Feature: Per-Tenant Authentication Strategy Resolution #25

Closed
opened 2026-07-05 20:20:11 +00:00 by psycodepath · 0 comments
Owner

Motivation

Currently, the authentication strategy is global. Tenants need to use different authentication methods (e.g., family A uses the local user database, family B uses their LDAP directory, production uses Authelia headers).

Description

Implement a dynamic TenantAwarePasswordAuthenticator that checks the current tenant's database settings at runtime and delegates credentials checking to the appropriate authenticator (LocalPasswordAuthenticator, LdapPasswordAuthenticator).

User Story

As a tenant user, I want to log in using the authentication strategy configured for my specific family/subdomain so that I can use my preferred credentials provider.

Gherkin Feature

Feature: Tenant-Specific Authentication Strategy
  As a tenant user
  I want to log in with my tenant's configured auth strategy
  So that I am authenticated against the correct backend

  Scenario: Tenant uses LDAP strategy
    Given the current tenant is configured to use "ldap" auth strategy
    When I submit my credentials
    Then the request is handled by the LdapPasswordAuthenticator

Acceptance Criteria

  • TenantAwarePasswordAuthenticator implemented, delegating based on runtime tenant settings.
  • LdapPasswordAuthenticator refactored to accept configuration settings dynamically instead of reading $_ENV directly.
  • DI container configuration updated in AppBootstrap.php to wire the new tenant-aware authenticators.
  • Unit and integration tests covering multi-tenant auth routing.
### Motivation Currently, the authentication strategy is global. Tenants need to use different authentication methods (e.g., family A uses the local user database, family B uses their LDAP directory, production uses Authelia headers). ### Description Implement a dynamic `TenantAwarePasswordAuthenticator` that checks the current tenant's database settings at runtime and delegates credentials checking to the appropriate authenticator (`LocalPasswordAuthenticator`, `LdapPasswordAuthenticator`). ### User Story As a tenant user, I want to log in using the authentication strategy configured for my specific family/subdomain so that I can use my preferred credentials provider. ### Gherkin Feature ```gherkin Feature: Tenant-Specific Authentication Strategy As a tenant user I want to log in with my tenant's configured auth strategy So that I am authenticated against the correct backend Scenario: Tenant uses LDAP strategy Given the current tenant is configured to use "ldap" auth strategy When I submit my credentials Then the request is handled by the LdapPasswordAuthenticator ``` ### Acceptance Criteria - [ ] `TenantAwarePasswordAuthenticator` implemented, delegating based on runtime tenant settings. - [ ] `LdapPasswordAuthenticator` refactored to accept configuration settings dynamically instead of reading `$_ENV` directly. - [ ] DI container configuration updated in `AppBootstrap.php` to wire the new tenant-aware authenticators. - [ ] Unit and integration tests covering multi-tenant auth routing.
Sign in to join this conversation.
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
psycodepath/hrp#25
No description provided.