2017 © Pedro Peláez
 

cakephp-plugin cakephp-jwt-auth

sonnt/cakephp-jwt-auth

cake php jwt auth with password

  • Friday, May 12, 2017
  • by sonnt0411
  • Repository
  • 1 Watchers
  • 0 Stars
  • 18 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 2 Versions
  • 0 % Grown

The README.md

CakePHP JWT Authenticate plugin

Plugin containing AuthComponent's authenticate class for authenticating using JSON Web Tokens. You can read about the JSON Web Token specification in detail here.

Requirements

  • CakePHP 3.1+

Installation

composer require sonnt/cakephp-jwt-auth

Usage

In your app's config/bootstrap.php add:

// In config/bootstrap.php
Plugin::load('Sonnt/JwtAuth');

or using cake's console:

./bin/cake plugin load Sonnt/JwtAuth

Configuration:

Set up AuthComponent:

    // In your controller, for e.g. src/Api/AppController.php
    public function initialize()
    {
        parent::initialize();

        $this->loadComponent('Auth', [
            'storage' => 'Memory',
            'authenticate' => [
                'Sonnt/JwtAuth.Jwt' => [
                    'userModel' => 'Users',
                    'fields' => [
                        'username' => 'id'
                    ],

                    'parameter' => 'token',

                    // Boolean indicating whether the "sub" claim of JWT payload
                    // should be used to query the Users model and get user info.
                    // If set to `false` JWT's payload is directly returned.
                    'queryDatasource' => true,
                ]
            ],

            'unauthorizedRedirect' => false,
            'checkAuthIn' => 'Controller.initialize',

            // If you don't have a login action in your application set
            // 'loginAction' to false to prevent getting a MissingRouteException.
            'loginAction' => false
        ]);
    }

Working

The authentication class checks for the token in two locations:

  • HTTP_AUTHORIZATION environment variable:

    It first checks if the token is passed using the Authorization request header. The value should be of the form Bearer <token>. The Authorization header name and the token prefix Bearer can be customized using the options header and prefix respectively.

    Note: Some servers don't populate $_SERVER['HTTP_AUTHORIZATION'] when the Authorization header is set. So it's up to you to ensure that either $_SERVER['HTTP_AUTHORIZATION'] or $_ENV['HTTP_AUTHORIZATION'] is set.

    For example, with Apache you could use the following:

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
    
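  • The query string variable specified using parameter config:

    Next it checks if the token is present in the query string. The default variable name is token and can be customized by using the parameter config shown above. Tokens passed in the query string are recorded in server access logs and browser history, so prefer the Authorization header where possible.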

Token Generation

You can use \Firebase\JWT\JWT::encode() of the firebase/php-jwt lib, which this plugin depends on, to generate tokens.

The payload should have the "sub" (subject) claim whose value is used to query the Users model and find the record matching the "id" field.

You can set the queryDatasource option to false to directly return the token's payload as user info without querying the datasource for a matching user record.
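The token generation described above, as an added example that is not part of the plugin's README or code. The helper names issueToken and peekClaims, the demo key, the 15-minute lifetime and the HS256 choice are assumptions; the signing key must be whatever secret the plugin is configured to verify with.

```php
<?php
// Added example: issuing a token for this plugin with firebase/php-jwt.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;

/**
 * Issue a short-lived HS256 token whose "sub" claim carries the user id,
 * matching 'fields' => ['username' => 'id'] in the AuthComponent config.
 * Assumption: $signingKey is the same secret the plugin verifies with.
 */
function issueToken($userId, $signingKey, $ttlSeconds = 900)
{
    if (strlen($signingKey) < 32) {
        // A short HMAC secret can be guessed offline from one captured token.
        throw new InvalidArgumentException('Signing key must be at least 32 bytes');
    }
    $now = time();
    $payload = [
        'sub' => (string)$userId,    // looked up in Users when queryDatasource is true
        'iat' => $now,
        'exp' => $now + $ttlSeconds, // php-jwt rejects expired tokens on decode
    ];
    return JWT::encode($payload, $signingKey, 'HS256');
}

/**
 * Read the claims without verifying the signature. The payload is only
 * base64url-encoded, not encrypted, so never place secrets in it.
 */
function peekClaims($token)
{
    $segments = explode('.', $token);
    if (count($segments) !== 3) {
        throw new UnexpectedValueException('Not a compact JWT');
    }
    return json_decode(base64_decode(strtr($segments[1], '-_', '+/')), true);
}

// Constructed demo key; in an application load the real secret from configuration.
$key = 'constructed-demo-key-0123456789abcdef';
$token = issueToken(42, $key);
echo "Authorization: Bearer {$token}\n";
print_r(peekClaims($token));
```

With queryDatasource set to false the decoded payload becomes the user info as-is, so include only claims the application is prepared to trust for the token's whole lifetime.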

Further reading

For an end-to-end usage example, check out this blog post by Bravo Kernel.

The Versions

  • dev-master (9999999-dev), 12/05 2017, MIT, by nguyen thanh son
  • 1.0 (1.0.0.0), 12/05 2017, MIT, by nguyen thanh son