mod_authentication

This module contains the main Zotonic authentication mechanism. It contains the logon and logoff controllers, and implements the various hooks as described in the Access control manual.

Configuration keys:

mod_authentication.password_min_length

The minimum length of passwords. Defaults to 8; set this to an integer value.

mod_authentication.is_rememberme

Set this to 1 to check the remember me checkbox by default.

mod_authentication.is_one_step_logon

Normally a two-step logon is used: first the username is requested, then the password. In between, the server checks the username and can show alternative authentication methods based on it. Set this to 1 to show the username and password fields at once and to disable the display of alternative authentication methods.

mod_authentication.is_signup_confirm

Set to 1 to force user confirmation of new accounts. This is useful when using 3rd party authentication services: if a new identity is found then a new account is automatically added. With this option set the user is asked whether they want to create a new account, which prevents duplicate accounts when using multiple authentication methods.

mod_authentication.reset_token_maxage

The maximum age of the emailed reset token in seconds. Defaults to 48 hours (172800 seconds). This must be an integer value.

mod_authentication.email_reminder_if_nomatch

On the password reset form, a user can enter their email address to receive an email for resetting their password. If a user enters an email address that is not connected to an active account then no email is sent. If this option is set to 1 then an email is sent anyway. This prevents the user from waiting for an email that never arrives, but enables sending emails to arbitrary addresses.

mod_authentication.auth_secret

The secret used to sign authentication cookies. This secret is automatically generated. Changing this secret will invalidate all authentication cookies.

mod_authentication.auth_anon_secret

The secret to sign authentication cookies for the anonymous user. This secret is automatically generated. Changing this secret will invalidate all authentication cookies for anonymous users.

mod_authentication.auth_user_secret

The secret used to sign authentication cookies for identified users if there is no database to store individual secrets.

mod_authentication.auth_autologon_secret

The secret to sign remember me cookies. This secret is automatically generated. Changing this secret will invalidate all remember me cookies for all users.

Related configurations:

site.password_force_different

Set to 1 to force a user to pick a different password when they reset their password.

site.ip_allowlist

If the admin password is set to admin then logon as admin is only allowed from local IP addresses. This configuration overrules the ip_allowlist global configuration and enables other IP addresses to log in as admin if the password is set to admin.

Accepted Events

This module handles the following notifier callbacks:

  • observe_admin_menu: Contribute module entries to the admin menu tree.

  • observe_auth_client_logon_user: Send a request to the client to login a user using z_context:client_topic.

  • observe_auth_client_switch_user: Send a request to the client to switch users using z_acl:sudo_user.

  • observe_auth_options_update: Merge allowed external-auth options into the logon context for templates and handlers.

  • observe_auth_validated: Match validated external identities to local users and trigger signup or logon continuation.

  • observe_logon_options: Normalize and enrich logon options before authentication starts.

  • observe_logon_submit: Check username/password against the identity tables using m_identity:check_username_pw.

  • observe_request_context: Check for authentication cookies in the request using z_context:get.

  • observe_tick_1h: Remove stale authentication and logon-history records in hourly maintenance.

Delegate callbacks:

  • event/2 with postback messages: close_all_sessions.

  • event/2 with submit messages: signup_confirm.


Models

authentication

Model for authentication state and login support checks, including password authentication flow helpers and reminder…

Controllers

controller_authentication

This controller manages all authentication cookies. It is called by the auth model in the browser.

controller_logoff

Controller that logs off a user, destroying the session. It also removes any “remember me” cookies the user has, so…

controller_logon_done

This controller is used as a jumping stone after a log on from the /logon page. The p argument is passed from the…

Dispatch rules

dispatch

Dispatch rules:

  Name     Path         Resource              Args
  logoff   [“logoff”]   controller_logoff     []
  logon    [“logon”]    controller_template…

Actions

Validators

acceptable_password

A validator to check whether a password conforms to the password security requirements.

See also

identity

The m_identity model manages usernames and other user identities. mod_authentication uses it to store and check salted…

Referred by

Customizing the sign up and sign in form

You want to change parts of the form, or change its appearance.

identity

The m_identity model manages usernames and other user identities. mod_authentication uses it to store and check salted…

All dispatch rules

All the dispatch rules from all modules. For a background on dispatch rules, see The URL dispatch system.