Authentication is tedious. Many projects need some sort of authentication system. And in many of these projects you will basically start from scratch. That's why cbauth was created.

cbauth is a library that handles creating user sessions for your app including authenticating users, logging users in and out, and retrieving the currently authenticated user. It is customizable to plug in to your existing authentication method and session storage.

These are some of the methods you can use in your project:

Requirements

• Lucee 5+

• Adobe ColdFusion 2016+

• Coldbox 4.3 +

Installation

cbauth requires ColdBox 4.3 or higher for .

cbauth can be installed with

Configuration

cbauth needs a userServiceClass which has to be specified in the module settings. It should be a WireBox mapping that resolves to a component that implements the IUserService interface (though this implementation can be implicit.)

By default, cbauth uses sessionStorage@cbstorages and RequestStorage@cbstorages for the sessionStorage and requestStorage, respectively.

Your config settings will look like this:

You can specify other requestStorage or sessionStorage (e.g distributed cache) as long as your new storages follow the Interface definitions as defined:

Usage

Before you can use cbauth you have to create a UserService which implement the .

You also have a User class which implements the interface.

When you have create your User and UserService and configured the moduleSettings you are ready to use the AuthenticationService. You can inject the authentication service using WireBox:

Or, the quick way, you can just use the auth() helper method (which is actually just a shortcut to a wirebox injection). The auth() helper is very useful in views. And since Wirebox handles singleton management, you don't have to worry about calling auth()too many times.

The Authentication service provides you with all methods for handling user sessions, e.g:

After login your userID is stored in sessionstorage. Your user object will be cached in the requeststorage, so you only have to hit your database once per request to access user information.

The full list of methods is described in the section.

cbauth is quite flexible. In your IUserService implementation you can define how you want to retrieve your IAuthUser implementation: from a database, LDAP or any other authentication provider. You can define any properties you want to store, permissions or roles, and additional data for your authenticated user.

The current user will be retrieved and cached in a configured requestStorage. The userID will be stored in a configured sessionStorage. Both sessionStorage and requestStorage can be anything you want, as long as they implement the required methods. A common scenario, for example, is when you don't want to use ColdFusion or Lucee sessions for API applications, but instead use a distributed cache.

v5.0.1

24 Apr 2020 — 03:47:00 UTC

other

• *: fix: Allow any dsl to be the user service ()

v5.0.0

02 Apr 2020 — 22:10:08 UTC

BREAKING

• *: feat: Added interception points and return user from authorize ()

v4.1.2

18 Feb 2020 — 17:27:02 UTC

other

• *: Adjust gitignore file for better directory matching ()

v4.1.1

13 Feb 2020 — 17:36:32 UTC

other

• *: chore: Use forgeboxStorage ()

v4.1.0

23 Dec 2019 — 18:06:36 UTC

feat

• Login: Add new preLogin and postLogin interception points ()

v4.0.0

02 Oct 2019 — 05:29:36 UTC

BREAKING

• cbstorages: Upgrade cbstorages to 2.0.0 ()

v3.0.3

24 Sep 2019 — 16:40:21 UTC

other

• *: chore: Transfer cbauth to coldbox-modules namespace ()

v3.0.2

22 Sep 2019 — 19:08:45 UTC

other

• *: docs: Fixed Coldbox 4.3 docs link ()

v3.0.1

22 Sep 2019 — 18:58:14 UTC

chore

• build: Use openjdk8 on Travis ()

v3.0.0

12 Jul 2019 — 20:14:17 UTC

BREAKING

• Storages: Allow customizing of storages ()

v2.0.0

25 Oct 2018 — 06:56:50 UTC

BREAKING

• build: Trigger major release for prior commit ()

chore

• ci: Add commandbox-semantic-release ()

• formatting: Clean up spacing at end of lines ()

• server.json: Default to adobe@11 servers ()

fix

• build: Update box.json references to elpete ()

• build: Remove incompatible scripts for commandbox-semantic-release ()

• tests: Fix MockBox expectation to match struct pattern ()

other

• *: Merge pull request #3 from elpete/add_csr ()

• *: Merge pull request #2 from jclausen/master ()

v2.0.0

25 Oct 2018 — 06:40:06 UTC

BREAKING

• build: Trigger major release for prior commit ()

chore

• ci: Add commandbox-semantic-release ()

• formatting: Clean up spacing at end of lines ()

• server.json: Default to adobe@11 servers ()

fix

• build: Remove incompatible scripts for commandbox-semantic-release ()

• tests: Fix MockBox expectation to match struct pattern ()

other

• *: Merge pull request #3 from elpete/add_csr ()

• *: Merge pull request #2 from jclausen/master ()

You have to create a User component which responds to the getId() method. This user will be retrieved by the retrieve methods from your

You have to create a UserService and specify a userServiceClass in your moduleSettings. This UserService needs to have three methods, according to cbauth.interfaces.IUserService

interface {

	/**
	 * Verify if the incoming username/password are valid credentials.
	 *
	 * @username The username
	 * @password The password
	 */
	boolean function isValidCredentials( required username, required password );

	/**
	 * Retrieve a user by username
	 *
	 * @return User that implements IAuthUser
	 */
	function retrieveUserByUsername( required username );

	/**
	 * Retrieve a user by unique identifier
	 *
	 * @id The unique identifier
	 *
	 * @return User that implements IAuthUser
	 */
	function retrieveUserById( required id );
}

The user component returned by both retrieve... methods needs to respond to getId() as specified by the interface.

Interceptions

cbauth announces several custom interception points. You can use these interception points to change request data or add additional values to session or request scopes. The preAuthentication and postAuthentication events fire during the standard authenticate() method call with a username and password. The preLogin and postLogin events fire during the login() method call. The preLogout and postLogout events fire during the logout() method call.

preAuthentication

InterceptData

Modifying the values in the interceptData will change what is passed to isValidCredentials and retrieveUserByUsername. This is the prime time to ignore certain requests or remove or pad usernames.

postAuthentication

InterceptData

This is the prime time to store additional values based on the user returned.

preLogin

InterceptData

postLogin

InterceptData

This is a good opportunity to store additional data if your application logged the user in manually without authenticating via a username/password like a "remember me" system.

preLogout

InterceptData

postLogout

InterceptData

The authentication service can be used by injecting it using WireBox:

Or, the quick way, you can just use the auth() helper method (which is actually just a shortcut to a wirebox injection). The auth() helper is very useful in views. And since Wirebox handles singleton management, you don't have to worry about calling auth()too many times.