I have a REST API endpoint that i use to get a user logged in and retrieve informations about his account.
That implementation was running fine…but now it’s broken.
I am using basicauth override to use USERNAME:PASSWORD instead of the token
Below controller and MODEL code
Into the response i find now all the users…instead of one
can’t understand as in the first place we use findOne to select ONE user and THEN password is checked.
Maybe i missed something here 
USER MODEL :
<?php
namespace common\models;
use yii\base\NotSupportedException;
use yii\behaviors\TimestampBehavior;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
class User extends ActiveRecord implements IdentityInterface
{
public static function tableName()
{
return '{{%user}}';
}
public function behaviors()
{
return [
TimestampBehavior::className(),
];
}
public function rules()
{
return [
[['username', 'auth_key', 'password_hash', 'email'], 'required'],
[['status', 'created_at', 'updated_at', 'background'], 'integer'],
[['username', 'password_hash', 'password_reset_token', 'email', 'hmac_shopify', 'shop_address', 'room_id', 'wp_address', 'blog_address', 'iosRegisterID', 'androidRegisterID', 'timeZone'], 'string', 'max' => 255],
[['auth_key'], 'string', 'max' => 32],
[['account_level'], 'string', 'max' => 45],
[['username'], 'unique'],
[['email'], 'unique'],
[['password_reset_token'], 'unique'],
];
}
public static function findIdentity($id)
{
return static::findOne(['id' => $id]);
}
public static function findIdentityByAccessToken($token, $type = null)
{
return static::findOne(['auth_key' => $token]);
}
public static function findByUsername($username)
{
return static::findOne(['username' => $username]);
}
public static function findByPasswordResetToken($token)
{
if (!static::isPasswordResetTokenValid($token)) {
return null;
}
return static::findOne([
'password_reset_token' => $token,
'status' => self::STATUS_ACTIVE,
]);
}
public static function isPasswordResetTokenValid($token)
{
if (empty($token)) {
return false;
}
$timestamp = (int) substr($token, strrpos($token, '_') + 1);
$expire = Yii::$app->params['user.passwordResetTokenExpire'];
return $timestamp + $expire >= time();
}
public function getId()
{
return $this->getPrimaryKey();
}
public function getAuthKey()
{
return $this->auth_key;
return $this->hmac_shopify;
}
public function validateAuthKey($authKey)
{
return $this->getAuthKey() === $authKey;
}
public function validatePassword($password)
{
return Yii::$app->security->validatePassword($password, $this->password_hash);
}
public function setPassword($password)
{
$this->password_hash = Yii::$app->security->generatePasswordHash($password);
}
public function generateAuthKey()
{
$this->auth_key = Yii::$app->security->generateRandomString();
$this->room_id = "_r_".Yii::$app->security->generateRandomString();
}
public function generatePasswordResetToken()
{
$this->password_reset_token = Yii::$app->security->generateRandomString() . '_' . time();
}
public function removePasswordResetToken()
{
$this->password_reset_token = null;
}
public static function find()
{
return new UserQuery(get_called_class());
}
}
This is controller :
<?php
namespace api\controllers;
use yii;
use yii\rest\ActiveController;
use \common\models\User;
class RestController extends ActiveController
{
public $modelClass = '\common\models\User';
public $password_hash;
public function behaviors()
{
$behaviors = parent::behaviors();
$behaviors['verbs'] = [
'class' => \yii\filters\VerbFilter::className(),
'actions' => [
'index' => ['get', 'head'],
],
];
$behaviors['access'] = [
'class' => \yii\filters\AccessControl::className(),
'only' => ['index'],
'rules' => [
[
'actions' => ['index'],
'allow' => true,
'roles' => ['@'],
],
],
];
$behaviors['authenticator'] = [
'class' => \yii\filters\auth\HttpBasicAuth::className(),
'auth' => function ($username, $password) {
$user = \common\models\User::findByUsername($username);
if ($user ) {
$password_valid = \common\models\User::validatePassword($password,$user->password_hash);
if($password_valid)
return $user;
}
}
];
return $behaviors;
}
}
Data response from REST AUTH
<pre>
<response>
<item>...</item>
<item>...</item>
<item>...</item>
<item>...</item>
<item>...</item>
<item>...</item>
<item>...</item>
</response>
</pre>