PdoRepository::authenticate Should Not Return SessionEntity

Open nomadicjosh opened this issue 1 month ago • 1 comment

Currently the Codefy\Framework\Auth\Repository\PdoRepository::authenticate() method returns Qubus\Http\Session\SessionEntity. SessionEntity should only be returned in the context of a session/cookie. The alternative is to return the database result or a DTO. Would love input from others as to what's most desired.

The lines in question are 52-58:

if (Password::verify(password: $password ?? '', hash: $passwordHash)) {
    $user = new UserSession();
    $user->withToken($result->token);

    return $user;
}

If we go the route of returning the database result:

if (Password::verify(password: $password ?? '', hash: $passwordHash)) {
    return $result;
}

If we go the route of a DTO:

final class UserObject
{
    public function __construct(
        protected string $id,
        protected string $token,
        protected string $email
    ) {
    }
}

// in PdoRepository

if (Password::verify(password: $password ?? '', hash: $passwordHash)) {
    return new UserObject(
        $result->user_id,
        $result->token,
        $result->email,
    );
}

The DTO may be overengineering since the token is the only thing used from the result, which is passed to the UserSessionMiddleware through the AuthenticationMiddleware and then to the UserSession entity.

Maybe it's just simpler to return the user token?

if (Password::verify(password: $password ?? '', hash: $passwordHash)) {
    return $result->token;
}

Or UserToken value object?

if (Password::verify(password: $password ?? '', hash: $passwordHash)) {
    return UserToken::fromNative($result->token);
}

nomadicjosh avatar Oct 27 '25 17:10 nomadicjosh
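Added illustration (not Codefy's code, and not from the issue author) of the last option discussed above: the repository verifies the credentials and returns only a UserToken value object, while the session is assembled by the caller. `UserToken`, `InMemoryUserRepository` and the sample rows are stand-ins written for this example, and PHP's built-in `password_verify()`/`password_hash()` replace `Password::verify()`; the real Codefy classes may differ.

```php
<?php
declare(strict_types=1);

// Stand-in for Codefy's UserToken value object (assumption: the real class
// may validate differently). Callers can never receive an empty token.
final class UserToken
{
    private function __construct(private readonly string $token) {}

    public static function fromNative(string $token): self
    {
        if (trim($token) === '') {
            throw new InvalidArgumentException('User token must not be empty.');
        }
        return new self($token);
    }

    public function toNative(): string
    {
        return $this->token;
    }
}

// Repository stand-in: verifies credentials and hands back the token only.
// The row (including its password hash) never leaves this method.
final class InMemoryUserRepository
{
    private readonly string $dummyHash;

    /** @param array<string, array{token: string, hash: string}> $rows constructed sample data */
    public function __construct(private readonly array $rows)
    {
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function authenticate(string $email, ?string $password): ?UserToken
    {
        $row = $this->rows[$email] ?? null;
        // Verify against a dummy hash for unknown users so a failed login
        // takes the same time whether or not the e-mail exists.
        $ok = password_verify($password ?? '', $row['hash'] ?? $this->dummyHash);
        return ($ok && $row !== null) ? UserToken::fromNative($row['token']) : null;
    }
}

// Middleware side: the session is built from the token, not by the repository.
$repo = new InMemoryUserRepository([
    'alice@example.com' => ['token' => 'tok_constructed_sample', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
]);
$token = $repo->authenticate('alice@example.com', 'correct horse');
// Stands in for UserSession::withToken(): only the token string crosses this boundary.
$session = $token === null ? null : ['token' => $token->toNative()];
var_dump($session, $repo->authenticate('alice@example.com', 'wrong password'));
```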