Application Security: Controller

The controller that manages the interaction between the Login application module and the AppUserFactory model object is the ApplicationSecurityDelegate. This singleton class is created when an application is installed using the Istarel Workshop Application Framework. As part of that process, several stub methods are built, including those that support login and authentication. I need to modify them to provide actual security.

Partial Listing: rsrc/model/application/ApplicationSecurityDelegate.php

class ApplicationSecurityDelegate
{
   protected $user;

   ...

   function validateLogin($form)
   {
      // If a valid user results from authentication, login is valid
      if ($this->user = AppUserFactory::authenticatedUser($_POST)) return null;

      // Failed validation should result in a field-keyed array of errors
      return array('password' => 'Invalid email address or password');
   }

   function handleSuccessfulLogin()
   {
      // Establish the session
      $this->establishSession();

      // Redirect the user to either his original destination or his home page
      $uri = IWRequest::postValue('uri', null);
      $location = $uri ? base64_decode($uri) : $this->user->home();

      header('Location: ' . $location);
   }

   function establishSession()
   {
      $_SESSION['USER'] = $this->user;
   }
}

The LoginWorkflow calls validateLogin() on the ApplicationSecurityDelegate after the user submits the form presented by the Login application module. If no errors are returned, the LoginWorkflow calls handleSuccessfulLogin(). My version of that method establishes a session with the AppUser object and then redirects the user to the appropriate destination. If validateLogin() returns errors (an associative array whose keys name the form field each error belongs to), the LoginWorkflow uses the Login application module to redisplay the Login form with the error messages.
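Two details of the listing above deserve hardening before it goes into production. establishSession() stores the user without issuing a fresh session id, so a session id that an attacker planted before login stays valid afterwards (session fixation), and handleSuccessfulLogin() sends whatever the posted 'uri' decodes to straight into the Location header, so any absolute URL a visitor was tricked into posting would be followed (an open redirect). The following is an added example, not code from the Istarel Workshop framework or from the original post: it keeps the same three methods and the same calls the page shows (AppUserFactory::authenticatedUser(), IWRequest::postValue(), $this->user->home()), and adds a hypothetical safeRedirectTarget() helper that only accepts a same-site path. Everything beyond the page's own calls is an assumption about how the framework would be used.

```php
<?php
// Added example (not the framework's own code): a hardened
// ApplicationSecurityDelegate. AppUserFactory::authenticatedUser(),
// IWRequest::postValue() and $this->user->home() come from the page;
// safeRedirectTarget() and the regeneration step are assumptions.

class ApplicationSecurityDelegate
{
   protected $user;

   function validateLogin($form)
   {
      // If a valid user results from authentication, login is valid
      if ($this->user = AppUserFactory::authenticatedUser($_POST)) return null;

      // One generic message so the response does not reveal whether the
      // email address exists
      return array('password' => 'Invalid email address or password');
   }

   function handleSuccessfulLogin()
   {
      $this->establishSession();

      // Honour the posted 'uri' only if it decodes to a local path;
      // otherwise fall back to the user's home page
      $uri = IWRequest::postValue('uri', null);
      $location = $this->safeRedirectTarget($uri, $this->user->home());

      header('Location: ' . $location);
      exit; // nothing after a redirect header should keep running
   }

   function establishSession()
   {
      // Issue a new session id at the privilege change so a pre-login
      // id chosen by someone else cannot carry over (session fixation)
      session_regenerate_id(true);
      $_SESSION['USER'] = $this->user;
   }

   // Hypothetical helper: returns the decoded target only when it is a
   // same-site, header-safe path; every other input yields $default
   function safeRedirectTarget($encoded, $default)
   {
      if ($encoded === null || $encoded === '') return $default;

      // Strict mode rejects input that is not valid base64
      $decoded = base64_decode($encoded, true);
      if ($decoded === false) return $default;

      // Must begin with exactly one '/', which refuses 'http://...',
      // '//other.example' and '/\other.example'
      if (!preg_match('#^/(?![/\\\\])#', $decoded)) return $default;

      // No control characters, so CR/LF cannot inject extra headers
      if (preg_match('/[\x00-\x1F\x7F]/', $decoded)) return $default;

      return $decoded;
   }
}
```

With this version a posted 'uri' of the base64 form of "/reports/42" is followed, while the base64 form of "https://other.example/" or "//other.example" silently lands the user on $this->user->home(). Logging the rejected value alongside the user id is a cheap way to spot attempts to abuse the redirect.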