FormAuthenticator::_checkLoginUrl() fails when accessing alternative route about authentication HOT 10 CLOSED

I think you would have to compare array values as well.

from authentication.

@markstory exactly my thought but then it is required that you run the routing middleware before authentication. But this brings up a problem if we want to do authorization against routes. authorization requires the identity.

from authentication.

Couldn't the 'loginAction' be defined as a string URL if people have multiple possible routes a login page can be reached at?

from authentication.

We would always require a string then and turn the URI from the request also into an array and then compare them. Or am I missing something? If not I'll do the change.

from authentication.

That sounds like it should work to me.

from authentication.

@markstory does that look OK?

    protected function _checkLoginUrl(ServerRequestInterface $request)
    {
        $loginUrl = $this->getConfig('loginUrl');

        if (!empty($loginUrl)) {
            $requestUrl = Router::parseRequest($request);

            if (is_string($loginUrl)) {
                $loginUrl = Router::parseRequest((new ServerRequest([
                    'uri' => $loginUrl
                ])));
                $this->setConfig('loginUrl', $loginUrl);
            }

            $keysToCompare = array_keys($loginUrl);

            foreach ($keysToCompare as $key) {
                if (!array_key_exists($key, $requestUrl)
                    || $requestUrl[$key] !== $loginUrl[$key]
                ) {
                    return false;
                }
            }

        }

        return true;
    }

from authentication.

You could use Hash::diff or array_key_diff() to check the difference between the two URL arrays.

from authentication.

@markstory I've pushed the code to the branch bug/check-login-url there is an issue with the routing it seems, I'm not sure if we simply want to match against the URL it has generated in this case. Would you mind to look at the code?

from authentication.

Sure, I'll try to take a look in the next few days.

from authentication.

Closing as #146 covers this.

from authentication.