codeigniter4
diff --git a/‎src/Authentication/Actions/ActionInterface.php
+6 b/‎src/Authentication/Actions/ActionInterface.php
+6
diff --git a/‎src/Authentication/Actions/Email2FA.php
+59-25 b/‎src/Authentication/Actions/Email2FA.php
+59-25
diff --git a/‎src/Authentication/Actions/EmailActivator.php
+52-26 b/‎src/Authentication/Actions/EmailActivator.php
+52-26
diff --git a/‎src/Authentication/Authenticators/AccessTokens.php
+21-5 b/‎src/Authentication/Authenticators/AccessTokens.php
+21-5
@@ -39,4 +39,10 @@ public function handle(IncomingRequest $request);
      * @return Response|string
      */
     public function verify(IncomingRequest $request);
+
+    /**
+     * Returns the string type of the action class.
+     * E.g., 'email_2fa', 'email_activate'.
+     */
+    public function getType(): string;
 }
@@ -5,6 +5,7 @@
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\RedirectResponse;
 use CodeIgniter\Shield\Authentication\Authenticators\Session;
+use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Exceptions\RuntimeException;
 use CodeIgniter\Shield\Models\UserIdentityModel;
 
@@ -15,33 +16,25 @@
  */
 class Email2FA implements ActionInterface
 {
+    private string $type = 'email_2fa';
+
     /**
      * Displays the "Hey we're going to send you an number to your email"
      * message to the user with a prompt to continue.
      */
     public function show(): string
     {
-        $user = auth()->user();
-
-        /** @var UserIdentityModel $identityModel */
-        $identityModel = model(UserIdentityModel::class);
+        /** @var Session $authenticator */
+        $authenticator = auth('session')->getAuthenticator();
 
-        // Delete any previous activation identities
-        $identityModel->deleteIdentitiesByType($user->getAuthId(), 'email_2fa');
+        $user = $authenticator->getPendingUser();
+        if ($user === null) {
+            throw new RuntimeException('Cannot get the pending login User.');
+        }
 
-        // Create an identity for our 2fa hash
-        helper('text');
-        $code = random_string('nozero', 6);
+        $this->createIdentity($user);
 
-        $identityModel->insert([
-            'user_id' => $user->getAuthId(),
-            'type'    => 'email_2fa',
-            'secret'  => $code,
-            'name'    => 'login',
-            'extra'   => lang('Auth.need2FA'),
-        ]);
-
-        return view(setting('Auth.views')['action_email_2fa']);
+        return view(setting('Auth.views')['action_email_2fa'], ['user' => $user]);
     }
 
     /**
@@ -54,20 +47,23 @@ public function show(): string
     public function handle(IncomingRequest $request)
     {
         $email = $request->getPost('email');
-        $user  = auth()->user();
 
-        if (empty($email) || $email !== $user->getAuthEmail()) {
-            return redirect()->route('auth-action-show')->with('error', lang('Auth.invalidEmail'));
-        }
+        /** @var Session $authenticator */
+        $authenticator = auth('session')->getAuthenticator();
 
+        $user = $authenticator->getPendingUser();
         if ($user === null) {
-            throw new RuntimeException('Cannot get the User.');
+            throw new RuntimeException('Cannot get the pending login User.');
+        }
+
+        if (empty($email) || $email !== $user->getAuthEmail()) {
+            return redirect()->route('auth-action-show')->with('error', lang('Auth.invalidEmail'));
         }
 
         /** @var UserIdentityModel $identityModel */
         $identityModel = model(UserIdentityModel::class);
 
-        $identity = $identityModel->getIdentityByType($user->getAuthId(), 'email_2fa');
+        $identity = $identityModel->getIdentityByType($user->getAuthId(), $this->type);
 
         if (empty($identity)) {
             return redirect()->route('auth-action-show')->with('error', lang('Auth.need2FA'));
@@ -101,7 +97,7 @@ public function verify(IncomingRequest $request)
         $authenticator = auth('session')->getAuthenticator();
 
         // Token mismatch? Let them try again...
-        if (! $authenticator->checkAction('email_2fa', $token)) {
+        if (! $authenticator->checkAction($this->type, $token)) {
             session()->setFlashdata('error', lang('Auth.invalid2FAToken'));
 
             return view(setting('Auth.views')['action_email_2fa_verify']);
@@ -110,4 +106,42 @@ public function verify(IncomingRequest $request)
         // Get our login redirect url
         return redirect()->to(config('Auth')->loginRedirect());
     }
+
+    /**
+     * Called from `Session::attempt()`.
+     */
+    public function afterAttempt(User $user): void
+    {
+        $this->createIdentity($user);
+    }
+
+    /**
+     * Create an identity for Email 2FA
+     */
+    private function createIdentity(User $user): void
+    {
+        helper('text');
+
+        /** @var UserIdentityModel $userIdentityModel */
+        $userIdentityModel = model(UserIdentityModel::class);
+
+        // Delete any previous activation identities
+        $userIdentityModel->deleteIdentitiesByType($user->getAuthId(), $this->type);
+
+        // Create an identity for our 2fa hash
+        $code = random_string('nozero', 6);
+
+        $userIdentityModel->insert([
+            'user_id' => $user->getAuthId(),
+            'type'    => $this->type,
+            'secret'  => $code,
+            'name'    => 'login',
+            'extra'   => lang('Auth.need2FA'),
+        ]);
+    }
+
+    public function getType(): string
+    {
+        return $this->type;
+    }
 }
@@ -13,17 +13,21 @@
 
 class EmailActivator implements ActionInterface
 {
+    private string $type = 'email_activate';
+
     /**
      * Shows the initial screen to the user telling them
      * that an email was just sent to them with a link
      * to confirm their email address.
      */
     public function show(): string
     {
-        $user = auth()->user();
+        /** @var Session $authenticator */
+        $authenticator = auth('session')->getAuthenticator();
 
+        $user = $authenticator->getPendingUser();
         if ($user === null) {
-            throw new RuntimeException('Cannot get the User.');
+            throw new RuntimeException('Cannot get the pending login User.');
         }
 
         $userEmail = $user->getAuthEmail();
@@ -33,23 +37,7 @@ public function show(): string
             );
         }
 
-        /** @var UserIdentityModel $identityModel */
-        $identityModel = model(UserIdentityModel::class);
-
-        // Delete any previous activation identities
-        $identityModel->deleteIdentitiesByType($user->getAuthId(), 'email_activate');
-
-        //  Create an identity for our activation hash
-        helper('text');
-        $code = random_string('nozero', 6);
-
-        $identityModel->insert([
-            'user_id' => $user->getAuthId(),
-            'type'    => 'email_activate',
-            'secret'  => $code,
-            'name'    => 'register',
-            'extra'   => lang('Auth.needVerification'),
-        ]);
+        $code = $this->createIdentity($user);
 
         // Send the email
         helper('email');
@@ -85,25 +73,63 @@ public function verify(IncomingRequest $request)
     {
         $token = $request->getVar('token');
 
-        $auth = auth('session');
-
         /** @var Session $authenticator */
-        $authenticator = $auth->getAuthenticator();
+        $authenticator = auth('session')->getAuthenticator();
 
         // No match - let them try again.
-        if (! $authenticator->checkAction('email_activate', $token)) {
+        if (! $authenticator->checkAction($this->type, $token)) {
             session()->setFlashdata('error', lang('Auth.invalidActivateToken'));
 
             return view(setting('Auth.views')['action_email_activate_show']);
         }
 
-        /** @var User $user */
-        $user = $auth->user();
+        $user = $authenticator->getUser();
 
         // Set the user active now
-        $auth->activateUser($user);
+        $authenticator->activateUser($user);
 
         // Get our login redirect url
         return redirect()->to(config('Auth')->loginRedirect());
     }
+
+    /**
+     * Called from `RegisterController::registerAction()`
+     */
+    public function afterRegister(User $user): void
+    {
+        $this->createIdentity($user);
+    }
+
+    /**
+     * Create an identity for Email Activation
+     *
+     * @return string The secret code
+     */
+    private function createIdentity(User $user): string
+    {
+        helper('text');
+
+        /** @var UserIdentityModel $userIdentityModel */
+        $userIdentityModel = model(UserIdentityModel::class);
+
+        $userIdentityModel->deleteIdentitiesByType($user->getAuthId(), $this->type);
+
+        //  Create an identity for our activation hash
+        $code = random_string('nozero', 6);
+
+        $userIdentityModel->insert([
+            'user_id' => $user->getAuthId(),
+            'type'    => $this->type,
+            'secret'  => $code,
+            'name'    => 'register',
+            'extra'   => lang('Auth.needVerification'),
+        ]);
+
+        return $code;
+    }
+
+    public function getType(): string
+    {
+        return $this->type;
+    }
 }
@@ -26,7 +26,9 @@ class AccessTokens implements AuthenticatorInterface
     public function __construct(UserModel $provider)
     {
         helper('session');
-        $this->provider   = $provider;
+
+        $this->provider = $provider;
+
         $this->loginModel = model(LoginModel::class); // @phpstan-ignore-line
     }
 
@@ -48,7 +50,12 @@ public function attempt(array $credentials): Result
 
         if (! $result->isOK()) {
             // Always record a login attempt, whether success or not.
-            $this->loginModel->recordLoginAttempt('token: ' . ($credentials['token'] ?? ''), false, $ipAddress, $userAgent);
+            $this->loginModel->recordLoginAttempt(
+                'token: ' . ($credentials['token'] ?? ''),
+                false,
+                $ipAddress,
+                $userAgent
+            );
 
             return $result;
         }
@@ -61,7 +68,13 @@ public function attempt(array $credentials): Result
 
         $this->login($user);
 
-        $this->loginModel->recordLoginAttempt('token: ' . ($credentials['token'] ?? ''), true, $ipAddress, $userAgent, $this->user->getAuthId());
+        $this->loginModel->recordLoginAttempt(
+            'token: ' . ($credentials['token'] ?? ''),
+            true,
+            $ipAddress,
+            $userAgent,
+            $this->user->getAuthId()
+        );
 
         return $result;
     }
@@ -99,7 +112,10 @@ public function check(array $credentials): Result
         }
 
         // Hasn't been used in a long time
-        if ($token->last_used_at && $token->last_used_at->isBefore(Time::now()->subSeconds(config('Auth')->unusedTokenLifetime))) {
+        if (
+            $token->last_used_at
+            && $token->last_used_at->isBefore(Time::now()->subSeconds(config('Auth')->unusedTokenLifetime))
+        ) {
             return new Result([
                 'success' => false,
                 'reason'  => lang('Auth.oldToken'),
@@ -218,7 +234,7 @@ public function recordActiveDate(): void
     {
         if (! $this->user instanceof User) {
             throw new InvalidArgumentException(
-                self::class . '::recordActiveDate() requires logged in user before calling.'
+                __METHOD__ . '() requires logged in user before calling.'
             );
         }