AuthContext
The trusted answer to "who is making this request, and may we trust it?" — an {@see AuthState} and, when authenticated, the {@see Actor} it resolved to. This is the *product* the whole package exists to make: a credential verifier turns a raw {@see Credential} into one of these, and the policy layer authorises against it. It carries the scope helpers so a caller can ask "may this * request do X?" without first unwrapping (and null-checking) the actor. Immutable by construction.
AuthContext::__construct()
public function __construct(?Milpa\Auth\Actor $actor, Milpa\Auth\AuthState $state, array $metadata = []):Parameters
| Name | Type | Description |
|---|---|---|
| $actor | ?Actor | the verified identity, or `null` when there is none (anonymous or invalid) |
| $state | AuthState | how the request authenticated |
| $metadata | array<string, mixed> | out-of-band detail — e.g. the rejection `reason` on an invalid context, the source ip, the request id |
AuthContext::anonymous()
public static function anonymous(): selfA context for a request that presented no credential: no actor, state {@see AuthState::Anonymous}.
AuthContext::authenticated()
public static function authenticated(Milpa\Auth\Actor $actor): selfA context for a request whose credential verified into `$actor`: state {@see AuthState::Authenticated}.
Parameters
| Name | Type | Description |
|---|---|---|
| $actor | Milpa\Auth\Actor |
AuthContext::invalid()
public static function invalid(?string $reason = null): selfA context for a request that presented a credential which was rejected: no actor, state {@see AuthState::Invalid}, and `$reason` recorded under the `reason` metadata key. Distinct from {@see self::anonymous()} on purpose — a bad credential is not the same as no credential.
Parameters
| Name | Type | Description |
|---|---|---|
| $reason | ?string |
AuthContext::isAuthenticated()
public function isAuthenticated(): boolWhether this request authenticated to an actor — true only in the {@see AuthState::Authenticated} state.
AuthContext::hasScope()
public function hasScope(string $scope): boolWhether the request's actor holds `$scope`. Fail-closed: with no actor (anonymous or invalid) this is always false, and otherwise it delegates to {@see Actor::hasScope()}.
Parameters
| Name | Type | Description |
|---|---|---|
| $scope | string |
AuthContext::hasAnyScope()
public function hasAnyScope(array $scopes): boolWhether the request's actor holds at least one of `$scopes`. Fail-closed: with no actor this is always false; otherwise it delegates to {@see Actor::hasAnyScope()}.
Parameters
| Name | Type | Description |
|---|---|---|
| $scopes | list<string> |