Bug: User `isActivated()` always returns true, even when custom activator is configured

[drumichael611]

PHP Version

8.3.9

CodeIgniter4 Version

4.5.7

Shield Version

1.1.0

Which operating systems have you tested for this bug?

Windows

Which server did you use?

cli-server (PHP built-in webserver)

Database

Mysql 8

Did you customize Shield?

Yes. I created a php class that uses TwilioVerify. It sends a code to the user via SMS, then the user enters the code and the verify method checks the code.

I am using the same class for both login and register. the user must receive a code to log in, and also when registering.

What happened?

The functionality in general works fine. The user must enter the code (and it must be valid) or they are not able to log in. The same with registration.
One thing I noticed is that I forgot about executing $user->activate() after registering and entering a code. Then I realized that I was able to log in regardless of this.

I added a check in my Login controller so that if $user->isActivated() returns false, they must not have entered a code upon registration, so they should not be permitted to log in. However, this always returns true.

I read in the documentation that this will always return true, unless an activator is specified in Auth.php. My Auth.php DOES have actions configured, as can be seen below, so it seems like it should not always be returning true.

    /**
     * --------------------------------------------------------------------
     * Authentication Actions
     * --------------------------------------------------------------------
     * Specifies the class that represents an action to take after
     * the user logs in or registers a new account at the site.
     *
     * You must register actions in the order of the actions to be performed.
     *
     * Available actions with Shield:
     * - register: \CodeIgniter\Shield\Authentication\Actions\EmailActivator::class
     * - login:    \CodeIgniter\Shield\Authentication\Actions\Email2FA::class
     *
     * @var array<string, class-string<ActionInterface>|null>
     */
    public array $actions = [
        'register' => TwilioVerify::class,
        'login'    => TwilioVerify::class,
        //'login'    => null,
    ];

Steps to Reproduce

Create a custom class and use it as an authentication action on both register and login. Leave the user's active flag = 0, and you will still always receive a true in response to $user->isActivated()

Expected Output

I expect to receive false when using $user->isActivated(), and the user's active flag = false, since I have the action specified in Auth.php

Anything else?

No response

[datamweb]

I read in the documentation that this will always return true, unless an activator is specified in Auth.php. My Auth.php DOES have actions configured, as can be seen below, so it seems like it should not always be returning true.

The isActivated() method depends on the value of:

public array $actions = [
    'register' => null,
];

Additionally, your class name must be TwilioVerifyActivator, as the Activator suffix is essential.

Please rename your class to TwilioVerifyActivator and verify it.

[drumichael611]

Ah, thank you!! Changing the name of the file fixed my issue! Maybe the documentation could be updated to indicate that.