Releases: Authwave/php-client
Localhost fake login
What's Changed
- Localhost fake login - not needing to have the provider server running while testing locally
- Querystrings are preserved during login
- Log out via remote provider by @g105b in #9
Full Changelog: v0.2.0...v0.3.0
Introduction of App ID
Authwave/provider now creates an application ID for each application that uses a friendly name to identify the application to developers and the provider itself.
This follows on from issue #5, allowing local development against an existing application without having to hard-code any values or change settings within the live application during development. From the provider, you can create development keys that will redirect to different hostnames such as localhost.
Full test coverage
This patch pre-release increases the test coverage to 100%, which is a good starting point for the project.
Sessions containing user data are automatically handled in the construction of the Authenticator class. New logins are sent to the remote provider, with the correct encrypted request ciphers. Logins are automatically completed when returning from the remote provider, correctly decrypting response ciphers.
From now on, there are no new features planned before the v1 release is made, which is expected to be within a week, while work is done on Authwave/provider.
Data persistence
This minor pre-release takes steps towards persisting the data to the session. The session can be the default PHP $_SESSION superglobal, or any class that implements the SessionContainer interface, as supplied by PHP.Gt/Session.
Using an object-oriented session handler allows developers to encapsulate the session data from the rest of their application and third party dependencies, which is really important for writing secure applications.
The login flow is started in this release, redirecting the user agent to the remote Authwave provider.
Authenticator class
The Authenticator class is the main part of the client library. This patch pre-release introduces the use of Token and InitVector classes.
Integration has been made with PHP.Gt/Session to allow for any object-oriented session handler to be used, which allows for encapsulated session data storage. The decision has been made to design this library to still work with the standard PHP $_SESSION superglobal, which is especially useful for helping to learn how Authwave works.
OpenSSL development
In this patch pre-release we see the introduction of OpenSSL, which is used on the provider and client to transport user data securely.
The AuthURI class implements the PSR-7 UriInterface, and is separated from the IV which must be passed to the provider. In future development the IV may be extracted into a request and response IV, or shared/secret.
Initial functionality
The design of the API has been decided upon after much experimentation. The next few releases will be to bring the API to full functionality.
The continuous integration is set up to work with GitHub Actions, which has had a stable release for a while now but still seems to have some room for growth.
The functionality in this patch pre-release is checking that the main Authenticator class can only be used to authenticate against HTTPS endpoints, unless the endpoint is localhost.
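One way to implement the HTTPS-unless-localhost rule described above, as an added example that is not code from Authwave/php-client. The function name `isAllowedProviderEndpoint` is hypothetical, the sample URIs are constructed, and treating the loopback literals 127.0.0.1 and ::1 the same as localhost is an assumption beyond what the release note states.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of Authwave/php-client): accept a provider
 * endpoint only when it uses HTTPS, or plain HTTP to a loopback host.
 */
function isAllowedProviderEndpoint(string $uri): bool {
	$parts = parse_url($uri);
	// Malformed, relative and scheme-less URIs are rejected outright.
	if ($parts === false || !isset($parts["scheme"], $parts["host"])) {
		return false;
	}

	// Schemes and host names are case-insensitive, so normalise first.
	$scheme = strtolower($parts["scheme"]);
	if ($scheme === "https") {
		return true;
	}
	if ($scheme !== "http") {
		return false;
	}

	// Compare the whole parsed host, never a prefix or substring of the
	// URI: "localhost.example.com" and "localhost@example.com" are remote.
	// Assumption: loopback IP literals count as localhost too.
	$host = rtrim(strtolower($parts["host"]), ".");
	return in_array($host, ["localhost", "127.0.0.1", "[::1]"], true);
}

// Constructed sample endpoints, covering the edge cases named above.
$samples = [
	"https://login.example.com/",
	"http://localhost:8080/",
	"HTTP://LOCALHOST/",
	"http://[::1]:8080/",
	"http://login.example.com/",
	"http://localhost.example.com/",
	"http://localhost@example.com/",
	"//localhost/",
	"ftp://localhost/",
];
foreach ($samples as $uri) {
	$verdict = isAllowedProviderEndpoint($uri) ? "allowed" : "rejected";
	printf("%-32s %s\n", $uri, $verdict);
}
```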