Merge pull request #79 from silinternational/develop

allow consumers to provide email or username during authentication

application/common/models/Authentication.php

@@ -26,18 +26,18 @@ public function __construct(
         $ldap = null
     ) {
         /* @var $user User */
-        $user = User::findByUsername($username) ?? new User();
+        $user = User::findByUsername($username) ??
+                User::findByEmail($username)    ?? // maybe we got an email
+                new User();
 
         $user->scenario = User::SCENARIO_AUTHENTICATE;
 
-        $user->attributes = [
-            'username' => $username,
-            'password' => $password,
-        ];
         if ($ldap instanceof Ldap) {
             $user->setLdap($ldap);
         }
 
+        $user->password = $password;
+
         if ($user->validate()) {
             $this->authenticatedUser = $user;
         } else {

application/common/models/User.php

@@ -207,6 +207,11 @@ public static function findByUsername(string $username)
         return User::findOne(['username' => $username]);
     }
 
+    public static function findByEmail(string $email)
+    {
+        return User::findOne(['email' => $email]);
+    }
+
     private function validateExpiration(): Closure
     {
         return function ($attributeName) {

application/features/authentication.feature

@@ -178,3 +178,4 @@ Feature: Authentication
 
 #    TODO: attempt to authenticate a user who doesn't have a password yet, expect 400 (ensure timing attack protection is enforced)
 # TODO: need test for check that a user's password is good all the way until midnight of the expiration/grace period dates
+# TODO: need test to allow username or email address to be used for authentication