Tiger_Service_Authentication
@api
Tiger_Service_Authentication — the AUTHENTICATION kernel service.
Authentication = "who are you" (identity + session). Distinct from AUTHORIZATION = "what may you do" (the ACL layer: TigerAcl* + the authorization plugin). Named in full to keep that boundary unambiguous.
Ported from AskLevi's Core_Service_Auth, adapted to Tiger's substrate:
- Password lives in
user_credential(Tiger_Model_UserCredential::verifyPassword), NOT on the user row. - THE ROLE IS PER-ORG. AskLevi put a single global
roleon the user; Tiger resolves the role from the caller's org_user MEMBERSHIP for the active org. So the identity carries { user_id, org_id, role } whereroleis the role in THAT org. Switching orgs (useOrg) re-resolves the role. This is the multi- tenant heart of Tiger.
This is a KERNEL service (Tiger_Service_*): reserved from /api (see
Tiger_Ajax_ServiceFactory), called in-process by a login controller. It is NOT
itself an /api service and does not extend Tiger_Service_Service.
On success it also sets the request-wide actor (Tiger_Model_Table::setActor) so created_by/updated_by stamps start flowing.
Methods
login()
login($identifier, $password)
Authenticate by identifier + password. The identifier is email, username, or any verified factor identifier (phone/oauth/… once those exist) — see Tiger_Model_User::findByIdentifier. Returns the identity object on success, self::TWOFA_REQUIRED when a second factor is needed, or false on any failure (unknown user, inactive, bad password).
$identifierstring— email, username, or a verified factor identifier$passwordstring— the plaintext password
Returns object|false
logout()
logout()
Destroy the authenticated session.
requestPasswordReset()
requestPasswordReset($email, $baseUrl)
Request a password reset. If the email maps to an ACTIVE user, issue a password_reset challenge and email a reset link (built on $baseUrl, e.g. "https://host"). ALWAYS returns void so the caller can respond success either way — never revealing whether an account exists (no user enumeration).
$emailstring— the address requesting a reset$baseUrlstring— the site base URL the reset link is built on
resetPassword()
resetPassword($challengeId, $code, $newPassword, $confirm)
Complete a reset. Validates the new password against the policy BEFORE burning the token (so a weak password doesn't waste the link), then redeems the challenge (verifies the code + single-use), sets the new password, and clears any brute-force lockout.
$challengeIdstring— the reset challenge id from the link$codestring— the reset token from the link$newPasswordstring— the chosen new password$confirmstring— the confirmation of the new password
Returns array{ok:bool,error:?string} — error = a ready-to-show message on failure