admad / cakephp-jwt-auth
CakePHP plugin for authenticating using JSON Web Tokens
Installs: 581 194
Dependents: 14
Suggesters: 1
Security: 0
Stars: 163
Watchers: 19
Forks: 44
Open Issues: 0
Type:cakephp-plugin
Requires
- cakephp/cakephp: ^4.0
- firebase/php-jwt: ^5.0
Requires (Dev)
- phpunit/phpunit: ~8.5.0
README
Plugin containing AuthComponent's authenticate class for authenticating using JSON Web Tokens. You can read about JSON Web Token specification in detail here.
Installation
composer require admad/cakephp-jwt-auth
Usage
Load the plugin using Cake's console:
./bin/cake plugin load ADmad/JwtAuth
Configuration:
Setup AuthComponent
:
// In your controller, for e.g. src/Api/AppController.php public function initialize(): void { parent::initialize(); $this->loadComponent('Auth', [ 'storage' => 'Memory', 'authenticate' => [ 'ADmad/JwtAuth.Jwt' => [ 'userModel' => 'Users', 'fields' => [ 'username' => 'id' ], 'parameter' => 'token', // Boolean indicating whether the "sub" claim of JWT payload // should be used to query the Users model and get user info. // If set to `false` JWT's payload is directly returned. 'queryDatasource' => true, ] ], 'unauthorizedRedirect' => false, 'checkAuthIn' => 'Controller.initialize', // If you don't have a login action in your application, set // 'loginAction' to empty string to prevent getting a MissingRouteException. 'loginAction' => '', ]); }
Working
The authentication class checks for the token in two locations:
-
HTTP_AUTHORIZATION
environment variable:It first checks if token is passed using
Authorization
request header. The value should be of formBearer <token>
. TheAuthorization
header name and token prefixBearer
can be customized using optionsheader
andprefix
respectively. -
The query string variable specified using
parameter
config:Next it checks if the token is present in query string. The default variable name is
token
and can be customzied by using theparameter
config shown above.
Known Issue
Some servers don't populate $_SERVER['HTTP_AUTHORIZATION']
when
Authorization
header is set. So it's up to you to ensure that either
$_SERVER['HTTP_AUTHORIZATION']
or $_ENV['HTTP_AUTHORIZATION']
is set.
For e.g. for apache you could use the following:
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
or
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
Token Generation
You can use \Firebase\JWT\JWT::encode()
of the firebase/php-jwt
lib, which this plugin depends on, to generate tokens.
The payload must have the "sub" (subject) claim whose value is used to query the Users model and find record matching the "id" field.
Ideally you should also specify the token expiry time using exp
claim.
You can set the queryDatasource
option to false
to directly return the token's
payload as user info without querying datasource for matching user record.
Further reading
For an end to end usage example check out this blog post by Bravo Kernel.