Helper autoloading has been changed to be done by CodeIgniter's autoloader instead of Composer.
So you need to update the settings. Run php spark shield:setup again, and the
following steps will be done.
-
Add
authandsettingto the$helpersarray in app/Config/Autoload.php:public $helpers = ['auth', 'setting'];
-
Remove the following code in the
initController()method in `app/Controllers/BaseController.php:$this->helpers = array_merge($this->helpers, ['setting']);
The following items have been added. Copy the properties in src/Config/Auth.php.
permission_deniedandgroup_deniedare added toConfig\Auth::$redirects.permissionDeniedRedirect()andgroupDeniedRedirect()are added.
If you have written a custom filter that extends AbstractAuthFilter, now you need to add and implement the redirectToDeniedUrl() method to your custom filter.
The following example is related to the above explanation for group filter.
/**
* If the user does not belong to the group, redirect to the configured URL with an error message.
*/
protected function redirectToDeniedUrl(): RedirectResponse
{
return redirect()->to(config('Auth')->groupDeniedRedirect())
->with('error', lang('Auth.notEnoughPrivilege'));
} Shield requires CodeIgniter 4.3.5 or later. Versions prior to 4.3.5 have known vulnerabilities. See https://github.com/codeigniter4/CodeIgniter4/security/advisories
A new Config file AuthToken.php has been introduced. Run php spark shield:setup
again to install it into app/Config/, or install it manually.
Then change the default settings as necessary. When using Token authentication,
the default value has been changed from all accesses to be recorded in the
token_logins table to only accesses that fail authentication to be recorded.
The following items have been moved. They are no longer used and should be removed.
$authenticatorHeaderand$unusedTokenLifetimeare moved toConfig\AuthToken.
The following items have been added. Copy the properties in src/Config/Auth.php.
$usernameValidationRulesand$emailValidationRulesare added.
Shield 1.0.0-beta.4 fixes a vulnerability related to password storage. As a result, hashed passwords already stored in the database are no longer compatible and cannot be used by default.
All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the above vulnerability. Therefore, they should be removed as soon as possible.
Existing users will no longer be able to log in with their passwords and will need to log in with the magic link and then set their passwords again.
If you want to use passwords saved in Shield v1.0.0-beta.3 or earlier,
you must add the following property in app/Config/Auth.php:
public bool $supportOldDangerousPassword = true;After upgrading, with the above setting, once a user logs in with the password, the hashed password is updated and stored in the database.
In this case, the existing hashed passwords are still easier to crack than expected.
Therefore, this setting should not be used for an extended period of time.
So you should change the setting to false as soon as possible, and remove old
hashed password.
Note
This setting is deprecated. It will be removed in v1.0.0 official release.
By default, Shield uses the hashing algorithm PASSWORD_DEFAULT (see app/Config/Auth.php),
that is, PASSWORD_BCRYPT at the time of writing.
Now there are two limitations when you use PASSWORD_BCRYPT.
- the password will be truncated to a maximum length of 72 bytes.
- the password will be truncated at the first NULL byte (
\0).
If these behaviors are unacceptable, see How to Strengthen the Password.