
TYPO3 Neos: authentication provider for a package

There are many examples of how to set up an authentication provider with a login, but I can't find an example of how to set one up for a package.

TYPO3 Neos v1.2.x

I have a package with an editor for the backend. The editor should communicate via a controller. So far everything works, but I have no access to the controller now. If I look at the Settings.yaml of the TYPO3 Neos package, there is an option controllerObjectName.

      Typo3BackendProvider:
        provider: 'PersistedUsernamePasswordProvider'
        requestPatterns:
          controllerObjectName: 'TYPO3\Neos\Controller\.*|TYPO3\Neos\Service\.*|TYPO3\Media\Controller\.*'
        entryPoint: 'WebRedirect'
        entryPointOptions:
          routeValues:
            '@package':    'TYPO3.Neos'
            '@controller': 'Login'
            '@action':     'index'
            '@format':     'html'

If I add my controller to this option too, then it works:

          controllerObjectName: 'TYPO3\Neos\Controller\.*|TYPO3\Neos\Service\.*|TYPO3\Media\Controller\.*|Vendor\Package\Controller\Backend\.*'

But I can't imagine that the answer is to overwrite the Neos settings.

So I tried to add my own provider with the same settings as Typo3BackendProvider.

      VendorPackageProvider:
        provider: 'PersistedUsernamePasswordProvider'
        requestPatterns:
          controllerObjectName: 'Vendor\Package\Controller\Backend\.*'
        entryPoint: 'WebRedirect'
        entryPointOptions:
          routeValues:
            '@package':    'TYPO3.Neos'
            '@controller': 'Login'
            '@action':     'index'
            '@format':     'html'

Because this does not work, I tried to use the tokenClass and defined it on Typo3BackendProvider and VendorPackageProvider with the same name. That doesn't work either.

The logs are also not helpful:

    14-12-25 17:52:25 66198      127.0.0.1      INFO      Flow                 Session 52exQd3r1orQA35gTfjQZhhOae4x5SVh contains auth token TYPO3\Flow\Security\Authentication\Token\UsernamePassword for provider VendorPackageProvider. Status: no credentials given
    14-12-25 17:52:25 66198      127.0.0.1      INFO      Flow                 Access denied (0 denied, 0 granted, 1 abstained) to method Vendor\Package\Controller\Backend\MyController::indexAction().
    14-12-25 17:52:25 66198      127.0.0.1      INFO      Flow                 Redirecting to authentication entry point
    routeValues => array (
       @package => TYPO3.Neos
       @controller => Login
       @action => index
       @format => html
    )

Finally, my Policy.yaml:

    resources:
      methods:
        Vendor_Package_BackendAccess: 'method(Vendor\Package\Controller\Backend\MyController->(initialize|index)Action())'

    acls:
      'TYPO3.Neos:Editor':
        methods:
          Vendor_Package_BackendAccess: GRANT

For anybody else wondering about this in Flow Framework / Neos authentication providers.

It is possible to avoid overwriting the provider set by the main package of Neos and add your own provider, but it is not clean and has serious drawbacks.

The trick is to add another provider with the same name but different uppercase/lowercase. For example, here you have Typo3BackendProvider, so you can complement this with typo3backendprovider (all lowercase, but you can change one letter up/down as you like). In this provider entry you set the same provider class and your request pattern with a small overlap on the controller for the entry point. The second part of the trick is to set the authenticationStrategy to atLeastOneToken.

So in your package's Settings.yaml:

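    # These keys live under TYPO3.Flow.security.authentication;
    # authenticationStrategy is a sibling of providers, not a provider entry.
    authenticationStrategy: atLeastOneToken
    providers:
      typo3backendprovider:
        provider: 'PersistedUsernamePasswordProvider'
        requestPatterns:
          controllerObjectName: 'TYPO3\Neos\Controller\LoginController\?.*|Vendor\Package\Controller\Backend\.*'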

(Your package must be behind the Neos package in PackageStates.php or composer.json or you must put this in the global Configuration)

Now on login, the Flow authentication framework will find two active authentication providers and authenticate both with the same credentials. When it is in the Neos backend controllers it will find one authenticated token, and in your backend controllers it will also find one authenticated token. On logout the authentication manager will destroy the session with both tokens, even if it technically only logged out one token or the other.

This trick has the obvious drawback of being a little vague to someone querying the configuration and seeing two authentication providers that look very much alike. Also on login the hash time is doubled because it is checked twice, so this is not scalable to multiple packages composing their backend spaces together. Finally the atLeastOneToken strategy may lead to unexpected effects of unintentional multifactor authentications if another provider would have taken the authentication before this and carried on.

Better to set it globally

Given the disadvantages, I would say that overwriting the controllerObjectName of the default provider is not a bad thing to do. It does actually mean that the Typo3BackendProvider governs the authentication token for that precise area. It should be set in the global Configuration/Settings.yaml and not in the package itself, to avoid problems with multiple packages defining controllerObjectName and leaving only the last one standing. Inside the package's settings you could also set it, so that the normal backend would clearly stop working if you forgot the global configuration.
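
The three configurations discussed on this page, run through a simplified Python model that is added here as an illustration and is not Flow or Neos code. It assumes that a provider's token is active only when its controllerObjectName pattern matches the requested controller class, that only tokens active during the login request receive credentials, and that atLeastOneToken is in effect; the function and constant names are hypothetical.

```python
import re

LOGIN = r'TYPO3\Neos\Controller\LoginController'
TARGET = r'Vendor\Package\Controller\Backend\MyController'
NEOS = r'TYPO3\Neos\Controller\.*|TYPO3\Neos\Service\.*|TYPO3\Media\Controller\.*'
VENDOR = r'Vendor\Package\Controller\Backend\.*'

def is_active(pattern, controller):
    # Assumption: backslashes in the setting are literal namespace separators
    # and the rest is a regular expression matched against the whole class name.
    return re.fullmatch(pattern.replace('\\', '\\\\'), controller) is not None

def active(providers, controller):
    # Names of the providers whose token is active for this controller.
    return {n for n, p in providers.items() if is_active(p, controller)}

def simulate(providers, login=LOGIN, target=TARGET):
    # Only tokens active during the login request receive the credentials.
    authenticated = active(providers, login)
    # atLeastOneToken: one authenticated token active for the target is enough.
    usable = authenticated & active(providers, target)
    return {'checked_at_login': sorted(authenticated),
            'target_allowed': bool(usable)}

CONFIGS = {
    # Question: own provider, no overlap with the login controller.
    'question (separate provider)': {
        'Typo3BackendProvider': NEOS, 'VendorPackageProvider': VENDOR},
    # Answer: case-variant provider overlapping the login controller.
    'answer (case-variant provider)': {
        'Typo3BackendProvider': NEOS,
        'typo3backendprovider':
            r'TYPO3\Neos\Controller\LoginController\?.*|' + VENDOR},
    # Recommended: extend the default provider's pattern globally.
    'global override': {'Typo3BackendProvider': NEOS + '|' + VENDOR},
}

if __name__ == '__main__':
    for name, providers in CONFIGS.items():
        print(name, simulate(providers))
```

In this model the question's VendorPackageProvider token never sees credentials, which corresponds to the "no credentials given" log line, while the case-variant provider is checked alongside the default one at login, which is the doubled hash cost the answer mentions.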
