Security Laravel Package

• Guest identity – an IdentityHandler authenticator may now implement getGuestIdentity(): ?IIdentity to hand anonymous visitors a real identity. When present, getIdentity(), getId() and getRoles() transparently fall back to it, so guests carry their own roles and data instead of just the $guestRole string. The guest identity is resolved on read only and never written to storage.

• $persistIdentity – the new User::$persistIdentity property lets you decide what happens to the identity after logout or expiration. It stays available for personalization by default; flip it to false and getIdentity()/getId() return null once the user is no longer logged in. Configurable straight from the security.authentication DI section.

• SessionStorage no longer refreshes the sliding expiration timestamp once the session has already expired – an expired identity stays expired instead of being silently kept alive for another round

• Adopted nette/phpstan-rules and made static analysis a mandatory part of the build, then resolved the errors it surfaced

• Improved phpDoc types and descriptions across the codebase

A small maintenance release headlined by a fix to session-based identity storage, plus a tightening of the project's static analysis setup and a round of phpDoc polish.

• SessionStorage no longer refreshes the sliding expiration timestamp once the session has already expired – an expired identity stays expired instead of being silently kept alive for another round
• Adopted nette/phpstan-rules and made static analysis a mandatory part of the build, then resolved the errors it surfaced
• Improved phpDoc types and descriptions across the codebase

• support for PHP 8.5
• optimized global function calls

• support for PHP 8.4
• SecurityExtension: password can be dynamic #74
• $user => $username #73

• requires PHP 8.1
• uses PHP 8.1 features
• removed deprecated IUserStorage (BC break)

• support for PHP 8.3
• constants are PascalCase
• used #[\SensitiveParameter] to mark sensitive parameters

• composer: allows nette/utils 4.0

• CookieStorage: getState returns the previously set ID #67
• CookieStorage: fixed SameSite attribute
• SessionStorage::setExpiration() does not overwrite data in the session
• SimpleAuthenticator: refactoring, added verifyPassword()
• strict type fix
• coding style

• SessionStorage: used new sessionSection API to not start the session unless needed

• User: added method refreshStorage() to clear identity cache. (#46) (#50)
• UserPanel: displays 'Session is closed' on closed session #52

• support for PHP 8.1
• User::setExpiration() second argument accept also bool $clearIdentity
• User: added consts LOGOUT_MANUAL & LOGOUT_INACTIVITY
• fixed compatibility with Symfony DebugClassLoader
• compatibility: improved code hinting

• Revert "SecurityExtension: 'roles' & 'resources' are deprecated"
• SessionStorage: Fix clearing identity in case of clearAuthentication(true). (#55)
• User: passes to authenticator all arguments
• User::logout() steps reorder
• events: removed magic
• CookieStorage: added MIN_LENGTH for UID
• User::inInRole() works with object Role

For the details you can have a look at the diff.

• requires PHP 7.2
• added UserStorage, successor for IUserStorage
• added IdentityHandler
• added Authenticator, successor for IAuthenticator
• added SimpleIdentity, successor for Identity
• removed I prefixes from IAuthorizator, IResource, IRole
• SecurityExtension: 'roles' & 'resources' are deprecated
• User: added method refreshStorage() to clear identity cache. (#46) (#50)

• SecurityExtension: added section 'authentication'
• added SessionStorage & CookieStorage (replaced Nette\Http\UserStorage)

• compatible with PHP 8.0
• SecurityExtension: detects Tracy by presence of service [@Tracy](https://github.com/Tracy)\Bar nette/di#245
• improved PHP doc
• Passwords: hash(): Password can not be empty. (#47)

For the details you can have a look at the diff.

• SecurityExtensions, SimpleAuthenticator: add option for users data (#40)

For the details you can have a look at the diff.

• User: identity and authenticated state are cached, UserStorage is not called repeatedly
• UserPanel: uses capturing

For the details you can have a look at the diff.

• Passwords: constants PASSWORD_* are strings since PHP 7.4 #35
• User: added getAuthenticatorIfExists & getAuthorizatorIfExists()
• User: deprecated hasAuthenticator() & hasAuthorizator()

For the details you can have a look at the diff.

• requires PHP 7.1
• uses declare(strict_types=1)
• uses PHP 7.1 scalar and return type hints
• User::setExpiration() changed arguments 84ada184b35ac7cc19a382dc9ebb8a0e0fcc076d (BC break with fallback)
• User: added hasAuthenticator() & hasAuthorizator(), deprecated $throw in getAuthenticator() & getAuthorizator()
• Passwords: changed from static to object class (BC break)
• Passwords: BCRYPT changed to default algorithm
• SecurityExtension: added service 'passwords'
• some classes & members marked as final (BC break)
• SecurityExtension: uses configuration Schema

• SecurityExtension: added service 'passwords'
• Passwords: is not static class (forward compatibility with v3)
• Passwords: simplified checking for invalid hash

For the details you can have a look at the diff.

• Permission: used native callback invocation
• improved typehints
• SecurityExtension: used setFactory() instead of misused setClass()

For the details you can have a look at the diff.

• supports PHP up to 7.2
• coding style: fixes, lowercase true/false/null

For the details you can have a look at the diff.

• UserStorage: removed BROWSER_CLOSED expiration reason nette/http#112
• @return self -> static

For the details you can have a look at the diff.

• tests, typos

For the details you can have a look at the diff.

• requires PHP 5.6
• uses Nette\SmartObject & StaticClass
• Passwords: simplified with password_* API
• Passwords::hash() removed option 'salt' (BC break)

For the details you can have a look at the diff.

• travis: migrating to container-based infrastructure
• improved coding style

For the details you can have a look at the diff.

• travis: migrating to container-based infrastructure
• improved coding style

For the details you can have a look at the diff.

• Identity: fixed conversion of big ints nette/nette#1520

For the details you can have a look at the diff.

• added bridge for Nette DI

• UserPanel: is rendered only when headers are not sent [Closes #7](fixed bug introduced in v2.2.1)

For the details you can have a look at the diff.

• Passwords: removed useless PASSWORD_MAX_LENGTH [Closes #1]
• Passwords: Fix for validation of cost 31 [Closes #2][Closes #4]

For the details you can have a look at the diff.

The first standalone release. For more information see readme.md.