Tiger_Service_Authentication

@api

Tiger_Service_Authentication — the AUTHENTICATION kernel service.

Authentication = "who are you" (identity + session). Distinct from AUTHORIZATION = "what may you do" (the ACL layer: TigerAcl* + the authorization plugin). Named in full to keep that boundary unambiguous.

Ported from AskLevi's Core_Service_Auth, adapted to Tiger's substrate:

  • Password lives in user_credential (Tiger_Model_UserCredential::verifyPassword), NOT on the user row.
  • THE ROLE IS PER-ORG. AskLevi put a single global role on the user; Tiger resolves the role from the caller's org_user MEMBERSHIP for the active org. So the identity carries { user_id, org_id, role } where role is the role in THAT org. Switching orgs (useOrg) re-resolves the role. This is the multi- tenant heart of Tiger.

This is a KERNEL service (Tiger_Service_*): reserved from /api (see Tiger_Ajax_ServiceFactory), called in-process by a login controller. It is NOT itself an /api service and does not extend Tiger_Service_Service.

On success it also sets the request-wide actor (Tiger_Model_Table::setActor) so created_by/updated_by stamps start flowing.

Methods

login()

login($identifier, $password)

Authenticate by identifier + password. The identifier is email, username, or any verified factor identifier (phone/oauth/… once those exist) — see Tiger_Model_User::findByIdentifier. Returns the identity object on success, self::TWOFA_REQUIRED when a second factor is needed, or false on any failure (unknown user, inactive, bad password).

  • $identifier string — email, username, or a verified factor identifier
  • $password string — the plaintext password

Returns object|false

logout()

logout()

Destroy the authenticated session.

requestPasswordReset()

requestPasswordReset($email, $baseUrl)

Request a password reset. If the email maps to an ACTIVE user, issue a password_reset challenge and email a reset link (built on $baseUrl, e.g. "https://host"). ALWAYS returns void so the caller can respond success either way — never revealing whether an account exists (no user enumeration).

  • $email string — the address requesting a reset
  • $baseUrl string — the site base URL the reset link is built on

resetPassword()

resetPassword($challengeId, $code, $newPassword, $confirm)

Complete a reset. Validates the new password against the policy BEFORE burning the token (so a weak password doesn't waste the link), then redeems the challenge (verifies the code + single-use), sets the new password, and clears any brute-force lockout.

  • $challengeId string — the reset challenge id from the link
  • $code string — the reset token from the link
  • $newPassword string — the chosen new password
  • $confirm string — the confirmation of the new password

Returns array{ok:bool,error:?string} — error = a ready-to-show message on failure