blastanders/myth-auth
=====================

Flexible authentication/authorization system for CodeIgniter 4. Added support for Two-Factor Authentication using authenticator apps.

Version 1.2.8 · License: MIT · Requires PHP ^8.2

Myth:Auth
=========

Flexible, Powerful, Secure auth package for CodeIgniter 4.

Now with two-factor authentication with authenticator apps.
===========================================================

Project Notice
--------------

As of [June 2022](https://forum.codeigniter.com/showthread.php?tid=82003) CodeIgniter now has an official Authentication library, [CodeIgniter Shield](https://www.codeigniter.com/user_guide/libraries/official_packages.html#shield). If you are looking for an authentication solution for a new project then that is the recommended solution.

This project is now maintained by volunteers. If you interact with the project repository there may be delays in receiving a response. Please direct support questions to [GitHub Discussions](https://github.com/blastanders/myth-auth/discussions) or to CodeIgniter's [Forums](https://forum.codeigniter.com/forumdisplay.php?fid=34) or [Slack Channel](https://codeigniterchat.slack.com/).

Requirements
------------

- PHP 7.4+, 8.0+
- CodeIgniter 4.1+

Features
--------

This is meant to be a one-stop shop for 99% of your web-based authentication needs with CI4. It includes the following primary features:

- Password-based authentication with remember-me functionality for web apps
- Flat RBAC per NIST standards, described [here](https://csrc.nist.gov/Projects/Role-Based-Access-Control) and [here](https://pdfs.semanticscholar.org/aeb1/e9676e2d7694f268377fc22bdb510a13fab7.pdf).
- All views necessary for login, registration and forgotten password flows.
- Publish files to the main application via a CLI command for easy customization
- Debug Toolbar integration
- Email-based account verification

Installation
------------

Installation is best done via Composer. Assuming Composer is installed globally, you may use the following command:

```
    > composer require blastanders/myth-auth
```

This will add the latest stable release of **Myth:Auth** as a module to your project.

### Manual Installation

Should you choose not to use Composer to install, you can clone or download this repo and then enable it by editing **app/Config/Autoload.php** and adding the `Myth\Auth` namespace to the `$psr4` array. For example, if you copied it into **app/ThirdParty/**:

```
    $psr4 = [
        'Config'      => APPPATH . 'Config',
        APP_NAMESPACE => APPPATH,
        'App'         => APPPATH,
        'Myth\Auth'   => APPPATH . 'ThirdParty/myth-auth/src',
    ];
```

### Upgrading

Be sure to check the [Changes Docs](https://github.com/blastanders/myth-auth/blob/develop/docs/_changes.md) for necessary steps to take after upgrading versions.

```
    > composer update blastanders/myth-auth
```

Views: Be sure to make a copy of the `$views` array from the module config in **src/Config/Auth.php**.

Configuration
-------------

Once installed you need to configure the framework to use the **Myth\\Auth** library. In your application, perform the following setup:

**0. Copy vendor/blastanders/myth-auth/src/Config/Auth.php to app/Config/Auth.php. All changes to configs should be done in app/Config/Auth.php.**

1. Edit **app/Config/Email.php** and verify that a **fromName** and **fromEmail** are set, as these are used when sending emails for password reset, etc.
2. Edit **app/Config/Validation.php** and add the following value to the **ruleSets** array: `\Myth\Auth\Authentication\Passwords\ValidationRules::class`
3. Ensure your database is set up correctly, then run the Auth migrations:

```
    > php spark migrate -all
```

NOTE: This library uses your application's cache settings to reduce database lookups. If you want to make use of this, simply make sure that you are using a cache engine other than `dummy` and that it is properly set up. The `GroupModel` and `PermissionModel` will handle caching and invalidation in the background for you.

Overview
--------

When first installed, Myth:Auth is set up to provide all of the basic authentication services for you, including new user registration, login/logout, and forgotten password flows.

"Remember Me" functionality is turned off by default though it can be turned on by setting the `$allowRemembering` variable to be `true` in Config/Auth.php.

### Routes

Routes are defined in Auth's **Config/Routes.php** file. This file is automatically located by CodeIgniter when it is processing the routes. If you would like to customize the routes, you should copy the file to the **app/Config** directory, update the namespace, and make your route changes there. You may also use the `$reservedRoutes` property of `Config\Auth` to redirect internal route names.

### Views

Basic views are provided that are based on [Bootstrap 4](https://getbootstrap.com/) for all features.

You can easily override the views used by editing **Config/Auth.php**, and changing the appropriate values within the `$views` variable:

```
public $views = [
    'login'       => 'App\Views\auth\login', // assumes you have a view at app/Views/auth/login.php
    'register'    => 'Myth\Auth\Views\register',
    'forgot'      => 'Myth\Auth\Views\forgot',
    'reset'       => 'Myth\Auth\Views\reset',
    'emailForgot' => 'Myth\Auth\Views\emails\forgot',
];
```

NOTE: If you're not familiar with how views can be namespaced in CodeIgniter, please refer to the section on Code Module support in [the CodeIgniter User Guide](https://codeigniter.com/user_guide/general/modules.html).

Services
--------

The following Services are provided by the package:

**authentication**

Provides access to any of the authentication packages that Myth:Auth knows about. By default it will return the "Local Authentication" library, which is the basic password-based system.

```
    $authenticate = service('authentication');
```

You can specify the library to use as the first argument:

```
    $authenticate = service('authentication', 'jwt');
```

**authorization**

Provides access to any of the authorization libraries that Myth:Auth knows about. By default it will return the "Flat" authorization library, which is a Flat RBAC (role-based access control) as defined by NIST. It provides user-specific permissions as well as group (role) based permissions.

```
    $authorize = service('authorization');
```

**passwords**

Provides direct access to the Password validation system. This is an expandable system that currently supports many of [NIST's latest Digital Identity guidelines](https://pages.nist.gov/800-63-3/). The validator comes with a dictionary of over 620,000 common/leaked passwords that can be checked against. A handful of variations on the user's email/username are automatically checked against.

```
    $authenticate = service('passwords');
```

Most of the time you should not need to access this library directly, though, as a new Validation rule is provided that can be used with the Validation library, `strong_password`. In order to enable this, you must first edit **app/Config/Validation.php** and add the new ruleset to the available rule sets:

```
     public $ruleSets = [
        \CodeIgniter\Validation\Rules::class,
        \CodeIgniter\Validation\FormatRules::class,
        \CodeIgniter\Validation\FileRules::class,
        \CodeIgniter\Validation\CreditCardRules::class,
        \Myth\Auth\Authentication\Passwords\ValidationRules::class,
    ];
```

Now you can use `strong_password` in any set of rules for validation:

```
    $validation->setRules([
        'username' => 'required',
        'password' => 'required|strong_password'
    ]);
```

Helper Functions
----------------

Myth:Auth comes with its own [Helper](https://codeigniter4.github.io/CodeIgniter4/general/helpers.html) that includes the following helper functions to ease access to basic features. Be sure to load the helper before using these functions: `helper('auth');`

**Hint**: Add `'auth'` to any controller's `$helpers` property to have it loaded automatically, or do the same in **app/Controllers/BaseController.php** to have it globally available. The auth filters all pre-load the helper, so it is available on any filtered route.

**logged\_in()**

- Function: Checks to see if any user is logged in.
- Parameters: None
- Returns: `true` or `false`

**user()**

- Function: Returns the User instance for the current logged in user.
- Parameters: None
- Returns: The current User entity, or `null`

**user\_id()**

- Function: Returns the User ID for the current logged in user.
- Parameters: None
- Returns: The current User's integer ID, or `null`

**in\_groups()**

- Function: Ensures that the current user is in at least one of the passed in groups.
- Parameters: Group IDs or names, as either a single item or an array of items.
- Returns: `true` or `false`

**has\_permission()**

- Function: Ensures that the current user has at least one of the passed in permissions.
- Parameters: Permission ID or name.
- Returns: `true` or `false`

Users
-----

Myth:Auth uses [CodeIgniter Entities](https://codeigniter4.github.io/CodeIgniter4/models/entities.html) for its User object, and your application must also use that class. This class provides automatic password hashing as well as utility methods for banning/un-banning, password reset hash generation, and more.

It also provides a UserModel that should be used as it provides methods needed during the password-reset flow, as well as basic validation rules. You are free to extend this class or modify it as needed.

The UserModel can automatically assign a role during user creation. Pass the group name to the `withGroup()` method prior to calling `insert()` or `save()` to create a new user and the user will be automatically added to that group.

```
    $user = $userModel
                ->withGroup('guests')
                ->insert($data);
```

User registration already handles this for you, and looks to the Auth config file's `$defaultUserGroup` setting for the name of the group to add the user to. Please keep in mind that the `$defaultUserGroup` variable is not set by default.

### Toolbar

Myth:Auth includes a toolbar collector to make it easy for developers to work with and troubleshoot the authentication process. To enable the collector, edit **app/Config/Toolbar.php** and add it to the list of active collectors:

```
    public $collectors = [
        \CodeIgniter\Debug\Toolbar\Collectors\Timers::class,
        \CodeIgniter\Debug\Toolbar\Collectors\Database::class,
        // ...
        \Myth\Auth\Collectors\Auth::class,
    ];
```

Restricting by Route
--------------------

If you specify each of your routes within the `app/Config/Routes.php` file, you can restrict access to users by group/role or permission with [Controller Filters](https://codeigniter4.github.io/CodeIgniter4/incoming/filters.html).

First, edit `app/Config/Filters.php` and add the following entries to the `aliases` property:

```
    'login'      => \Myth\Auth\Filters\LoginFilter::class,
    'role'       => \Myth\Auth\Filters\RoleFilter::class,
    'permission' => \Myth\Auth\Filters\PermissionFilter::class,
```

**Global restrictions**

The role and permission filters require additional parameters, but `LoginFilter` can be used to restrict portions of a site (or the entire site) to any authenticated user. If no logged in user is detected then the filter will redirect users to the login form.

Restrict routes based on their URI pattern by editing **app/Config/Filters.php** and adding them to the `$filters` array, e.g.:

```
public $filters = [
    'login' => ['before' => ['account/*']],
];
```

Or restrict your entire site by adding the `LoginFilter` to the `$globals` array:

```
    public $globals = [
        'before' => [
            'honeypot',
            'login',
            // ...
        ],
    ];
```

**Restricting a single route**

Any single route can be restricted by adding the `filter` option to the last parameter in any of the route definition methods:

```
$routes->get('admin/users', 'UserController::index', ['filter' => 'permission:manage-user']);
$routes->get('admin/users', 'UserController::index', ['filter' => 'role:admin,superadmin']);
```

The filter can be either `role` or `permission`, which restricts the route by either group or permission. You must add a comma-separated list of groups or permissions to check the logged in user against.

**Restricting Route Groups**

In the same way, entire groups of routes can be restricted within the `group()` method:

```
$routes->group('admin', ['filter' => 'role:admin,superadmin'], function($routes) {
    ...
});
```
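
As a second layer behind the route filters above, the same checks can be made inside a controller with the helper functions, which also covers a request that reaches the controller through a route no filter was attached to. This is an added example, not code from the Myth:Auth project; the controller name, the `/login` URL and the group and permission names are assumptions, and `Myth\Auth\Models\UserModel` is taken to be the package's UserModel described in the Users section.

```php
<?php

namespace App\Controllers;

use Myth\Auth\Models\UserModel;

// Hypothetical controller: the class name, the '/login' URL, the 'admin' and
// 'superadmin' groups and the 'manage-user' permission are assumptions.
class AdminUsers extends BaseController
{
    // Load the Myth:Auth helper here so the checks below work even when the
    // request did not pass through one of the auth filters.
    protected $helpers = ['auth'];

    public function delete(int $id)
    {
        // Authentication: anonymous requests are sent to the login form.
        if (! logged_in()) {
            return redirect()->to('/login');
        }

        // Authorization: in_groups() and has_permission() each pass when ANY
        // listed item matches, so combine them to require a role AND a permission.
        if (! in_groups(['admin', 'superadmin']) || ! has_permission('manage-user')) {
            log_message('warning', 'Denied user {uid} on {uri}', [
                'uid' => user_id(),
                'uri' => uri_string(),
            ]);

            return $this->response->setStatusCode(403);
        }

        // Business rule: an administrator may not delete their own account.
        if ($id === (int) user_id()) {
            return $this->response
                ->setStatusCode(400)
                ->setBody('Cannot delete your own account.');
        }

        model(UserModel::class)->delete($id);

        // Record who performed the privileged action and on which account.
        log_message('notice', 'User {uid} deleted account {target}', [
            'uid'    => user_id(),
            'target' => $id,
        ]);

        return redirect()->back();
    }
}
```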

Customization
-------------

See the [Extending](docs/extending.md) documentation.

