Class AuthModel


public class AuthModel extends FormBaseModel
Model for implementing an authentication view.

This model implements the logic for authenticating a user (the "login" interface). It implements traditional username/password registration, and third party identification methods (although for the latter, it doesn't really do anything).

The model exposes three fields:

  • LoginNameField: the login name (used as an identity for the Identity.LoginName provider)
  • PasswordField: the password
  • RememberMeField: whether the login should be remembered with an authentication cookie (if that is configured in the AuthService).

When the model validates correctly (validate() returns true), the entered credentials are correct. At that point you can use the login() utility function to login the identified user.

The model can also be used when the user is already known (e.g. to implement password confirmation before a critical operation). In that case you can set a value for the LoginNameField and make this field invisible or read-only.

The model also provides the client-side JavaScript logic to indicate password attempt throttling (configureThrottling() and updateThrottling()).
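
Added example, not part of the JWt documentation or source: one way to drive the flow described above from a login button handler, including the password-confirmation variant. LoginFlow, Outcome, confirmFor() and submit() are hypothetical names; setValue() and setReadOnly() (inherited from WFormModel) and Login.getState() are JWt methods that are not documented on this page.

```java
import eu.webtoolkit.jwt.WInteractWidget;
import eu.webtoolkit.jwt.auth.AuthModel;
import eu.webtoolkit.jwt.auth.Login;
import eu.webtoolkit.jwt.auth.LoginState;

/** Hypothetical helper, not a JWt class: drives an AuthModel from a login button handler. */
public final class LoginFlow {
    /** Hypothetical result type for the caller to branch on. */
    public enum Outcome { REJECTED, LOGIN_FAILED, NEEDS_SECOND_FACTOR, LOGGED_IN }

    private final AuthModel model;
    private final Login login;
    private final WInteractWidget button;

    public LoginFlow(AuthModel model, Login login, WInteractWidget button) {
        this.model = model;
        this.login = login;
        this.button = button;
        // Must run once before updateThrottling() is used on this button.
        model.configureThrottling(button);
    }

    /** Password confirmation for a known user: pre-fill the login name and lock the field. */
    public void confirmFor(String knownLoginName) {
        model.setValue(AuthModel.LoginNameField, knownLoginName);
        model.setReadOnly(AuthModel.LoginNameField, true);
    }

    /** Call from the button handler, after the view has copied the form input into the model. */
    public Outcome submit() {
        if (!model.validate()) {
            // Failed attempt: reflect any throttling delay as a count-down in the button.
            model.updateThrottling(button);
            return Outcome.REJECTED;
        }
        // login() directly follows validate(), with no other model changes in between.
        if (!model.login(login)) {
            return Outcome.LOGIN_FAILED;
        }
        // RequiresMfa means a second factor is still outstanding: do not treat the
        // session as authenticated until the state is Strong.
        if (login.getState() == LoginState.RequiresMfa) {
            return Outcome.NEEDS_SECOND_FACTOR;
        }
        return Outcome.LOGGED_IN;
    }
}
```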

  • Field Details

  • Constructor Details

    • AuthModel

      public AuthModel(AuthService baseAuth, AbstractUserDatabase users)
      Constructor.

      Creates a new authentication model, using a basic authentication service and user database.

  • Method Details

    • reset

      public void reset()
      Description copied from class: WFormModel
      Resets the model.

      The default implementation clears the value of all fields, and resets the validation state to not validated.

      Overrides:
      reset in class WFormModel
    • isVisible

      public boolean isVisible(String field)
      Description copied from class: WFormModel
      Returns whether a field is visible.

      In some cases not all fields of the model need to be shown. This may depend on values input for certain fields, and thus change dynamically. You may specialize this method to indicate that a certain field should be invisible.

      The default implementation returns the value set by setVisible().

      Overrides:
      isVisible in class WFormModel
    • validateField

      public boolean validateField(String field)
      Description copied from class: WFormModel
      Validates a field.

      The default implementation uses the validator configured for the field to validate the field contents, or if no validator has been configured assumes that the field is valid.

      You will typically customize this method for more complex validation cases.

      Overrides:
      validateField in class WFormModel
    • validate

      public boolean validate()
      Description copied from class: WFormModel
      Validates the current input.

      The default implementation calls validateField() for each field and returns true if all fields validated.

      Overrides:
      validate in class WFormModel
    • configureThrottling

      public void configureThrottling(WInteractWidget button)
      Initializes client-side login throttling.

      If login attempt throttling is enabled, then this may also be indicated client-side using JavaScript by disabling the login button and showing a count-down indicator. This method initializes this JavaScript utility function for a login button.

    • updateThrottling

      public void updateThrottling(WInteractWidget button)
      Updates client-side login throttling.

      This should be called after a call to attemptPasswordLogin(), if you want to reflect throttling using a client-side count-down indicator in the button.

      You need to call configureThrottling() before you can do this.

    • login

      public boolean login(Login login)
      Logs the user in.

      Logs in the user after a successful call to validate(). To avoid mishaps, you should call this method immediately after a call to validate().

      Returns whether the user could be logged in.

      By default the user will be logged into a LoginState.Strong state, but if a second factor is required, the state will be LoginState.RequiresMfa. This indicates additional authentication is required.

    • logout

      public void logout(Login login)
      Logs the user out.

      This also removes the remember-me cookie for the user.

    • processEmailToken

      public EmailTokenResult processEmailToken(String token)
      Processes an email token.

      This simply calls AuthService#processEmailToken().

    • setRememberMeCookie

      public void setRememberMeCookie(User user)
      Creates a token and stores it in a cookie.

      This enables automatic authentication in a next session.

    • processAuthToken

      public User processAuthToken()
      Detects and processes an authentication token.

      This returns a user that was identified with an authentication token found in the application environment, or an invalid User object if this feature is not configured, or no valid cookie was found.

    • isShowResendEmailVerification

      public boolean isShowResendEmailVerification()
      Returns whether to allow resending the email verification.

      Returns true when email verification is required and the user was not yet verified. In this case, a user would be stuck if the verification email was lost.

    • hasMfaStep

      public boolean hasMfaStep(User user)
      Determines whether the MFA step is necessary for the user.

      This method is consulted after the user has logged in, at the point where the MFA step would be shown. Its behavior can be changed to determine whether the MFA step is to be shown. If so, LoginState.RequiresMfa will be set to indicate this to the framework.

      If this state is set, AuthWidget.createMfaView() will be called, which constructs the MFA widget with AuthWidget.createMfaProcess(). If the created widget implements the AbstractMfaProcess interface, the default flow of showing the setup/input views is taken.

      If it does not adhere to the interface, and features a completely custom implementation, developers should override AuthWidget.createMfaProcess() and AuthWidget.createMfaView().

      By default this will return true iff: