mod_authentication

This module contains the main Zotonic authentication mechanism. It contains the logon and logoff controllers, and implements the various hooks as described in the Access control manual.

Configuration keys:

KeyDescription
mod_authentication.password_min_lengthThe minimum length of passwords. Defaults to 8; set this to an integer value.
mod_authentication.is_remembermeSet this to 1 to check the remember me checkbox per default.
mod_authentication.is_one_step_logonNormally a two-step logon is used, first the username is requested, then the password is requested. In between the server checks the username and is able to show alternative authentication methods based on the username. Set this to 1 to show the username and password field at once, and disable the display of alternative authentication methods.
mod_authentication.is_signup_confirmSet to 1 to force user confirmation of new accounts. This is useful when using 3rd party authentication services. If a new identity is found then a new account is automatically added. With this option set the user will be asked if they want to make a new account. This prevents duplicate accounts when using multiple authentication methods.
mod_authentication.reset_token_maxageThe maximum age of the emailed reset token in seconds. Defaults to 48 hours (172800 seconds). This must be an integer value.
mod_authentication.email_reminder_if_nomatchOn the password reset form, a user can enter their email address for receiving an email to reset their password. If a user enters an email address that is not connected to an active account then we do not send an email. If this option is set to 1 then an email is sent. This prevents the user waiting for an email, but enables sending emails to arbitrary addresses.
mod_authentication.auth_secretThe secret used to sign authentication cookies. This secret is automatically generated. Changing this secret will invalidate all authentication cookies.
mod_authentication.auth_anon_secretThe secret to sign authentication cookies for the anonymous user. This secret is automatically generated. Changing this secret will invalidate all authentication cookies for anonymous users.
mod_authentication.auth_user_secretThe secret to sign authentication cookies for the identified users if there is no database to store individual secrets.
mod_authentication.auth_autologon_secretThe secret to sign remember me cookies. This secret is automatically generated. Changing this secret will invalidate all remember me cookies for all users.

Related configurations:

KeyDescription
site.password_force_differentSet to 1 to force a user picking a different password if they reset their password.
site.ip_allowlistIf the admin password is set to admin then logon is only allowed from local IP addresses. This configuration overrules the ip_allowlist global configuration and enables other IP addresses to login as admin if the password is set to admin.

Accepted Events

This module handles the following notifier callbacks:

  • observe_admin_menu: Contribute module entries to the admin menu tree.

  • observe_auth_client_logon_user: Send a request to the client to login a user using z_context:client_topic.

  • observe_auth_client_switch_user: Send a request to the client to switch users using z_acl:sudo_user.

  • observe_auth_options_update: Merge allowed external-auth options into the logon context for templates and handlers.

  • observe_auth_validated: Match validated external identities to local users and trigger signup or logon continuation.

  • observe_logon_options: Normalize and enrich logon options before authentication starts.

  • observe_logon_submit: Check username/password against the identity tables using m_identity:check_username_pw.

  • observe_m_config_update: Flush the auth_secret depcache key when mod_authentication.auth_secret changes, and flush the auth_anon_secret depcache key when mod_authentication.auth_anon_secret changes.

  • observe_request_context: Check for authentication cookies in the request using z_context:get.

  • observe_tick_1h: Remove stale authentication and logon-history records in hourly maintenance.

Delegate callbacks:

  • event/2 with postback messages: close_all_sessions.

  • event/2 with submit messages: signup_confirm.

Edit on GitHub

Models

authentication

Model for authentication state and login support checks, including password authentication flow helpers and reminder…

Controllers

controller_authentication

This controller manages all authentication cookies. It is called by the auth model in the browser.

controller_logoff

Controller that logs off a user, destroying the session. It also removes any “remember me” cookies the user has, so…

controller_logon_done

This controller is used as a jumping stone after a log on from the /logon page. The p argument is passed from the…

Dispatch rules

dispatch

Dispatch rules Name Path Resource Args logoff [“logoff”] controller_logoff [] logon [“logon”] controller_template…

Actions

auth_disconnect

Todo

Validators

acceptable_password

A validator to check whether a password conforms to the password secutiry requirements.

See also

identity

The m_identity model manages usernames and other user identities. mod_authentication uses it to store and check salted…

Referred by

Customizing the sign up and sign in form

You want to change parts of the form, or change its appearance.

identity

The m_identity model manages usernames and other user identities. mod_authentication uses it to store and check salted…

All dispatch rules

All the dispatch rules from all modules. For a background on dispatch rules, see The URL dispatch system.