User: added $persistIdentity option to control identity availability after logout

By default the identity stays available after logout or expiration (for personalization). Setting $persistIdentity to false discards it, so getIdentity() and getId() return null when not logged in. Configurable via the security.authentication DI section.

Author: dg

readme.md

@@ -178,6 +178,8 @@ Importantly, **when user logs out, identity is not deleted** and is still availa
 
 Thanks to this, you can still assume which user is at the computer and, for example, display personalized offers in the e-shop, however, you can only display his personal data after logging in.
 
+If you prefer the identity to be discarded on every logout and expiration, set `$user->persistIdentity = false`. Retaining the identity is best-effort and depends on the storage implementation.
+
 Identity is an object that implements the [Nette\Security\IIdentity](https://api.nette.org/master/Nette/Security/IIdentity.html) interface, the default implementation is [Nette\Security\SimpleIdentity](https://api.nette.org/3.0/Nette/Security/SimpleIdentity.html). And as mentioned, identity is stored in the session, so if, for example, we change the role of some of the logged-in users, old data will be kept in the identity until he logs in again.
 
 

src/Bridges/SecurityDI/SecurityExtension.php

@@ -24,6 +24,7 @@
  *     authentication: object{
  *         storage: 'session'|'cookie',
  *         expiration: string|null,
+ *         persistIdentity: bool,
  *         cookieName: string|null,
  *         cookieDomain: string|null,
  *         cookieSamesite: 'Lax'|'Strict'|'None'|null,
@@ -57,6 +58,7 @@ public function getConfigSchema(): Nette\Schema\Schema
 			'authentication' => Expect::structure([
 				'storage' => Expect::anyOf('session', 'cookie')->default('session'),
 				'expiration' => Expect::string()->dynamic(),
+				'persistIdentity' => Expect::bool(true),
 				'cookieName' => Expect::string(),
 				'cookieDomain' => Expect::string(),
 				'cookieSamesite' => Expect::anyOf('Lax', 'Strict', 'None'),
@@ -96,6 +98,10 @@ public function loadConfiguration(): void
 			$user->addSetup('setExpiration', [$auth->expiration]);
 		}
 
+		if (!$auth->persistIdentity) {
+			$user->addSetup('$persistIdentity', [false]);
+		}
+
 		if ($config->users) {
 			$usersList = $usersRoles = $usersData = [];
 			foreach ($config->users as $username => $data) {

src/Security/User.php

@@ -50,6 +50,9 @@ class User
 	/** default role for authenticated user without own identity */
 	public string $authenticatedRole = 'authenticated';
 
+	/** keep identity available (via getIdentity() and getId()) after logout or expiration; depends on the storage implementation */
+	public bool $persistIdentity = true;
+
 	/** @var array<callable(static): void>  Occurs when the user is successfully logged in */
 	public array $onLoggedIn = [];
 
@@ -112,10 +115,11 @@ public function login(
 
 	/**
 	 * Logs out the user from the current session. The identity is kept available afterwards,
-	 * unless $clearIdentity is set.
+	 * unless $clearIdentity is set or the $persistIdentity property is disabled.
 	 */
 	final public function logout(bool $clearIdentity = false): void
 	{
+		$clearIdentity = $clearIdentity || !$this->persistIdentity;
 		$logged = $this->isLoggedIn();
 		$this->storage->clearAuthentication($clearIdentity);
 		$this->authenticated = false;
@@ -139,8 +143,8 @@ final public function isLoggedIn(): bool
 
 
 	/**
-	 * Returns the user identity. It may be available even when not logged in (e.g. after logout or expiration),
-	 * so its presence does not imply the user is logged in; null if none.
+	 * Returns the user identity. It may be available even when not logged in (e.g. after logout or expiration)
+	 * unless $persistIdentity is disabled, so its presence does not imply the user is logged in; null if none.
 	 */
 	final public function getIdentity(): ?IIdentity
 	{
@@ -161,10 +165,11 @@ private function loadStoredData(): void
 			$this->logoutReason = $reason;
 		})(...$this->storage->getState());
 
-		$this->identity = $identity && $this->authenticator instanceof IdentityHandler
+		$identity = $identity && $this->authenticator instanceof IdentityHandler
 			? $this->authenticator->wakeupIdentity($identity)
 			: $identity;
-		$this->authenticated = $this->authenticated && $this->identity !== null;
+		$this->authenticated = $this->authenticated && $identity !== null;
+		$this->identity = !$this->authenticated && !$this->persistIdentity ? null : $identity;
 	}
 
 
@@ -229,11 +234,11 @@ final public function hasAuthenticator(): bool
 
 	/**
 	 * Enables log out after inactivity (like '20 minutes'). The identity is kept available afterwards,
-	 * unless $clearIdentity is set.
+	 * unless $clearIdentity is set or the $persistIdentity property is disabled.
 	 */
 	public function setExpiration(?string $expire, bool $clearIdentity = false): static
 	{
-		$this->storage->setExpiration($expire, $clearIdentity);
+		$this->storage->setExpiration($expire, $clearIdentity || !$this->persistIdentity);
 		return $this;
 	}
 

tests/Security.DI/SecurityExtension.persistIdentity.phpt

@@ -0,0 +1,49 @@
+<?php declare(strict_types=1);
+
+/**
+ * Test: SecurityExtension persistIdentity
+ */
+
+use Nette\Bridges\HttpDI\HttpExtension;
+use Nette\Bridges\HttpDI\SessionExtension;
+use Nette\Bridges\SecurityDI\SecurityExtension;
+use Nette\DI;
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+
+test('defaults to true', function () {
+	$compiler = new DI\Compiler;
+	$compiler->addExtension('foo', new HttpExtension);
+	$compiler->addExtension('bar', new SessionExtension);
+	$compiler->addExtension('security', new SecurityExtension);
+	$compiler->setClassName('ContainerDefault');
+
+	eval($compiler->compile());
+	$container = new ContainerDefault;
+
+	Assert::true($container->getService('security.user')->persistIdentity);
+});
+
+
+test('disabled via configuration', function () {
+	$compiler = new DI\Compiler;
+	$compiler->addExtension('foo', new HttpExtension);
+	$compiler->addExtension('bar', new SessionExtension);
+	$compiler->addExtension('security', new SecurityExtension);
+	$compiler->setClassName('ContainerDisabled');
+
+	$loader = new Nette\DI\Config\Loader;
+	$config = $loader->load(Tester\FileMock::create('
+security:
+	authentication:
+		persistIdentity: false
+', 'neon'));
+
+	eval($compiler->addConfig($config)->compile());
+	$container = new ContainerDisabled;
+
+	Assert::false($container->getService('security.user')->persistIdentity);
+});

tests/Security/User.persistIdentity.phpt

@@ -0,0 +1,54 @@
+<?php declare(strict_types=1);
+
+/**
+ * Test: Nette\Security\User persistIdentity.
+ */
+
+use Nette\Security\SimpleIdentity;
+use Nette\Security\User;
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+require __DIR__ . '/MockUserStorage.php';
+
+
+test('identity is kept after logout by default', function () {
+	$user = new User(new MockUserStorage);
+	$user->login(new SimpleIdentity('John Doe', 'admin'));
+
+	$user->logout();
+
+	Assert::false($user->isLoggedIn());
+	Assert::equal(new SimpleIdentity('John Doe', 'admin'), $user->getIdentity());
+	Assert::same('John Doe', $user->getId());
+});
+
+
+test('identity is discarded after logout when persistIdentity is off', function () {
+	$user = new User(new MockUserStorage);
+	$user->persistIdentity = false;
+	$user->login(new SimpleIdentity('John Doe', 'admin'));
+
+	$user->logout();
+
+	Assert::false($user->isLoggedIn());
+	Assert::null($user->getIdentity());
+	Assert::null($user->getId());
+});
+
+
+test('identity already stored without authentication is not exposed when persistIdentity is off', function () {
+	$storage = new MockUserStorage;
+	$user = new User($storage);
+	$user->login(new SimpleIdentity('John Doe', 'admin'));
+	$user->logout(); // identity stays in storage, not authenticated
+
+	// fresh User over the same storage with persistIdentity off (e.g. after disabling it in config)
+	$user = new User($storage);
+	$user->persistIdentity = false;
+
+	Assert::false($user->isLoggedIn());
+	Assert::null($user->getIdentity());
+	Assert::null($user->getId());
+});