Skip to content
docsv0.1.0

AuthContext

The trusted answer to "who is making this request, and may we trust it?" — an {@see AuthState} and, when authenticated, the {@see Actor} it resolved to. This is the *product* the whole package exists to make: a credential verifier turns a raw {@see Credential} into one of these, and the policy layer authorises against it. It carries the scope helpers so a caller can ask "may this * request do X?" without first unwrapping (and null-checking) the actor. Immutable by construction.

AuthContext::__construct()

public function __construct(?Milpa\Auth\Actor $actor, Milpa\Auth\AuthState $state, array $metadata = []):

Parameters

Parameters of __construct()
NameTypeDescription
$actor?Actorthe verified identity, or `null` when there is none (anonymous or invalid)
$stateAuthStatehow the request authenticated
$metadataarray<string, mixed>out-of-band detail — e.g. the rejection `reason` on an invalid context, the source ip, the request id

AuthContext::anonymous()

public static function anonymous(): self

A context for a request that presented no credential: no actor, state {@see AuthState::Anonymous}.

AuthContext::authenticated()

public static function authenticated(Milpa\Auth\Actor $actor): self

A context for a request whose credential verified into `$actor`: state {@see AuthState::Authenticated}.

Parameters

Parameters of authenticated()
NameTypeDescription
$actorMilpa\Auth\Actor

AuthContext::invalid()

public static function invalid(?string $reason = null): self

A context for a request that presented a credential which was rejected: no actor, state {@see AuthState::Invalid}, and `$reason` recorded under the `reason` metadata key. Distinct from {@see self::anonymous()} on purpose — a bad credential is not the same as no credential.

Parameters

Parameters of invalid()
NameTypeDescription
$reason?string

AuthContext::isAuthenticated()

public function isAuthenticated(): bool

Whether this request authenticated to an actor — true only in the {@see AuthState::Authenticated} state.

AuthContext::hasScope()

public function hasScope(string $scope): bool

Whether the request's actor holds `$scope`. Fail-closed: with no actor (anonymous or invalid) this is always false, and otherwise it delegates to {@see Actor::hasScope()}.

Parameters

Parameters of hasScope()
NameTypeDescription
$scopestring

AuthContext::hasAnyScope()

public function hasAnyScope(array $scopes): bool

Whether the request's actor holds at least one of `$scopes`. Fail-closed: with no actor this is always false; otherwise it delegates to {@see Actor::hasAnyScope()}.

Parameters

Parameters of hasAnyScope()
NameTypeDescription
$scopeslist<string>