Yii2 认证实现原理和示例

Posted 日拱一卒,功不唐捐

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Yii2 认证实现原理和示例相关的知识,希望对你有一定的参考价值。

  Yii的用户认证分为两个部分,一个是User组件,负责管理用户认证状态的,包括登录,登出,检测当前登录状态等,源文件位于vender/yiisoft/yii2/web/User.php。另一个是实现接口IdentityInterface的模型,同时必须继承ActiveRecord,当用户登录注册时,组件User会通过模型中的接口方法,对用户进行验证。

  对于用户状态切换主要通过switchIdentity方法实现的,比如注册后,用户登录时,会用到User组件中的switchIdentity方法,如下:

/**
     * Switches to a new identity for the current user.
     *
     * When [[enableSession]] is true, this method may use session and/or cookie to store the user identity information,
     * according to the value of `$duration`. Please refer to [[login()]] for more details.
     *
     * This method is mainly called by [[login()]], [[logout()]] and [[loginByCookie()]]
     * when the current user needs to be associated with the corresponding identity information.
     *
     * @param IdentityInterface|null $identity the identity information to be associated with the current user.
     * If null, it means switching the current user to be a guest.
     * @param integer $duration number of seconds that the user can remain in logged-in status.
     * This parameter is used only when `$identity` is not null.
     */
    public function switchIdentity($identity, $duration = 0)
    {
        $this->setIdentity($identity);

        if (!$this->enableSession) {
            return;
        }

        /* Ensure any existing identity cookies are removed. */
        if ($this->enableAutoLogin) {
            $this->removeIdentityCookie();
        }

        $session = Yii::$app->getSession();
        if (!YII_ENV_TEST) {
            $session->regenerateID(true);
        }
        $session->remove($this->idParam);
        $session->remove($this->authTimeoutParam);

        if ($identity) {
            $session->set($this->idParam, $identity->getId());
            if ($this->authTimeout !== null) {
                $session->set($this->authTimeoutParam, time() + $this->authTimeout);
            }
            if ($this->absoluteAuthTimeout !== null) {
                $session->set($this->absoluteAuthTimeoutParam, time() + $this->absoluteAuthTimeout);
            }
            if ($duration > 0 && $this->enableAutoLogin) {
                $this->sendIdentityCookie($identity, $duration);
            }
        }
    }

  如果写入identity为null,则将用户状态设置为离线,如果不是null,而是模型实例,该方法会将用户模型的id值写入session中,用户打开新页面时,只需下面的方法就可以判断是否已经登录。

//已登录返回true
Yii::$app->user->isGuest

  访问user组件的isGuest属性,会通过魔术方法,调用User组件中的getIsGuest方法

    /**
     * Returns a value indicating whether the user is a guest (not authenticated).
     * @return boolean whether the current user is a guest.
     * @see getIdentity()
     */
    public function getIsGuest()
    {
        return $this->getIdentity() === null;
    }

  方法又调用getIdentity()方法

    /**
     * Returns the identity object associated with the currently logged-in user.
     * When [[enableSession]] is true, this method may attempt to read the user\'s authentication data
     * stored in session and reconstruct the corresponding identity object, if it has not done so before.
     * @param boolean $autoRenew whether to automatically renew authentication status if it has not been done so before.
     * This is only useful when [[enableSession]] is true.
     * @return IdentityInterface|null the identity object associated with the currently logged-in user.
     * `null` is returned if the user is not logged in (not authenticated).
     * @see login()
     * @see logout()
     */
    public function getIdentity($autoRenew = true)
    {
        if ($this->_identity === false) {
            if ($this->enableSession && $autoRenew) {
                $this->_identity = null;
                $this->renewAuthStatus();
            } else {
                return null;
            }
        }

        return $this->_identity;
    }

  当session启用时,通过renewAuthStatus()更新新用户状态

    /**
     * Updates the authentication status using the information from session and cookie.
     *
     * This method will try to determine the user identity using the [[idParam]] session variable.
     *
     * If [[authTimeout]] is set, this method will refresh the timer.
     *
     * If the user identity cannot be determined by session, this method will try to [[loginByCookie()|login by cookie]]
     * if [[enableAutoLogin]] is true.
     */
    protected function renewAuthStatus()
    {
        $session = Yii::$app->getSession();
        $id = $session->getHasSessionId() || $session->getIsActive() ? $session->get($this->idParam) : null;

        if ($id === null) {
            $identity = null;
        } else {
            /* @var $class IdentityInterface */
            $class = $this->identityClass;
            $identity = $class::findIdentity($id);
        }

        $this->setIdentity($identity);

        if ($identity !== null && ($this->authTimeout !== null || $this->absoluteAuthTimeout !== null)) {
            $expire = $this->authTimeout !== null ? $session->get($this->authTimeoutParam) : null;
            $expireAbsolute = $this->absoluteAuthTimeout !== null ? $session->get($this->absoluteAuthTimeoutParam) : null;
            if ($expire !== null && $expire < time() || $expireAbsolute !== null && $expireAbsolute < time()) {
                $this->logout(false);
            } elseif ($this->authTimeout !== null) {
                $session->set($this->authTimeoutParam, time() + $this->authTimeout);
            }
        }

        if ($this->enableAutoLogin) {
            if ($this->getIsGuest()) {
                $this->loginByCookie();
            } elseif ($this->autoRenewCookie) {
                $this->renewIdentityCookie();
            }
        }
    }

  该方法主要通过session取出用户id,然后通过id获取用户模型实例,然后使用实例进行登录,和更新认证过期时间。

  下面实现一个常用的用户注册登录功能模块,用户只有登录后才可以进入home页面

  User模型:

<?php
/**
 * Created by PhpStorm.
 * User: zhenbao
 * Date: 16/10/17
 * Time: 下午4:14
 */

namespace app\\models;

use Yii;
use yii\\web\\IdentityInterface;
use yii\\db\\ActiveRecord;

class User extends ActiveRecord implements IdentityInterface
{
    const LOGIN = "login";
    const REGISTER = "register";

    public function scenarios()
    {
        return [
            self::LOGIN => [\'username\', \'password\'],
            self::REGISTER => [\'username\', \'password\']
        ];
    }

    public static function tableName()
    {
        return "user";
    }

    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        return static::findOne([\'accessToken\' => $token]);
    }

    public function getId()
    {
        return $this -> id;
    }

    public function getAuthKey()
    {
        return $this -> authKey;
    }

    public function validateAuthKey($authKey)
    {
        return $this -> getAuthKey() === $authKey;
    }

    public static function findIdentityByUsername($username)
    {
        return static::findOne([\'username\' => $username]);
    }

    public function validatePassword($password)
    {
        return $this -> password === sha1($password);
    }

    public function setPassword()
    {
        $this -> password = sha1($this -> password);
        return true;
    }

    public function beforeSave($insert)
    {
        if(parent::beforeSave($insert))
        {
            if($this -> isNewRecord)
            {
                $this -> authKey = Yii::$app -> security -> generateRandomString();
            }
            return true;
        }
        return false;
    }
}

  控制器:

<?php

namespace app\\controllers;

use Yii;
use yii\\web\\Controller;
use app\\models\\User;
use yii\\web\\Cookie;

class UserController extends Controller
{
    /**默认方法为home方法
     * @var string
     */
    public $defaultAction = \'home\';

    /**用户登录,当已经登录直接跳转home页面,
     * 否则,查看是否有访问accessToken,如果有使用accessToken登录,如果accessToken无效则删除accessToken然后返回到登录界面
     * 如果没有accessToken则使用用户的登录密码登录,验证成功后,查看是否选择了记住我,有则生成accessToken,下次直接使用accessToken登录
     * 登录失败,返回到登录界面重新登录。
     * @return string|\\yii\\web\\Response
     */
    public function actionLogin()
    {
        $request = Yii::$app->request->post(\'User\');
        //如果已经登录获取认证identity然后进入home页面
        if (!(Yii::$app->user->isGuest)) {
            return $this->redirect(\'/?r=user/home\');
        } else {
            //如果没有登录,查看cookie中是否有accessToken,如果有尝试使用accessToken登录,accessToken登录失败,则删除这个无效的accessToken
            $accessToken = Yii::$app->request->cookies->getValue(\'accessToken\');
            if ($accessToken !== null) {
                if (Yii::$app->user->loginByAccessToken($accessToken)) {
                    return $this->redirect("/?r=user/home");
                } else {
                    Yii::$app->request->cookies->remove("accessToken");
                    $user = new User([\'scenario\' => \'login\']);
                    return $this->renderPartial(\'login\', [\'model\' => $user]);
                }
            }
            //尝试用户名密码登录,如果验证成功,查看是否有点击记住我,如果有生成accessToken,下次直接accessToken登录
            $request = Yii::$app->request->post(\'User\');
            if ($request && isset($request[\'username\']) && isset($request[\'password\'])) {
                $user = User::findIdentityByUsername($request[\'username\']);
                if ($user && $user->validatePassword($request[\'password\'])) {
                    $remeberMe = Yii::$app->request->post(\'remeberMe\');
                    if ($remeberMe === \'on\') {
                        //生成访问accessToken
                        $user->accessToken = Yii::$app->security->generateRandomString();
                        $user->scenario = \'login\';
                        $user->save();
                        Yii::$app->response->cookies->add(new Cookie([
                            \'name\' => \'accessToken\',
                            \'value\' => $user->accessToken,
                            \'expire\' => time() + 3600 * 24 * 7
                        ]));
                    }
                    Yii::$app->user->login($user);
                    return $this->redirect(\'/?r=user/home\');
                }
            }
            //accessToken和账号密码均无法登录,重新返回登录界面
            $user = new User([\'scenario\' => \'login\']);
            return $this->renderPartial(\'login\', [\'model\' => $user]);

        }
    }

    /**根据用户是否登录,选择跳转页面
     * @return string|\\yii\\web\\Response
     */
    public function actionHome()
    {
        if (Yii::$app->user->isGuest) {
            return $this->redirect(\'/?r=user/login\');
        }
        $user = Yii::$app->user->getIdentity();
        return $this->renderPartial(\'home\', [\'user\' => $user]);
    }

    /**退出登录,如果有删除accessToken,返回登录页面
     * @return \\yii\\web\\Response
     */
    public function actionLogout()
    {
        $user = Yii::$app->user->getIdentity();
        Yii::$app->user->logout($user);
        $accessToken = Yii::$app->request->cookies->getValue(\'accessToken\');
        if ($accessToken !== null) {
            Yii::$app->response->cookies->remove(\'accessToken\');
        }
        return $this->redirect(\'/?r=user/login\');
    }

    /**
     * 注册用户,如果注册成功自动进入home主页,注册失败进入注册页面
     * @return string|\\yii\\web\\Response
     */
    public function actionRegister()
    {
        $user = new User([\'scenario\' => \'register\']);
        $request = Yii::$app->request->post();
        if ($request) {
            if ($user->load($request) && $user->setPassword() && $user->save()) {
                Yii::$app->user->login($user);
                return $this->redirect(\'/?r=user/login\');
            }
        }
        return $this->renderPartial(\'register\', [\'model\' => $user]);
    }
}

  视图login

<?php

use yii\\helpers\\html;
use yii\\bootstrap\\ActiveForm;

 $form = ActiveForm::begin([
        \'id\' => \'user\',
        \'options\' => [\'class\' => \'form-horizontal\'],
        \'fieldConfig\' => [
            \'template\' => "{label}\\n<div class=\\"col-lg-3\\">{input}</div>\\n<div class=\\"col-lg-8\\">{error}</div>",
            \'labelOptions\' => [\'class\' => \'col-lg-1 control-label\'],
        ],
    ]); ?>

<?= $form->field($model, \'username\')->textInput([\'autofocus\' => true]) ?>
<?= $form->field($model, \'password\')->passwordInput() ?>
<input type="checkbox" name="remeberMe" >记住我
<?= Html::submitButton(\'Login\', [\'class\' => \'btn btn-primary\', \'name\' => \'login-button\']) ?>
<?php ActiveForm::end(); ?>
<a href="/?r=user/register">注册</a>

  视图注册:

<?php

use yii\\helpers\\Html;
use yii\\bootstrap\\ActiveForm;

$this->title = \'register\';

$form = ActiveForm::begin([
    \'id\' => \'login-form\',
    \'options\' => [\'class\' => \'form-horizontal\'],
    \'fieldConfig\' => [
        \'template\' => "{label}\\n<div class=\\"col-lg-3\\">{input}</div>\\n<div class=\\"col-lg-8\\">{error}</div>",
        \'labelOptions\' => [\'class\' => \'col-lg-1 control-label\'],
    ],
]); ?>

<?= $form->field($model, \'username\')->textInput([\'autofocus\' => true]) ?>
<?= $form->field($model, \'password\')->passwordInput() ?>
<?= Html::submitButton(\'Register\', [\'class\' => \'btn btn-primary\', \'name\' => \'login-button\']) ?>
<?php ActiveForm::end(); ?>
<a href="/?r=user/login">登录</a>

  home视图:

<?php
    echo $user -> username;
?>
<a href="/?r=user/logout">退出</a>

  运行:

home页面

 

文档:http://www.yiichina.com/doc/guide/2.0/security-authentication

以上是关于Yii2 认证实现原理和示例的主要内容,如果未能解决你的问题,请参考以下文章

Shiro原理流程,代码示例

Shiro原理流程,代码示例

yii2 登录退出自动登录

Yii2.0源码阅读-behavior的实现原理

html PHP代码片段: - AJAX基本示例:此代码演示了使用PHP和JavaScript实现的基本AJAX功能。

Yii2框架RESTful API教程 - 格式化响应,授权认证和速率限制