Helios is an authentication middleware embracing PSR-7. Its purpose is to keep the identity completely request dependent, as well as avoiding the use of server-side sessions through the use of JSON Web Tokens.
Install via composer:
$ composer require dasprid/helios
Getting started (for Expressive)
Create a file named helios.global.php or similar in your autoloading config directory:
<?php
return (new DASPRiD\Helios\ConfigProvider())->__invoke();
This will introduce a few factories, through which you can retrieve the following objects:
DASPRiD\Helios\CookieManager through DASPRiD\Helios\CookieManagerInterface
DASPRiD\Helios\IdentityMiddleware through DASPRiD\Helios\IdentityMiddleware
DASPRiD\Helios\TokenManager through DASPRiD\Helios\TokenManagerInterface
You'll need to implement a lookup which retrieves the user identity based on the subject stored in the token. Register that lookup in your dependency container:
<?php
use DASPRiD\Helios\Identity\LookupResult;

class MyIdentityLookup implements DASPRiD\Helios\Identity\IdentityLookupInterface
{
    public function lookup($subject) : LookupResult
    {
        // Pseudo-code here: $this->repository stands for your own user storage
        if ($this->repository->has($subject)) {
            return LookupResult::fromIdentity($this->repository->get($subject));
        }

        // Unknown subject: the token does not map to a user
        return LookupResult::invalid();
    }
}
For Helios to function, it needs a few configuration variables. Copy the file doc/example-config.php and adjust the values as needed.
Helios ships with an IdentityMiddleware, which should be registered in your middleware pipeline before the dispatch middleware. The exact location in the stack depends on your own needs.
Helios itself does not ship with any actual logic for signing users in or out. Thus, a simple sign-in middleware may look like this:
<?php
class MySignIn
{
    /**
     * @var DASPRiD\Helios\CookieManagerInterface
     */
    private $cookieManager;

    public function __invoke()
    {
        // Verify the user ($userIsValid, $user and $rememberMeSelected are
        // placeholders for your own credential check and form handling)
        if ($userIsValid) {
            $response = new Zend\Diactoros\Response\RedirectResponse('/go/somewhere');

            return $this->cookieManager->injectTokenCookie(
                $response,
                $user->getId(),
                !$rememberMeSelected
            );
        }

        // Do some error response here
    }
}
Similar to the sign-in middleware, your sign-out middleware can use the CookieManager to invalidate the cookie:
<?php
class MySignOut
{
    /**
     * @var DASPRiD\Helios\CookieManagerInterface
     */
    private $cookieManager;

    public function __invoke()
    {
        $response = new Zend\Diactoros\Response\RedirectResponse('/go/somewhere');

        return $this->cookieManager->expireTokenCookie($response);
    }
}
Each time the user is retrieved by the IdentityMiddleware, it is injected into the request as an attribute. Thus when you need the user in your middleware, you can easily get it:
<?php
class SomeOtherMiddleware
{
    public function __invoke(Psr\Http\Message\ServerRequestInterface $request)
    {
        $user = $request->getAttribute(DASPRiD\Helios\IdentityMiddleware::IDENTITY_ATTRIBUTE);
    }
}
Sometimes it may be required that the identity is always available in your view, e.g. to display the username in the layout. The proper way to handle that case is to use a specific template renderer which takes the request object, besides the usual view parameters, and injects the user into the view variables before rendering. Try to avoid injecting the entire request object into the view parameters though.
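One way to build the renderer described above, as an added example that is not part of Helios or of the original README. The class name IdentityAwareRenderer and the view variable name "identity" are hypothetical, and the example assumes the zend-expressive-template package for TemplateRendererInterface.

```php
<?php
declare(strict_types=1);

use DASPRiD\Helios\IdentityMiddleware;
use Psr\Http\Message\ServerRequestInterface;
use Zend\Expressive\Template\TemplateRendererInterface;

/**
 * Hypothetical wrapper (not part of Helios): renders a template with the
 * current identity added to the view variables.
 */
final class IdentityAwareRenderer
{
    // Assumed name of the view variable that templates read the user from.
    const IDENTITY_VARIABLE = 'identity';

    /**
     * @var TemplateRendererInterface
     */
    private $renderer;

    public function __construct(TemplateRendererInterface $renderer)
    {
        $this->renderer = $renderer;
    }

    public function render(ServerRequestInterface $request, string $name, array $params = []) : string
    {
        // The identity must come from IdentityMiddleware only; a handler that
        // passes its own value under the reserved name is a bug, so fail loudly.
        if (array_key_exists(self::IDENTITY_VARIABLE, $params)) {
            throw new InvalidArgumentException(sprintf(
                'View variable "%s" is reserved for the authenticated identity',
                self::IDENTITY_VARIABLE
            ));
        }

        // Copy just this one attribute. The request itself also carries the
        // cookies and headers, which templates have no reason to see.
        // getAttribute() returns null when the attribute is not set.
        $params[self::IDENTITY_VARIABLE] = $request->getAttribute(
            IdentityMiddleware::IDENTITY_ATTRIBUTE
        );

        return $this->renderer->render($name, $params);
    }
}
```

Templates should treat a null value under that variable as "not signed in" and still escape any identity field they print.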