Checking user credentials requires Authorization Bearer

[Pardner]

I am fairly new to ci4 and very new to shield.

I am creating a routine to update the users password, but first I would like to have them enter their old password. I am doing this with:
$check = auth()->check(['password'=>$oldPassword]); var_dump($check);
which returns:

object(CodeIgniter\Shield\Result)#127 (3) {
  ["success":protected]=>
  bool(false)
  ["reason":protected]=>
  string(67) "Every request must have a bearer token in the Authorization header."
  ["extraInfo":protected]=>
  NULL
}

I get this same response whether I use the correct old password or an incorrect old password.

I am submitting the old password, new password, and new re-password via post along with 'Authorization': 'Bearer ' in the header. I pass the request through a token filter in my Config\Routes:

$routes->post("updatePassword", "Home::updatePassword", ['filter' => 'tokens']);

I have checked this filter by not passing the token in the header is it gives me invalid token errors.

Why does auth()->check() require an Authorization header? How to I pass an Authorization header from within my own controller? (probably also explains why I am having trouble with auth()->logout() too!)

Any help would be appreciated!

EDIT:
I am passing the password via javascript:

<script>
    function updateProfile(){
      const formData = new FormData();

      formData.append("oldPassword", document.getElementById("oldPassword").value);
      formData.append("newPassword1", document.getElementById("newPassword1").value);
      formData.append("newPassword2", document.getElementById("newPassword2").value);
     
      fetch(window.location.protocol + "//" + window.location.host + "/updateProfile", {
      method: "POST",
      body: formData,
      headers: {
          'Cache-Control': 'no-cache', 
          'Sec-Fetch-Site': 'none',
          'Authorization': 'Bearer ' + getCookie('access_token'), 
      }
    })
      .then((response) => response.json())
      .then((json) => {
          //console.log(json);
          if(json.status == true){
             // window.location.reload();
          } else {
              // error 
          }
       });
    }
<script>

[datamweb]

You are currently using the tokens filter, which requires the Authorization value to be present in the request header for processing. This is why, when using auth()->check(), you encounter an error if this value is not correctly set.

I recommend referring to implementation number #639 for guidance and using it as a reference to properly implement the password change page.

[Pardner]

Thanks datamweb for the replay.

Yes, removing the filter from the Routes returns an successfull reponse from auth()->check(). The example you linked to also used auth()->check() to verify the old password, but it does not protect the api reqests via access_tokens.

I'm sorry, I am still failing to see why calling auth()->check() from a controller that has already passed the token filter is returning an Autherization error. The token filter is applied to the Home::updatePassword, inside the updatePassword() function I call the auth()->check().

[datamweb]

I hope I understood your question correctly. 😊
In CodeIgniter Shield, we have multiple methods for authentication, such as session, tokens, hmac and jwt. By default, Shield is set to use method session (session-based authentication).

Therefore, when you mention the auth()->check() function, it refers to session-based authentication. However, if you want to use token-based authentication, you can adjust Shield's configuration to use method Auth::defaultAuthenticator = 'tokens'; or utilize functions like auth('tokens')->check() to ensure the token's validity.

[Pardner]

datamweb,

I guess I need to read more into how to authenticate. I am already authenticating the uses access_token in the Config\Routes:
$routes->post("updatePassword", "Home::updatePassword", ['filter' => 'tokens']);
Honestly the only reason I did token authentication is because it was easy to add a Authentication: Bearer to my exsisting javascript:

<script>
    function updateProfile(){
      const formData = new FormData();

      formData.append("oldPassword", document.getElementById("oldPassword").value);
      formData.append("newPassword1", document.getElementById("newPassword1").value);
      formData.append("newPassword2", document.getElementById("newPassword2").value);
     
      fetch(window.location.protocol + "//" + window.location.host + "/updateProfile", {
      method: "POST",
      body: formData,
      headers: {
          'Cache-Control': 'no-cache', 
          'Sec-Fetch-Site': 'none',
          'Authorization': 'Bearer ' + getCookie('access_token'), 
      }
    })
      .then((response) => response.json())
      .then((json) => {
          //console.log(json);
          if(json.status == true){
             // window.location.reload();
          } else {
              // error 
          }
       });
    }
<script>

So the users request has allready passed the authentication before my Home controller. In your linked exampleto, you also use the auth()->check() funciton:

            $result = auth()->check([
                'email'    => auth()->user()->email,
                'password' => $this->request->getPost('old_password'),
            ]);

            if (!$result->isOK()) {
                return redirect()->to(config('Auth')->forcePasswordResetRedirect())->withInput()->with('error', 'Auth.oldPasswordWrong');
            }

But I don't see ywhere you authenticate the session as your session filter is still commented out:

    public array $globals = [
        'before' => [
        'force-reset' => ['except' => ['login*', 'register', 'auth/a/*', 'change-password', 'logout']],
        // 'session' => ['except' => ['login*', 'register', 'auth/a/*']],
        ],
        'after' => [
            'toolbar',
            // 'honeypot',
            // 'secureheaders',
        ],
    ];

Right now the PHP password_verify() function works, but I would prefere to verify the old password in shield:

if(password_verify($data['oldPassword'],auth()->user()->password_hash)){
    // ...
}