Remove deprecated identify option from SessionAuthenticator

The identify option was deprecated in 3.x in favor of
PrimaryKeySessionAuthenticator. Remove it for the 4.x major.

Author: dereuromark

docs/en/authenticators.rst

@@ -18,13 +18,8 @@ Configuration options:
 
 -  **sessionKey**: The session key for the user data, default is
    ``Auth``
--  **identify**: Set this key with a value of bool ``true`` to enable checking
-   the session credentials against the identifiers. When ``true``, the configured
-   :doc:`/identifiers` are used to identify the user using data
-   stored in the session on each request. Default value is ``false``.
 -  **fields**: Allows you to map the ``username`` field to the unique
-   identifier in your user storage. Defaults to ``username``. This option is
-   used when the ``identify`` option is set to true.
+   identifier in your user storage. Defaults to ``username``.
 
 PrimaryKeySession
 =================

docs/en/upgrade-3-to-4.rst

@@ -105,6 +105,28 @@ For LDAP authentication:
         LdapIdentifier::CREDENTIAL_PASSWORD => 'password',
     ];
 
+SessionAuthenticator ``identify`` Option Removed
+-------------------------------------------------
+
+The deprecated ``identify`` option has been removed from ``SessionAuthenticator``.
+Use ``PrimaryKeySessionAuthenticator`` instead if you need to fetch fresh user
+data from the database on each request.
+
+**Before (3.x):**
+
+.. code-block:: php
+
+    $service->loadAuthenticator('Authentication.Session', [
+        'identify' => true,
+        'identifier' => 'Authentication.Password',
+    ]);
+
+**After (4.x):**
+
+.. code-block:: php
+
+    $service->loadAuthenticator('Authentication.PrimaryKeySession');
+
 URL Checker Renamed and Restructured
 -------------------------------------
 
@@ -278,15 +300,20 @@ New dedicated checker for multiple login URLs:
 Migration Tips
 ==============
 
-1. **Search and Replace**:
+1. **Session Identify**:
+
+   If you used ``'identify' => true`` on ``SessionAuthenticator``, switch to
+   ``PrimaryKeySessionAuthenticator`` which always fetches fresh data.
+
+2. **Search and Replace**:
 
    - ``AbstractIdentifier::CREDENTIAL_`` → ``PasswordIdentifier::CREDENTIAL_``
    - ``IdentifierCollection`` → ``IdentifierFactory``
    - ``'Authentication.CakeRouter'`` → Remove (no longer needed, default is now CakePHP-based)
    - ``CakeRouterUrlChecker`` → ``DefaultUrlChecker``
    - Old 3.x ``DefaultUrlChecker`` → ``StringUrlChecker``
 
-2. **String URL Checking**:
+3. **String URL Checking**:
 
    If you want to use string-only URL checking, explicitly configure
    ``StringUrlChecker``:
@@ -298,17 +325,17 @@ Migration Tips
            'loginUrl' => '/users/login',
        ]);
 
-3. **Multiple Login URLs**:
+4. **Multiple Login URLs**:
 
    If you have multiple login URLs, add ``'urlChecker' => 'Authentication.Multi'``
    to your authenticator configuration.
 
-4. **Custom Identifier Setup**:
+5. **Custom Identifier Setup**:
 
    If you were passing ``IdentifierCollection`` to authenticators, switch to
    either passing a single identifier or null (to use defaults).
 
-5. **Test Thoroughly**:
+6. **Test Thoroughly**:
 
    The changes to identifier management and URL checking are significant.
    Test all authentication flows after upgrading.

docs/es/authenticators.rst

@@ -18,13 +18,8 @@ Opciones de configuración:
 
 -  **sessionKey**: Key para los datos de usuario, por defecto es
    ``Auth``
--  **identify**: Establezca esta key con un valor ``true`` para permitir la verificación de las
-   credenciales de sesión con los identificadores. Cuando es ``true``, los
-   :doc:`/identifiers` configurados se utilizan para identificar al usuario utilizando los datos
-   almacenados en la sesión en cada request. El valor predeterminado es ``false``.
 -  **fields**: Permite mapear el campo ``username`` al identificador único
-   en su almacenamiento de usuario. Por defecto es ``username``. Esta opción se utiliza cuando
-   la opción ``identify`` se establece en verdadero.
+   en su almacenamiento de usuario. Por defecto es ``username``.
 
 Form
 ====

docs/fr/authenticators.rst

@@ -19,16 +19,9 @@ Les options de configuration:
 
 -  **sessionKey**: La clé de session pour les données de l'utilisateur, par
    défaut ``Auth``.
--  **identify**: Définissez cette clé avec la valeur booléenne ``true`` pour
-   activer la confrontation des identifiants utilisateur contenus dans la
-   session avec les identificateurs (*identifiers*). Lorsque que la valeur est
-   ``true``, les :doc:`/identifiers` configurés sont utilisés à chaque requête
-   pour identifier l'utilisateur à partir des informations stockées en session.
-   La valeur par défaut est ``false``.
 -  **fields**: Vous permet de mapper le champ ``username`` à l'identifiant
    unique dans votre système de stockage des utilisateurs. Vaut ``username`` par
-   défaut. Cette option est utilisée quand l'option ``identify`` est définie à
-   *true*.
+   défaut.
 
 Form
 ====

docs/ja/authenticators.rst

@@ -14,13 +14,8 @@ Authenticatorは、リクエストを認証操作に変換する処理を行い
 設定オプション:
 
 -  **sessionKey**: ユーザーのセッションキー, デフォルトは ``Auth``
--  **identify**:  bool ``true`` の値を指定してこのキーを設定すると、
-   セッションの認証情報を識別子と照合できるようになります。
-   ``true`` の場合、設定された :doc:`/identifiers` はリクエストのたびにセッションに
-   保存されたデータを使ってユーザを識別するために使われます。デフォルト値は ``false``.
 -  **fields**: ``username`` フィールドをユーザストレージ内の一意の識別しに写像することができます。
    デフォルトは ``username`` です。
-   このオプションは ``identify`` オプションが true に設定されている場合に使用されます.
 
 `Form`
 =========

src/Authenticator/PrimaryKeySessionAuthenticator.php

@@ -53,7 +53,6 @@ class PrimaryKeySessionAuthenticator extends SessionAuthenticator
         'fields' => [],
         'sessionKey' => 'Auth',
         'impersonateSessionKey' => 'AuthImpersonate',
-        'identify' => false,
         'identityAttribute' => 'identity',
         'identifierKey' => 'key',
         'idField' => 'id',
@@ -167,7 +166,6 @@ public function impersonate(
         }
         $session->write($impersonateSessionKey, $impersonator[$this->getConfig('idField')]);
         $session->write($sessionKey, $impersonated[$this->getConfig('idField')]);
-        $this->setConfig('identify', true);
 
         return [
             'request' => $request,

src/Authenticator/SessionAuthenticator.php

@@ -33,9 +33,6 @@ class SessionAuthenticator extends AbstractAuthenticator implements PersistenceI
      * Default config for this object.
      * - `fields` The fields to use to verify a user by.
      * - `sessionKey` Session key.
-     * - `identify` Whether to identify user data stored in a session. This is
-     *   useful if you want to remotely end sessions that have a different password stored,
-     *   or if your identification logic needs additional conditions before a user can login.
      *
      * @var array
      */
@@ -45,7 +42,6 @@ class SessionAuthenticator extends AbstractAuthenticator implements PersistenceI
         ],
         'sessionKey' => 'Auth',
         'impersonateSessionKey' => 'AuthImpersonate',
-        'identify' => false,
         'identityAttribute' => 'identity',
     ];
 
@@ -85,18 +81,6 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
         }
 
-        if ($this->getConfig('identify') === true) {
-            $credentials = [];
-            foreach ($this->getConfig('fields') as $key => $field) {
-                $credentials[$key] = $user[$field];
-            }
-            $user = $this->getIdentifier()->identify($credentials);
-
-            if (!$user) {
-                return new Result(null, Result::FAILURE_CREDENTIALS_INVALID);
-            }
-        }
-
         if (!($user instanceof ArrayAccess)) {
             $user = new ArrayObject($user);
         }
@@ -168,7 +152,6 @@ public function impersonate(
         }
         $session->write($impersonateSessionKey, $impersonator);
         $session->write($sessionKey, $impersonated);
-        $this->setConfig('identify', true);
 
         return [
             'request' => $request,
@@ -193,7 +176,6 @@ public function stopImpersonating(ServerRequestInterface $request, ResponseInter
             $identity = $session->read($impersonateSessionKey);
             $session->delete($impersonateSessionKey);
             $session->write($sessionKey, $identity);
-            $this->setConfig('identify', true);
         }
 
         return [

tests/TestCase/AuthenticationServiceTest.php

@@ -30,7 +30,6 @@
 use Cake\Http\Response;
 use Cake\Http\ServerRequest;
 use Cake\Http\ServerRequestFactory;
-use Cake\I18n\DateTime;
 use Cake\Routing\Router;
 use InvalidArgumentException;
 use PHPUnit\Framework\Attributes\AllowMockObjectsWithoutExpectations;
@@ -166,56 +165,6 @@ public function testAuthenticateWithChallengeDisabled()
         $this->assertFalse($result->isValid());
     }
 
-    /**
-     * Integration test for session auth + identify always getting a fresh user record.
-     *
-     * @return void
-     */
-    public function testAuthenticationWithSessionIdentify()
-    {
-        $users = $this->fetchTable('Users');
-        $user = $users->get(1);
-
-        $request = ServerRequestFactory::fromGlobals([
-            'SERVER_NAME' => 'example.com',
-            'REQUEST_URI' => '/testpath',
-        ]);
-        $request->getSession()->write('Auth', [
-            'username' => $user->username,
-            'password' => $user->password,
-        ]);
-
-        $factory = function () {
-            return new AuthenticationService([
-                'authenticators' => [
-                    'Authentication.Session' => [
-                        'identify' => true,
-                        'identifier' => 'Authentication.Password',
-                    ],
-                ],
-            ]);
-        };
-        $service = $factory();
-        $result = $service->authenticate($request);
-        $this->assertTrue($result->isValid());
-
-        $dateValue = new DateTime('2022-01-01 10:11:12');
-        $identity = $result->getData();
-        $this->assertEquals($identity->username, $user->username);
-        $this->assertNotEquals($identity->created, $dateValue);
-
-        // Update the user so that we can ensure session is reading from the db.
-        $user->created = $dateValue;
-        $users->saveOrFail($user);
-
-        $service = $factory();
-        $result = $service->authenticate($request);
-        $this->assertTrue($result->isValid());
-        $identity = $result->getData();
-        $this->assertEquals($identity->username, $user->username);
-        $this->assertEquals($identity->created, $dateValue);
-    }
-
     /**
      * testLoadAuthenticatorException
      */

tests/TestCase/Authenticator/SessionAuthenticatorTest.php

@@ -197,62 +197,6 @@ public function testAuthenticateFailure()
         $this->assertSame(Result::FAILURE_IDENTITY_NOT_FOUND, $result->getStatus());
     }
 
-    /**
-     * Test successful session data verification by database lookup
-     *
-     * @return void
-     */
-    public function testVerifyByDatabaseSuccess()
-    {
-        $request = ServerRequestFactory::fromGlobals(['REQUEST_URI' => '/']);
-
-        $this->sessionMock->expects($this->once())
-            ->method('read')
-            ->with('Auth')
-            ->willReturn([
-                'username' => 'mariano',
-                'password' => 'h45h',
-            ]);
-
-        $request = $request->withAttribute('session', $this->sessionMock);
-
-        $authenticator = new SessionAuthenticator($this->identifier, [
-            'identify' => true,
-        ]);
-        $result = $authenticator->authenticate($request);
-
-        $this->assertInstanceOf(Result::class, $result);
-        $this->assertSame(Result::SUCCESS, $result->getStatus());
-    }
-
-    /**
-     * Test session data verification by database lookup failure
-     *
-     * @return void
-     */
-    public function testVerifyByDatabaseFailure()
-    {
-        $request = ServerRequestFactory::fromGlobals(['REQUEST_URI' => '/']);
-
-        $this->sessionMock->expects($this->once())
-            ->method('read')
-            ->with('Auth')
-            ->willReturn([
-                'username' => 'does-not',
-                'password' => 'exist',
-            ]);
-
-        $request = $request->withAttribute('session', $this->sessionMock);
-
-        $authenticator = new SessionAuthenticator($this->identifier, [
-            'identify' => true,
-        ]);
-        $result = $authenticator->authenticate($request);
-
-        $this->assertInstanceOf(Result::class, $result);
-        $this->assertSame(Result::FAILURE_CREDENTIALS_INVALID, $result->getStatus());
-    }
-
     /**
      * testPersistIdentity
      *