Update CMS authentication tutorial for Authentication plugin v4

- Update version requirement to ^4.0
- Use allowUnauthenticated() instead of deprecated addUnauthenticatedActions()
- Use array URLs instead of Router::url() strings for better maintainability
- Use setConfig() method for service configuration
- Use AbstractIdentifier constants for field mapping
- Use getLoginRedirect() method for handling post-login redirects
- Simplify login action (remove redundant allowMethod, cleaner flash logic)
- Simplify logout action (no need to check auth status first)
- Update template to use Form->button() instead of Form->submit()
- Fix legend text from "username" to "email" to match form field

Author: dereuromark

docs/en/tutorials-and-examples/cms/authentication.md

@@ -16,7 +16,7 @@ enable new users to register.
 Use composer to install the Authentication Plugin:
 
 ```bash
-composer require "cakephp/authentication:~3.0"
+composer require "cakephp/authentication:^4.0"
 ```
 
 ### Adding Password Hashing
@@ -50,15 +50,15 @@ add the following:
 <?php
 namespace App\Model\Entity;
 
-use Authentication\PasswordHasher\DefaultPasswordHasher; // Add this line
+use Authentication\PasswordHasher\DefaultPasswordHasher;
 use Cake\ORM\Entity;
 
 class User extends Entity
 {
     // Code from bake.
 
     // Add this method
-    protected function _setPassword(string $password) : ?string
+    protected function _setPassword(string $password): ?string
     {
         if (mb_strlen($password) > 0) {
             return (new DefaultPasswordHasher())->hash($password);
@@ -112,8 +112,8 @@ In **src/Application.php**, add the following imports:
 use Authentication\AuthenticationService;
 use Authentication\AuthenticationServiceInterface;
 use Authentication\AuthenticationServiceProviderInterface;
+use Authentication\Identifier\AbstractIdentifier;
 use Authentication\Middleware\AuthenticationMiddleware;
-use Cake\Routing\Router;
 use Psr\Http\Message\ServerRequestInterface;
 ```
 
@@ -144,31 +144,42 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 
 public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
 {
-    $authenticationService = new AuthenticationService([
-        'unauthenticatedRedirect' => Router::url('/users/login'),
+    $service = new AuthenticationService();
+
+    // Define where users should be redirected to when they are not authenticated
+    $service->setConfig([
+        'unauthenticatedRedirect' => [
+            'prefix' => false,
+            'plugin' => null,
+            'controller' => 'Users',
+            'action' => 'login',
+        ],
         'queryParam' => 'redirect',
     ]);
 
-    // Load the authenticators, you want session first
-    $authenticationService->loadAuthenticator('Authentication.Session');
-    // Configure form data check to pick email and password
-    $authenticationService->loadAuthenticator('Authentication.Form', [
-        'fields' => [
-            'username' => 'email',
-            'password' => 'password',
+    $fields = [
+        AbstractIdentifier::CREDENTIAL_USERNAME => 'email',
+        AbstractIdentifier::CREDENTIAL_PASSWORD => 'password',
+    ];
+
+    // Load the authenticators. Session should be first.
+    $service->loadAuthenticator('Authentication.Session');
+    $service->loadAuthenticator('Authentication.Form', [
+        'fields' => $fields,
+        'loginUrl' => [
+            'prefix' => false,
+            'plugin' => null,
+            'controller' => 'Users',
+            'action' => 'login',
         ],
-        'loginUrl' => Router::url('/users/login'),
         'identifier' => [
             'Authentication.Password' => [
-                'fields' => [
-                    'username' => 'email',
-                    'password' => 'password',
-                ],
+                'fields' => $fields,
             ],
         ],
     ]);
 
-    return $authenticationService;
+    return $service;
 }
 ```
 
@@ -183,6 +194,7 @@ public function initialize(): void
 
     // Add this line to check authentication result and lock your site
     $this->loadComponent('Authentication.Authentication');
+}
 ```
 
 Now, on every request, the `AuthenticationMiddleware` will inspect
@@ -203,7 +215,7 @@ If you visit your site, you'll get an "infinite redirect loop" so let's fix that
 > If your application serves from both SSL and non-SSL protocols, then you might have problems
 > with sessions being lost, in case your application is on non-SSL protocol. You need to enable
 > access by setting session.cookie_secure to false in your config/app.php or config/app_local.php.
-> (See [CakePHP’s defaults on session.cookie_secure](../../development/sessions))
+> (See [CakePHP's defaults on session.cookie_secure](../../development/sessions))
 
 In your `UsersController`, add the following code:
 
@@ -213,25 +225,18 @@ public function beforeFilter(\Cake\Event\EventInterface $event): void
     parent::beforeFilter($event);
     // Configure the login action to not require authentication, preventing
     // the infinite redirect loop issue
-    $this->Authentication->addUnauthenticatedActions(['login']);
+    $this->Authentication->allowUnauthenticated(['login']);
 }
 
 public function login()
 {
-    $this->request->allowMethod(['get', 'post']);
     $result = $this->Authentication->getResult();
-    // regardless of POST or GET, redirect if user is logged in
+    // If the user is logged in send them away.
     if ($result && $result->isValid()) {
-        // redirect to /articles after login success
-        $redirect = $this->request->getQuery('redirect', [
-            'controller' => 'Articles',
-            'action' => 'index',
-        ]);
-
-        return $this->redirect($redirect);
+        $target = $this->Authentication->getLoginRedirect() ?? ['controller' => 'Articles', 'action' => 'index'];
+        return $this->redirect($target);
     }
-    // display error if user submitted and authentication failed
-    if ($this->request->is('post') && !$result->isValid()) {
+    if ($this->request->is('post')) {
         $this->Flash->error(__('Invalid username or password'));
     }
 }
@@ -241,16 +246,16 @@ Add the template logic for your login action:
 
 ```php
 <!-- in /templates/Users/login.php -->
-<div class="users form">
+<div class="users form content">
     <?= $this->Flash->render() ?>
     <h3>Login</h3>
     <?= $this->Form->create() ?>
     <fieldset>
-        <legend><?= __('Please enter your username and password') ?></legend>
+        <legend><?= __('Please enter your email and password') ?></legend>
         <?= $this->Form->control('email', ['required' => true]) ?>
         <?= $this->Form->control('password', ['required' => true]) ?>
     </fieldset>
-    <?= $this->Form->submit(__('Login')); ?>
+    <?= $this->Form->button(__('Login')); ?>
     <?= $this->Form->end() ?>
 
     <?= $this->Html->link("Add User", ['action' => 'add']) ?>
@@ -274,7 +279,7 @@ public function beforeFilter(\Cake\Event\EventInterface $event): void
     parent::beforeFilter($event);
     // for all controllers in our application, make index and view
     // actions public, skipping the authentication check
-    $this->Authentication->addUnauthenticatedActions(['index', 'view']);
+    $this->Authentication->allowUnauthenticated(['index', 'view']);
 }
 ```
 
@@ -297,13 +302,8 @@ Add the logout action to the `UsersController` class:
 // in src/Controller/UsersController.php
 public function logout()
 {
-    $result = $this->Authentication->getResult();
-    // regardless of POST or GET, redirect if user is logged in
-    if ($result && $result->isValid()) {
-        $this->Authentication->logout();
-
-        return $this->redirect(['controller' => 'Users', 'action' => 'login']);
-    }
+    $this->Authentication->logout();
+    return $this->redirect(['controller' => 'Users', 'action' => 'login']);
 }
 ```
 
@@ -318,7 +318,7 @@ sign up for our application. In the `UsersController` fix the following line:
 
 ```php
 // Add to the beforeFilter method of UsersController
-$this->Authentication->addUnauthenticatedActions(['login', 'add']);
+$this->Authentication->allowUnauthenticated(['login', 'add']);
 ```
 
 The above tells `AuthenticationComponent` that the `add()` action of the