Merge branch '3.x' into 4.x

- Use lazy identifier initialization in getIdentifier() (3.x approach)
- Add AuthenticationPlugin as main plugin class, Plugin as deprecated alias
- Add redirect validation feature from 3.x
- Update all authenticators to use getIdentifier() instead of direct property access

Author: dereuromark

.github/workflows/deploy_docs_2x.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/deploy_docs_3x.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

docs/en/index.rst

@@ -256,6 +256,7 @@ Further Reading
 * :doc:`/authentication-component`
 * :doc:`/impersonation`
 * :doc:`/url-checkers`
+* :doc:`/redirect-validation`
 * :doc:`/testing`
 * :doc:`/view-helper`
 * :doc:`/migration-from-the-authcomponent`

docs/en/migration-from-the-authcomponent.rst

@@ -263,7 +263,8 @@ this exception into a redirect using the ``unauthenticatedRedirect``
 when configuring the ``AuthenticationService``.
 
 You can also pass the current request target URI as a query parameter
-using the ``queryParam`` option::
+using the ``queryParam`` option. Note that the redirect parameter is only
+appended for GET requests to prevent redirecting to non-GET actions after login::
 
    // In the getAuthenticationService() method of your src/Application.php
 
@@ -308,8 +309,9 @@ leveraging the ``AuthenticationService``::
        if ($result->isValid()) {
            $authService = $this->Authentication->getAuthenticationService();
 
-           // Assuming you are using the `Password` identifier.
-           if ($authService->identifiers()->get('Password')->needsPasswordRehash()) {
+           // Get the identifier that was used for authentication.
+           $identifier = $authService->getIdentificationProvider();
+           if ($identifier !== null && $identifier->needsPasswordRehash()) {
                // Rehash happens on save.
                $user = $this->Users->get($this->Authentication->getIdentityData('id'));
                $user->password = $this->request->getData('password');

docs/en/redirect-validation.rst

@@ -0,0 +1,187 @@
+Redirect Validation
+###################
+
+The Authentication plugin provides optional redirect validation to prevent redirect loop attacks
+and malicious redirect patterns that could be exploited by bots or attackers.
+
+.. _security-redirect-loops:
+
+Preventing Redirect Loops
+==========================
+
+By default, the authentication service does not validate redirect URLs beyond checking that they
+are relative (not external). This means that malicious actors or misconfigured bots could create
+deeply nested redirect chains like:
+
+.. code-block:: text
+
+    /login?redirect=/login?redirect=/login?redirect=/protected/page
+
+These nested redirects can waste server resources, pollute logs, and potentially enable security
+exploits.
+
+Enabling Redirect Validation
+=============================
+
+To enable redirect validation, configure the ``redirectValidation`` option in your
+``AuthenticationService``:
+
+.. code-block:: php
+
+    // In src/Application.php getAuthenticationService() method
+    $service = new AuthenticationService();
+    $service->setConfig([
+        'unauthenticatedRedirect' => '/users/login',
+        'queryParam' => 'redirect',
+        'redirectValidation' => [
+            'enabled' => true,  // Enable validation (default: false)
+        ],
+    ]);
+
+Configuration Options
+=====================
+
+The ``redirectValidation`` configuration accepts the following options:
+
+enabled
+    **Type:** ``bool`` | **Default:** ``false``
+
+    Whether to enable redirect validation. Disabled by default for backward compatibility.
+
+maxDepth
+    **Type:** ``int`` | **Default:** ``1``
+
+    Maximum number of nested redirect parameters allowed. For example, with ``maxDepth`` set to 1,
+    ``/login?redirect=/articles`` is valid, but ``/login?redirect=/login?redirect=/articles`` is blocked.
+
+maxEncodingLevels
+    **Type:** ``int`` | **Default:** ``1``
+
+    Maximum URL encoding levels allowed. This prevents obfuscation attacks using double or triple
+    encoding (e.g., ``%252F`` for double-encoded ``/``).
+
+maxLength
+    **Type:** ``int`` | **Default:** ``2000``
+
+    Maximum allowed length of the redirect URL in characters. This helps prevent DOS attacks
+    via excessively long URLs.
+
+Example Configuration
+=====================
+
+Here's a complete example with custom configuration:
+
+.. code-block:: php
+
+    $service = new AuthenticationService();
+    $service->setConfig([
+        'unauthenticatedRedirect' => '/users/login',
+        'queryParam' => 'redirect',
+        'redirectValidation' => [
+            'enabled' => true,
+            'maxDepth' => 1,
+            'maxEncodingLevels' => 1,
+            'maxLength' => 2000,
+        ],
+    ]);
+
+How Validation Works
+====================
+
+When redirect validation is enabled and a redirect URL fails validation, ``getLoginRedirect()``
+will return ``null`` instead of the invalid URL. Your application should handle this by
+redirecting to a default location:
+
+.. code-block:: php
+
+    // In your controller
+    $target = $this->Authentication->getLoginRedirect() ?? '/';
+    return $this->redirect($target);
+
+Validation Checks
+=================
+
+The validation performs the following checks in order:
+
+1. **Redirect Depth**: Counts occurrences of ``redirect=`` in the decoded URL
+2. **Encoding Level**: Counts occurrences of ``%25`` (percent-encoded percent sign)
+3. **URL Length**: Checks total character count
+
+If any check fails, the URL is rejected.
+
+Custom Validation
+=================
+
+You can extend ``AuthenticationService`` and override the ``validateRedirect()`` method
+to implement custom validation logic, such as blocking specific URL patterns:
+
+.. code-block:: php
+
+    namespace App\Auth;
+
+    use Authentication\AuthenticationService;
+
+    class CustomAuthenticationService extends AuthenticationService
+    {
+        protected function validateRedirect(string $redirect): ?string
+        {
+            // Call parent validation first
+            $redirect = parent::validateRedirect($redirect);
+
+            if ($redirect === null) {
+                return null;
+            }
+
+            // Add your custom validation
+            // Example: Block redirects to authentication pages
+            if (preg_match('#/(login|logout|register)#i', $redirect)) {
+                return null;
+            }
+
+            // Example: Block redirects to admin areas
+            if (str_contains($redirect, '/admin')) {
+                return null;
+            }
+
+            return $redirect;
+        }
+    }
+
+Backward Compatibility
+======================
+
+Redirect validation is **disabled by default** to maintain backward compatibility with existing
+applications. To enable it, explicitly set ``'enabled' => true`` in the configuration.
+
+Security Considerations
+=======================
+
+While redirect validation helps prevent common attacks, it should be part of a comprehensive
+security strategy that includes:
+
+* Rate limiting to prevent bot abuse
+* Monitoring and logging of blocked redirects
+* Regular security audits
+* Keeping the Authentication plugin up to date
+
+Real-World Attack Example
+=========================
+
+In production environments, bots (especially AI crawlers like GPTBot) have been observed
+creating redirect chains with 6-7 levels of nesting:
+
+.. code-block:: text
+
+    /login?redirect=%2Flogin%3Fredirect%3D%252Flogin%253Fredirect%253D...
+
+Enabling redirect validation prevents these attacks and protects your application from:
+
+* Resource exhaustion (CPU wasted parsing deeply nested URLs)
+* Log pollution (malformed URLs flooding access logs)
+* SEO damage (search engines indexing login pages with loops)
+* Potential security exploits when combined with other vulnerabilities
+
+For more information on redirect attacks, see:
+
+* `OWASP: Unvalidated Redirects and Forwards <https://owasp.org/www-community/attacks/Unvalidated_Redirects_and_Forwards>`_
+* `CWE-601: URL Redirection to Untrusted Site <https://cwe.mitre.org/data/definitions/601.html>`_

docs/fr/migration-from-the-authcomponent.rst

@@ -257,7 +257,9 @@ pouvez convertir cette exception en redirection en utilisant
 l'\ ``AuthenticationService``.
 
 Vous pouvez aussi passer l'URI ciblée par la requête en cours en tant que
-paramètre dans la query string de la redirection avec l'option ``queryParam``::
+paramètre dans la query string de la redirection avec l'option ``queryParam``.
+Notez que le paramètre de redirection n'est ajouté que pour les requêtes GET afin
+d'éviter de rediriger vers des actions non-GET après la connexion::
 
    // Dans la méthode getAuthenticationService() de votre src/Application.php
 
@@ -303,8 +305,9 @@ parti de l'\ ``AuthenticationService``::
        if ($result->isValid()) {
            $authService = $this->Authentication->getAuthenticationService();
 
-           // En supposant que vous utilisez l'identificateur `Password`.
-           if ($authService->identifiers()->get('Password')->needsPasswordRehash()) {
+           // Obtenir l'identificateur qui a été utilisé pour l'authentification.
+           $identifier = $authService->getIdentificationProvider();
+           if ($identifier !== null && $identifier->needsPasswordRehash()) {
                // Le re-hachage se produit lors de la sauvegarde.
                $user = $this->Users->get($this->Authentication->getIdentityData('id'));
                $user->password = $this->request->getData('password');

docs/ja/migration-from-the-authcomponent.rst

@@ -229,7 +229,8 @@ this exception into a redirect using the ``unauthenticatedRedirect``
 when configuring the ``AuthenticationService``.
 
 You can also pass the current request target URI as a query parameter
-using the ``queryParam`` option::
+using the ``queryParam`` option. Note that the redirect parameter is only
+appended for GET requests to prevent redirecting to non-GET actions after login::
 
    // In the getAuthenticationService() method of your src/Application.php
 
@@ -273,8 +274,9 @@ using the ``queryParam`` option::
        if ($result->isValid()) {
            $authService = $this->Authentication->getAuthenticationService();
 
-           // 識別子に `Password` を使用していると仮定します。
-           if ($authService->identifiers()->get('Password')->needsPasswordRehash()) {
+           // 認証に使用された識別子を取得します。
+           $identifier = $authService->getIdentificationProvider();
+           if ($identifier !== null && $identifier->needsPasswordRehash()) {
                // セーブ時にリハッシュが発生します。
                $user = $this->Users->get($this->Authentication->getIdentityData('id'));
                $user->password = $this->request->getData('password');

src/AuthenticationPlugin.php

@@ -0,0 +1,45 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * CakePHP(tm) : Rapid Development Framework (https://cakephp.org)
+ * Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
+ *
+ * Licensed under The MIT License
+ * Redistributions of files must retain the above copyright notice.
+ *
+ * @copyright     Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
+ * @link          https://cakephp.org CakePHP(tm) Project
+ * @since         1.0.2
+ * @license       https://www.opensource.org/licenses/mit-license.php MIT License
+ */
+namespace Authentication;
+
+use Cake\Core\BasePlugin;
+
+/**
+ * Plugin class for CakePHP.
+ */
+class AuthenticationPlugin extends BasePlugin
+{
+    /**
+     * Do bootstrapping or not
+     *
+     * @var bool
+     */
+    protected bool $bootstrapEnabled = false;
+
+    /**
+     * Load routes or not
+     *
+     * @var bool
+     */
+    protected bool $routesEnabled = false;
+
+    /**
+     * Console middleware
+     *
+     * @var bool
+     */
+    protected bool $consoleEnabled = false;
+}