dereuromark/cakephp-tinyauth-backend
====================================

A CakePHP plugin for DB based authentication and authorization handling

3.2.1 (2w ago) · MIT · PHP >=8.2 · CI passing


CakePHP TinyAuth backend
========================


A database driven backend for CakePHP [TinyAuth plugin](https://github.com/dereuromark/cakephp-tinyauth). This replaces the native INI file approach.

This branch is for use with **CakePHP 5.1+**. For details see [version map](https://github.com/dereuromark/cakephp-tinyauth-backend/wiki#cakephp-version-map).

Installation
------------


Install the plugin with Composer from your CakePHP project's ROOT directory (where the `composer.json` file is located):

```
composer require dereuromark/cakephp-tinyauth-backend
```

This automatically pulls in the `dereuromark/cakephp-tinyauth` dependency.

### Admin Access Requirement


The plugin mounts its admin UI under `/admin/auth`.

As of the current `master`, admin access is **fail-closed outside debug mode**:

- `debug = true`: the admin UI is accessible by default for local setup and demos
- `debug = false`: the admin UI returns `403` unless your app explicitly configures `TinyAuthBackend.editorCheck`

Production apps should always set `TinyAuthBackend.editorCheck` to a callable that decides who may edit TinyAuth rules:

```
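use Cake\Core\Configure;
use Psr\Http\Message\ServerRequestInterface;

// Return true only for identities that may edit TinyAuth rules.
Configure::write(
    'TinyAuthBackend.editorCheck',
    function (mixed $identity, ServerRequestInterface $request): bool {
        // Unauthenticated requests are always denied.
        if ($identity === null) {
            return false;
        }

        // Support both entity-like identities (with get()) and array-like ones.
        $roleId = is_object($identity) && method_exists($identity, 'get')
            ? $identity->get('role_id')
            : ($identity['role_id'] ?? null);

        // Example policy: only role_id 3 may edit; use your app's own role ID.
        return (int)$roleId === 3;
    },
);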
```

### Strict Content-Security-Policy (optional)


The plugin's admin UI is built to run under a strict Content-Security-Policy header — no `script-src 'unsafe-eval'`, no `style-src 'unsafe-inline'`. Inline `<script>` blocks in the layout carry a per-request nonce read from `$this->getRequest()->getAttribute('cspNonce')`, so any host-app middleware that sets that attribute and emits a matching `Content-Security-Policy` header will Just Work.

Two host-app concerns to be aware of:

1. **CSP middleware** — the plugin does not ship its own. Add a small middleware to your app that generates a per-request nonce, exposes it as the `cspNonce` request attribute, and emits a `Content-Security-Policy` header with `'nonce-…'` in `script-src`. The companion [cakephp-tinyauth-demo](https://github.com/dereuromark/cakephp-tinyauth-demo) shows a ~50-line implementation in `src/Middleware/StrictCspMiddleware.php`.
2. **FormHelper `hiddenBlock` template** — out of the box, CakePHP wraps every CSRF token in `<div style="display:none;">…</div>`, which violates strict `style-src`. Override the template once in your `AppView::initialize()`:

    ```
    public function initialize(): void
    {
        $this->loadHelper('Form', [
            'templates' => [
                // Hide the wrapper with the HTML5 attribute instead of an inline style.
                'hiddenBlock' => '<div hidden>{{content}}</div>',
            ],
        ]);
    }
    ```

    This swaps the inline style for the HTML5 `hidden` attribute, which needs no CSS. A single override eliminates one CSP violation per `Form->postLink()` / `Form->postButton()` on every page.

The included `tests/TestCase/CspComplianceTest.php` (template-source scan) and `tests/TestCase/Controller/Admin/RenderedCspComplianceTest.php` (rendered-HTML check) guard against regressions.
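A minimal PSR-15 middleware of the kind described in item 1, as an added example (it is not the demo app's `StrictCspMiddleware.php` and not code from the plugin). The class name `NonceCspMiddleware` and every directive other than the nonce in `script-src` are assumptions to adapt to your app's assets.

```php
<?php
declare(strict_types=1);

namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Hypothetical class name; added example, not part of the plugin or the demo app.
class NonceCspMiddleware implements MiddlewareInterface
{
    public function process(
        ServerRequestInterface $request,
        RequestHandlerInterface $handler,
    ): ResponseInterface {
        // 128 bits from the CSPRNG, generated fresh for every request.
        // A nonce that is reused or predictable gives no protection.
        $nonce = base64_encode(random_bytes(16));

        // Expose it under the attribute name the plugin layout reads.
        $request = $request->withAttribute('cspNonce', $nonce);

        $response = $handler->handle($request);

        // Assumed policy: no 'unsafe-inline' and no 'unsafe-eval' anywhere.
        // Inline scripts run only when they carry the matching nonce.
        $policy = implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}'",
            "style-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'",
        ]);

        return $response->withHeader('Content-Security-Policy', $policy);
    }
}
```

Register it in `Application::middleware()` with `$middlewareQueue->add(new NonceCspMiddleware())`. Pages that carry a nonce should not be served from a shared cache, because a replayed nonce is no longer unpredictable.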

Usage
-----


See [Docs](/docs/README.md).

### Health Score

56 (Fair): better than 98% of packages

- Maintenance: 98. Actively maintained with recent releases
- Popularity: 19. Limited adoption so far
- Community: 13. Small or concentrated contributor base
- Maturity: 78. Established project with proven stability
- Bus Factor: 1. Top contributor holds 99.3% of commits, a single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Release Activity

- Cadence: every ~179 days (recently: every ~5 days)
- Total: 14
- Last release: 14d ago

Major versions:

- 0.1.1 → 1.0.0-beta (2020-12-14)
- 1.1.0 → 2.0.0 (2023-11-08)
- 2.1.1 → 3.0.0-RC (2026-04-11)

PHP version history (6 changes):

- 0.1.0: PHP >=5.6
- 1.0.0-beta: PHP >=7.2
- 1.0.0: PHP >=7.3
- 1.1.0: PHP >=7.4
- 2.0.0: PHP >=8.1
- 2.1.1: PHP >=8.2

### Community

Maintainers: Mark Scherer ([@dereuromark](https://github.com/dereuromark))

Top Contributors: [dereuromark](https://github.com/dereuromark) (147 commits), [Nicks18](https://github.com/Nicks18) (1 commits)

