This tutorial describes how you can set up a simple user authentication for CakePHP using the officially supported authentication plugin.
Authentication in web applications deals with the identity of a user, i.e. whether the user is who they claim to be. Authentication is usually realized via username/password, sessions/cookies or JWT/OAuth. Whether a given user is allowed to access a given resource (e.g. a page) is a matter of authorization and is covered in a separate article.
You can install this plugin into your CakePHP application using composer in your application root:
Load the plugin:
Middleware
The authentication plugin is integrated as a PSR-7 middleware. It checks the identity of the user on each request using an authenticator (e.g. the form authenticator with username/password). To use the middleware, our application must implement the AuthenticationServiceProviderInterface and add the middleware in the middleware() method:
Next we implement our getAuthenticationService() method:
Create AuthenticationService
The AuthenticationService is created and configured here. The unauthenticatedRedirect option specifies where unauthenticated users should be redirected. You’ll find further configuration options under configuration.
Add Authenticator
Next we add an Authenticator with loadAuthenticator(). This example uses form-based authentication (Form) and PHP sessions (Session). The Session authenticator should always be loaded first. The form fields are configured in the fields option.
Add Identifier
Finally, the identifier is loaded with loadIdentifier(). If your data model looks different, you can use the resolver option here to set a different one. The passwordHasher option can be used to replace older password hashes with new ones. More on this at https://book.cakephp.org/authentication/2/en/identifiers.html#password
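The complete Application class for the steps above, as an added example that is not the tutorial's own listing; it assumes the users table has email and password columns and that the login action is served at /users/login:

```php
<?php
// src/Application.php (added example, not the tutorial's own listing)
namespace App;

use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceInterface;
use Authentication\AuthenticationServiceProviderInterface;
use Authentication\Middleware\AuthenticationMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Router;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication implements AuthenticationServiceProviderInterface
{
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        // The skeleton app's routing and body-parser middleware must already be
        // queued at this point; the form authenticator reads the parsed request body.
        $middlewareQueue->add(new AuthenticationMiddleware($this));

        return $middlewareQueue;
    }

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $service = new AuthenticationService();
        // Unauthenticated requests to protected actions land on the login page.
        $service->setConfig([
            'unauthenticatedRedirect' => Router::url('/users/login'),
            'queryParam' => 'redirect',
        ]);

        // Assumed column names: "email" and "password" in the users table.
        $fields = ['username' => 'email', 'password' => 'password'];

        // Session first: an existing login is honoured before credentials are re-checked.
        $service->loadAuthenticator('Authentication.Session');
        // loginUrl restricts credential checking to the login route, so a POST
        // to any other action is never treated as a login attempt.
        $service->loadAuthenticator('Authentication.Form', [
            'fields' => $fields,
            'loginUrl' => Router::url('/users/login'),
        ]);
        // The Password identifier looks the user up and verifies the stored hash.
        $service->loadIdentifier('Authentication.Password', compact('fields'));

        return $service;
    }
}
```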
Add the Authentication Controller Component
In our AppController we then load the Authentication Component:
Implement User Login Action
In order for the user to be able to log in, the login() action must be accessible to unauthenticated users. For this purpose, access is allowed with allowUnauthenticated() in the beforeFilter() callback of the UsersController.
The login action uses the Authentication Component and receives the result of the login attempt. If the login attempt was successful, you can forward the user to a specific page.
Next we need a login form for our login() action. We use the FormHelper for this:
Implement User Registration Action
However, there is currently no user in our database with a corresponding password hash. To create one, we change the setter method for the password in the User entity so that it stores the password as a hash:
In order to register new users we create a register() action. This action creates a new entity and the password entered is saved as a hash in the database.
For the corresponding form, the content of the templates/Users/login.php can simply be copied into the template of the register action in templates/Users/register.php.
Via the corresponding URL (in our case http://localhost/users/register) a new user can now be created. You should see this user with the hashed password under http://localhost/users/.