Authentication

The authentication system follows Clean Architecture and CQRS principles, providing clear separation of concerns and testability.

Authentication Flow

Login

  1. Controller dispatches AuthenticateUserCommand
  2. Handler verifies credentials via PasswordHasherInterface
  3. Handler dispatches UserAuthenticatedEvent
  4. Event listener sets user ID in session
  5. Redirect to protected area

Logout

  1. Controller dispatches LogoutUserCommand
  2. Handler dispatches UserLogoutEvent
  3. Event listener clears session
  4. Redirect to login page

Session Service

The SessionServiceInterface centralizes session management:

$this->sessionService->setCurrentUserId($user->id());
$this->sessionService->addFlashMessage('success', 'Welcome back!');

User Context Middleware

The UserContextMiddleware adds user information to request attributes:

$isAuthenticated = $request->getAttribute('is_authenticated', false);
$userId = $request->getAttribute('user_id');
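The middleware itself is not shown on the page, so here is an added example of what a PSR-15 UserContextMiddleware in that shape looks like, followed by a guard middleware that consumes the attributes. This is not the project's code: the class names, the getCurrentUserId() method on SessionServiceInterface and the use of the PSR-7/PSR-15/PSR-17 interfaces are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own middleware. Assumes the PSR-7, PSR-15
// and PSR-17 interfaces are installed and that SessionServiceInterface exposes
// a getCurrentUserId(): ?int method (assumed name).

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

final class UserContextMiddleware implements MiddlewareInterface
{
    public function __construct(private SessionServiceInterface $sessionService)
    {
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // The server-side session is the only source of identity. Nothing the
        // client sent (headers, query string, body) is consulted, so a request
        // cannot claim a user ID for itself.
        $userId = $this->sessionService->getCurrentUserId();

        $request = $request
            ->withAttribute('is_authenticated', $userId !== null)
            ->withAttribute('user_id', $userId);

        return $handler->handle($request);
    }
}

// Companion middleware for protected routes: deny by default, so a route that
// forgets to check the attribute still does not leak.
final class RequireAuthenticationMiddleware implements MiddlewareInterface
{
    public function __construct(
        private ResponseFactoryInterface $responses,
        private string $loginPath = '/login',
    ) {
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Default to false: a missing attribute means "not authenticated".
        $isAuthenticated = $request->getAttribute('is_authenticated', false);

        if ($isAuthenticated !== true) {
            return $this->responses->createResponse(302)
                ->withHeader('Location', $this->loginPath);
        }

        return $handler->handle($request);
    }
}
```

UserContextMiddleware must run before RequireAuthenticationMiddleware in the pipeline; the guard reads only the attribute, never the session directly, so every route sees one consistent notion of "current user".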

Security Best Practices

Password Handling

The Password Hasher plugin handles secure hashing:

$hashedPassword = $passwordHasher->hash($plainPassword);
$isValid = $passwordHasher->verify($plainPassword, $hashedPassword);
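The page names the two methods of PasswordHasherInterface but not an implementation. The following added example (not the Password Hasher plugin's code) shows one implementation on top of PHP's native password_hash()/password_verify(), plus a needsRehash() method so hashes can be upgraded at login when the algorithm or cost changes. The class name, the needsRehash() method and the length limit are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's Password Hasher plugin. hash() and verify()
// follow the interface the page shows; needsRehash() and NativePasswordHasher
// are assumed names.

interface PasswordHasherInterface
{
    public function hash(string $plainPassword): string;

    public function verify(string $plainPassword, string $hashedPassword): bool;
}

final class NativePasswordHasher implements PasswordHasherInterface
{
    // Upper bound on input size so a client cannot make the server spend the
    // full hashing cost on a multi-megabyte "password" (assumed value).
    private const MAX_BYTES = 4096;

    private string $algo;

    public function __construct()
    {
        // Prefer Argon2id when this PHP build has it; otherwise PASSWORD_DEFAULT
        // (bcrypt) is still an acceptable choice.
        $this->algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    }

    public function hash(string $plainPassword): string
    {
        $this->guard($plainPassword);

        return password_hash($plainPassword, $this->algo);
    }

    public function verify(string $plainPassword, string $hashedPassword): bool
    {
        if (strlen($plainPassword) > self::MAX_BYTES) {
            return false;
        }

        // password_verify() handles the salt and parameters embedded in the
        // hash and compares in constant time.
        return password_verify($plainPassword, $hashedPassword);
    }

    // Call after a successful verify(): if true, re-hash the plaintext you just
    // verified and store the new hash, so old hashes migrate transparently.
    public function needsRehash(string $hashedPassword): bool
    {
        return password_needs_rehash($hashedPassword, $this->algo);
    }

    private function guard(string $plainPassword): void
    {
        if (strlen($plainPassword) > self::MAX_BYTES) {
            throw new InvalidArgumentException('Password exceeds maximum length');
        }

        // bcrypt silently ignores everything after 72 bytes; refuse rather than
        // store a hash that covers only part of the secret.
        if ($this->algo === PASSWORD_BCRYPT && strlen($plainPassword) > 72) {
            throw new InvalidArgumentException('Password too long for bcrypt');
        }
    }
}
```

The byte limit in verify() returns false instead of throwing because the verify path should fail exactly like a wrong password; only hash(), which runs on registration or password change, reports the reason.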

Session Protection

  • Regenerate session ID after authentication
  • Use HttpOnly cookies (the session cookie is not readable from JavaScript, so an XSS bug cannot read it)
  • Use SameSite=Lax (basic CSRF protection)
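The three points above map directly onto PHP's native session API. The following added example (not the project's SessionServiceInterface implementation) shows the cookie settings, the ID regeneration on login and a logout that clears both server and client state. The function names are assumptions; the Secure flag and strict mode are included as additions to the page's list.

```php
<?php
declare(strict_types=1);

// Added example, not the project's session service. Function names are assumed.

// Must be called before session_start().
function configureSessionCookie(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // expires when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => $https,   // only sent over HTTPS (not in the page's list; recommended)
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs: basic CSRF protection
    ]);

    // Only accept session IDs the server issued; a made-up ID starts a fresh
    // session instead of being adopted (closes session fixation via cookies).
    ini_set('session.use_strict_mode', '1');
    // Never read the session ID from the URL.
    ini_set('session.use_only_cookies', '1');
}

// What the UserAuthenticatedEvent listener should do.
function loginSession(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Regenerate after the privilege change so an ID observed or planted
    // before login is worthless afterwards; true discards the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// What the UserLogoutEvent listener should do.
function logoutSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $_SESSION = [];

    // Expire the cookie in the browser as well as destroying the server copy.
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);

    session_destroy();
}
```

Regenerating the ID on login is the step most often skipped; without it an attacker who can set a cookie on the victim's browser before login (session fixation) ends up sharing the authenticated session.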

Error Messages

Generic messages prevent user enumeration:

throw new InvalidCredentialsException('Invalid email or password');
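A generic message is only half of the enumeration defence: if the handler returns early when the email is unknown and only runs the hasher when it is known, response timing still reveals which accounts exist. The following added example ties the login flow described above to this section. It is not the project's handler; AuthenticateUserCommand, PasswordHasherInterface, UserAuthenticatedEvent and InvalidCredentialsException are the page's names, while the repository, dispatcher and accessor method names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's handler. UserRepositoryInterface,
// EventDispatcherInterface (PSR-14 shape), findByEmail(), passwordHash(),
// email() and password() are assumed names.

final class AuthenticateUserHandler
{
    // A real hash of a random throwaway secret, computed once. When no user
    // matches, verify() runs against this so the unknown-email path performs
    // the same hash computation as the wrong-password path.
    private string $dummyHash;

    public function __construct(
        private UserRepositoryInterface $users,
        private PasswordHasherInterface $passwordHasher,
        private EventDispatcherInterface $events,
    ) {
        $this->dummyHash = $passwordHasher->hash(bin2hex(random_bytes(16)));
    }

    public function handle(AuthenticateUserCommand $command): void
    {
        $user = $this->users->findByEmail($command->email()); // ?User

        // Always verify, even when $user is null.
        $storedHash = $user?->passwordHash() ?? $this->dummyHash;
        $valid = $this->passwordHasher->verify($command->password(), $storedHash);

        if ($user === null || !$valid) {
            // One exception and one message for every failure reason. Record the
            // failed attempt server-side (for rate limiting and detection); the
            // client learns nothing beyond "it did not work".
            throw new InvalidCredentialsException('Invalid email or password');
        }

        // Success: the listener for this event stores the user ID in the
        // session and should regenerate the session ID at the same point.
        $this->events->dispatch(new UserAuthenticatedEvent($user->id()));
    }
}
```

The same rule applies to registration and password-reset endpoints: "an email has been sent if that address is registered" rather than "no account with that email".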

See Also