@ class Auth extends BaseConfig
         'magic-link-email'            => '\CodeIgniter\Shield\Views\Email\magic_link_email',
     ];
 
-    /**
-     * --------------------------------------------------------------------
-     * Customize the DB group used for each model
-     * --------------------------------------------------------------------
-     */
-    public ?string $DBGroup = null;
-
-    /**
-     * --------------------------------------------------------------------
-     * Customize Name of Shield Tables
-     * --------------------------------------------------------------------
-     * Only change if you want to rename the default Shield table names
-     *
-     * It may be necessary to change the names of the tables for
-     * security reasons, to prevent the conflict of table names,
-     * the internal policy of the companies or any other reason.
-     *
-     * - users                  Auth Users Table, the users info is stored.
-     * - auth_identities        Auth Identities Table, Used for storage of passwords, access tokens, social login identities, etc.
-     * - auth_logins            Auth Login Attempts, Table records login attempts.
-     * - auth_token_logins      Auth Token Login Attempts Table, Records Bearer Token type login attempts.
-     * - auth_remember_tokens   Auth Remember Tokens (remember-me) Table.
-     * - auth_groups_users      Groups Users Table.
-     * - auth_permissions_users Users Permissions Table.
-     *
-     * @var array<string, string>
-     */
-    public array $tables = [
-        'users'             => 'users',
-        'identities'        => 'auth_identities',
-        'logins'            => 'auth_logins',
-        'token_logins'      => 'auth_token_logins',
-        'remember_tokens'   => 'auth_remember_tokens',
-        'groups_users'      => 'auth_groups_users',
-        'permissions_users' => 'auth_permissions_users',
-    ];
-
     /**
      * --------------------------------------------------------------------
      * Redirect URLs
      * --------------------------------------------------------------------
      * The default URL that a user will be redirected to after various auth
-     * auth actions. This can be either of the following:
+     * actions. This can be either of the following:
      *
      * 1. An absolute URL. E.g. http://example.com OR https://example.com
      * 2. A named route that can be accessed using `route_to()` or `url_to()`
@@ -139,28 +109,6 @@ class Auth extends BaseConfig
         // 'jwt'     => JWT::class,
     ];
 
-    /**
-     * --------------------------------------------------------------------
-     * Name of Authenticator Header
-     * --------------------------------------------------------------------
-     * The name of Header that the Authorization token should be found.
-     * According to the specs, this should be `Authorization`, but rare
-     * circumstances might need a different header.
-     */
-    public array $authenticatorHeader = [
-        'tokens' => 'Authorization',
-        'hmac'   => 'Authorization',
-    ];
-
-    /**
-     * --------------------------------------------------------------------
-     * Unused Token Lifetime
-     * --------------------------------------------------------------------
-     * Determines the amount of time, in seconds, that an unused
-     * access token can be used.
-     */
-    public int $unusedTokenLifetime = YEAR;
-
     /**
      * --------------------------------------------------------------------
      * Default Authenticator
@@ -201,7 +149,7 @@ class Auth extends BaseConfig
      * Record Last Active Date
      * --------------------------------------------------------------------
      * If true, will always update the `last_active` datetime for the
-     * logged in user on every page request.
+     * logged-in user on every page request.
      * This feature only works when session/tokens filter is active.
      *
      * @see https://codeigniter4.github.io/shield/install/#protect-all-pages for set filters.
@@ -250,6 +198,33 @@ class Auth extends BaseConfig
         'rememberLength'     => 30 * DAY,
     ];
 
+    /**
+     * --------------------------------------------------------------------
+     * The validation rules for username
+     * --------------------------------------------------------------------
+     *
+     * @var string[]
+     */
+    public array $usernameValidationRules = [
+        'required',
+        'max_length[30]',
+        'min_length[3]',
+        'regex_match[/\A[a-zA-Z0-9\.]+\z/]',
+    ];
+
+    /**
+     * --------------------------------------------------------------------
+     * The validation rules for email
+     * --------------------------------------------------------------------
+     *
+     * @var string[]
+     */
+    public array $emailValidationRules = [
+        'required',
+        'max_length[254]',
+        'valid_email',
+    ];
+
     /**
      * --------------------------------------------------------------------
      * Minimum Password Length
@@ -393,6 +368,44 @@ class Auth extends BaseConfig
      * OTHER SETTINGS
      * ////////////////////////////////////////////////////////////////////
      */
+
+    /**
+     * --------------------------------------------------------------------
+     * Customize the DB group used for each model
+     * --------------------------------------------------------------------
+     */
+    public ?string $DBGroup = null;
+
+    /**
+     * --------------------------------------------------------------------
+     * Customize Name of Shield Tables
+     * --------------------------------------------------------------------
+     * Only change if you want to rename the default Shield table names
+     *
+     * It may be necessary to change the names of the tables for
+     * security reasons, to prevent the conflict of table names,
+     * the internal policy of the companies or any other reason.
+     *
+     * - users                  Auth Users Table, the users info is stored.
+     * - auth_identities        Auth Identities Table, Used for storage of passwords, access tokens, social login identities, etc.
+     * - auth_logins            Auth Login Attempts, Table records login attempts.
+     * - auth_token_logins      Auth Token Login Attempts Table, Records Bearer Token type login attempts.
+     * - auth_remember_tokens   Auth Remember Tokens (remember-me) Table.
+     * - auth_groups_users      Groups Users Table.
+     * - auth_permissions_users Users Permissions Table.
+     *
+     * @var array<string, string>
+     */
+    public array $tables = [
+        'users'             => 'users',
+        'identities'        => 'auth_identities',
+        'logins'            => 'auth_logins',
+        'token_logins'      => 'auth_token_logins',
+        'remember_tokens'   => 'auth_remember_tokens',
+        'groups_users'      => 'auth_groups_users',
+        'permissions_users' => 'auth_permissions_users',
+    ];
+
     /**
      * --------------------------------------------------------------------
      * User Provider