CakePHP perform Auth before Constructing Models?

3
votes

In my CakePHP application I have multi-tenancy which is provided through isolated databases (each tenant has their own, tenant-specific database).

There is also a 'global' database which contains users and tenancy information. The 'tenants' table contains the name of which database the particular tenant occupies. Each user contains a single tenant_id.

Structure:

global_db:
    users (contains tenant_id foreign key)
    tenants (contains tenant-specific database name, ie: 'isolated_tenant1_db')

isolated_tenant1_db:
    orders
    jobs
    customers

isolated_tenant2_db:
    orders
    jobs
    customers

This system works correctly when the user is logged in via forms / sessions. When they login through /Users/login their tenancy is verified, stored in Session, and database parameters are loaded so their own 'isolated' models can use this dynamic connection.

However, issues arise when the user tries to login via Basic Auth, and directly request the controller function they want to access. For example /Orders/view/1.xml. In this case, CakePHP attempts to construct the 'Order' Model before the user has been logged in, and therefore before any tenancy information is available - which means it has no idea what database to connect to in order to access orders.

From putting debug() statements around the place I can see that the order in which models / controllers / auth are constructed / executed is as follows (when executing /Orders/view/1.xml):

  1. Model __construct: User
  2. Controller __construct: OrdersController
  3. Model __construct: Permission
  4. Model __construct: Order
  5. function: OrdersController/beforeFilter
  6. AuthComponent __startup
  7. Model __construct: Models related to Order

My problem is that AuthComponent::_startup is executed after Order Model has been constructed. I need to attempt to login the user (and get their database information) before this 'Order' model is constructed.

Questions:

  • What causes the User model to be constructed before anything else? (I also have the default CakePHP ACL enabled)
  • Where in the App can I put a call to Auth->login() to attempt login if the request contains BasicAuth headers, that will be executed prior to trying to load tenant-specific models? I assume putting this inside User __construct is a very bad idea.

== UPDATE 01/05/2014 == Inserting code samples.

bootstrap.php: Checks whether the request is being made to api. subdomain:

// Determine whether the request is coming from the api.* subdomain, and if so set the API_REQUEST define to true. 
if (preg_match('/^api\./i',$_SERVER['HTTP_HOST']))
{
    define('API_REQUEST',true);

    // Any links generated (in emails etc), will contain the full base url. If a cron job logged in via the API is generating
    // those e-mails, then users will receive links to api.mydomain, instead of just mydomain.
    $full_base_url = Router::fullBaseUrl();
    $new_full_base_url = preg_replace('/\/\/api\./i', '//', $full_base_url);
    Router::fullBaseUrl($new_full_base_url);
    CakeLog::write('auth_base_url_debug', 'modified fullbaseurl from ' . $full_base_url . ' to ' . $new_full_base_url);
}
else
{
    define('API_REQUEST',false);
}

AppController.php:

public $components = array(
            'Security',
            'Session',
            'Acl',
            'Auth' => array(
                    'className' => 'ExtendedAuth',
                    'authenticate' => array(
                            'FormAlias',
                    ),
                    'authorize' => array(
                            'Actions' => array('actionPath' => 'controllers')
                    ),
                    'loginRedirect' => array('controller' => 'Consignments', 'action' => 'index'),
                    'logoutRedirect' => array('controller' => 'Users', 'action' => 'login'),
            ),
            //'Users.RememberMe',
    );

function beforeFilter() 
{
// Reroute all requests to API subdomain (ie: api.mydomain) to api_ prefixed actions.
        // Also, enable Basic Authentication if the user is accessing via api.*
        // If login fails, return 401 error instead of 302 redirect to login page.
        if(API_REQUEST == true)
        {   
            $this->params['action'] = 'api_'.$this->params['action'];   // prefix the actions with api_

            $this->Auth->authenticate = array('BasicAlias');            // Switch to using Basic Authentication

            if($this->Auth->login() == false)                           // Attempt Basic Auth Login
            {   // Login failed
                CakeLog::write('auth_api', 'Unauthorized API request to: ' . $this->params['action']);
                header("HTTP/1.0 401 Unauthorized");                    // Force returning an Unauthorized header (401)
                exit;                                                   // MUST BE CALLED TO PREVENT 302 BEING SENT!
            }
        }
}

It is important to note that BasicAlias Auth Component is not included in the $components within AppController, but used dynamically if the request is to the api.* subdomain. However, the order in which classes are constructed has no effect whether BasicAlias AuthComponent is included in $components, or used dynamically as shown above.

AppModel:

function __construct($id = false, $table = null, $ds = null)
{       
    if(($ds == null) && ($this->use_tenant_database == true))
    {           
        // Create a connection to the tenants database and configure model to use this connection.          
        $Tenant = ClassRegistry::init('Tenant');

        $db_name = $Tenant->checkAndCreateTenantDatabaseConnectionForCurrentUser();

        if($db_name == false)
        {
            header("HTTP/1.0 500 Server Error");                    // Force returning a Server Error Header (500)
            debug('AppModel::$db_name = false, unable to proceed');
            CakeLog::write('tenant_error', 'db_name = false, unable to connect.');
            exit;                                                   // MUST BE CALLED TO PREVENT 302 BEING SENT!
        }

        // Point model to the tenant database connection:
        $this->useDbConfig = $db_name;
    }

    parent::__construct($id, $table, $ds);
}

And then within any models which use a specific tenant database:

class Order extends AppModel
{
    var $use_tenant_database = true;
        ...
}

Tenant.php:

/**
     * Check whether a connection to the current users tenant database has already been created and if so, return its name.
     * Otherwise, create the connection and return its name.
     * 
     * @return boolean|Ambigous <mixed, multitype:, NULL, array, boolean>
     */
    public function checkAndCreateTenantDatabaseConnectionForCurrentUser()
    {
        // Check whether we have the tenants database connection information available in the Configure variable:
        if(Configure::check('Tenant.db_name') == true)
        {   // the db_config is available in configure, use it!
            $db_name = Configure::read('Tenant.db_name');
        }
        else
        {   // The tenants db_name has not been set in the configure variable, we need to create a database connection and then
            // set the configure variable.
            $tenant_id = $this->getCurrentUserTenantId();

            if($tenant_id == null)
            {   // Unable to resolve the tenant_id, instead, connect to the default database.
                debug('TRIED TO CONSTRUCT MODEL WITHOUT KNOWING TENANT DATABASE!!'); 
                            exit;
            }

            $db_name = $this->TenantDatabase->createConnection($tenant_id);

            if($db_name == false)
            {   // The database connection could not be created.
                CakeLog::write('tenant_error', 'unable to find the database name for tenant_id: ' . $tenant_id);
                return false;
            }

            Configure::write('Tenant.db_name', $db_name);
        }

        return $db_name;
    }

So, if the user requests a URL for example: http://api.mydomain.com/Orders/getAllPendingOrders Where they have supplied BASIC auth credentials along with the request, then what happens is that classes are constructed / executed in the following order:

  1. Model __construct: User
  2. Controller __construct: OrdersController
  3. Model __construct: Permission
  4. Model __construct: Order
  5. Model __construct: Tenant
  6. Model __construct: TenantDatabase
  7. function: OrdersController/beforeFilter
  8. AuthComponent __startup --> This then performs the login.
  9. Model __construct: other models.

The problem is: Order.php is being constructed the user has been logged in, which means when the code in AppModel.php is executed:

$db_name = $Tenant->checkAndCreateTenantDatabaseConnectionForCurrentUser();

It is unable to determine the users current tenancy.

I need to find out a workaround for this, either by somehow performing the login BEFORE Order.php is constructed, or hacking it so that if you attempt to construct a model which has $use_tenant_database = true, and the user is not logged in, then BasicAuth is performed at this point to try and login the user.. however this feels wrong to me.

3
cakephpcakephp-2.4
Models are created upon first access. Which means given the information in the question tyst there are direct or indirect refererences to the order model in the beforeFilter. Know that you can redefine the datasource at any time and that will take effect from then on. For a specific answer you need to show your code. - AD7six
@AD7six Thanks for your response, and I think you may be right, however this seems like quite a strange hack as it would require you to loop through everything in the ClassRegistry and adjust the datasource for all constructed models. Ideally AuthComponent could execute prior to OrdersController being constructed, however I am unsure if this is something that can be done. - user984976
@AD7six Sorry I was away on an easter vacation without eclipse so I couldn't produce a whole bunch of code samples until today as I have now returned. I have updated the original post, any feedback / comments would be much appreciated. - user984976
That's much more useful. two things: 1) Unless you are creating it in your bootstrap, the user model is not being instanciated before your controller 2) if you put debug(Debugger::trace()) in your Order model - you'll see you are first accessing it it from the Acl component probably - the acl component doesn't do anything unless you call it, the code responsible for first access to the Order model should be in the question if it isn't already. It'd be useful to have those two points confirmed before going into details on how better to do what you're doing. - AD7six
Ok, modified as per request. - user984976

3 Answers

3
votes

You might want to have a look at Authorization (who’s allowed to access what) portion in Cake's documentation. Specifically look at the isAuthorized function and how it works.

You might need something like this in your Orders controller:

// app/Controller/OrdersController.php

public function isAuthorized($user) {
    // All registered users can add posts
    if ($this->action === 'add') {
        return true;
    }

    // The owner of an order can edit and delete it
    if (in_array($this->action, array('edit', 'delete'))) {
        $orderId = (int) $this->request->params['pass'][0];
        if ($this->Order->isOwnedBy($orderId, $user['id'])) {
            return true;
        }
    }

    return parent::isAuthorized($user);
}
0
votes

Implement your logic in before filter Request Life-cycle callback in the app controller.

Controller::beforeFilter() : This function is executed before every action in the controller. It’s a handy place to check for an active session or inspect user permissions.

http://book.cakephp.org/2.0/en/controllers.html

0
votes

It turns out these models were being constructed by the 'Search.Prg' plugin, a CakeDC plugin for handling search / filtering of results. The initialize() function within the component was being executed and causing the model to be constructed prior to the user being logged in.

The way in which this was solved was to move the Basic Auth check / login process from AppController beforeFilter to ExtendedAuthComponent (my own custom authenciation component) initialize function. The end code was this:

ExtendedAuthComponent.php

public function initialize(Controller $controller) 
    {
        parent::initialize($controller);    // Call parent initialization first, this sets up request and response variables.
        $this->controller = $controller;

        // Reroute all requests to API subdomain (ie: api.rms.roving.net.au) to api_ prefixed actions.
        // Also, enable Basic Authentication if the user is accessing via api.*
        // If login fails, return 401 error instead of 302 redirect to login page.
        if(API_REQUEST == true)
        {   
            $controller->params['action'] = 'api_'.$controller->params['action'];   // prefix the actions with api_

            if($this->loggedIn() == false)                                  // Attempt Basic Auth Login
            {   // Login failed
                $this->authenticate = array('BasicAlias');                  // Switch to using Basic Authentication
                if($this->login() == false)
                {
                    CakeLog::write('auth_api', 'Unauthorized API request to: ' . $this->params['action']);
                    header("HTTP/1.0 401 Unauthorized");                    // Force returning an Unauthorized header (401)
                    exit;                                                   // MUST BE CALLED TO PREVENT 302 BEING SENT!
                }
            }
        }
    }

This causes the user to be logged in via Basic Auth before the Search.Prg components initialize() function is run, which means the users tenancy is determined before the model(s) are constructed, solving the problem.