
formatd/hmac-authentication
===========================

Neos Flow package that adds an authentication provider for authenticating a flow account using a token with a configurable timeout.

v1.1.4 (3y ago) · MIT · PHP

[Source](https://github.com/Format-D/FormatD.HmacAuthentication) · [Packagist](https://packagist.org/packages/formatd/hmac-authentication)

FormatD.HmacAuthentication
==========================


This package adds an authentication provider that authenticates a Flow account using a token with a configurable timeout. Authentication is done by passing a username, a timestamp and an HMAC. To generate this token, the package provides some ViewHelpers and a service.

Keep in mind: the token can be used multiple times and is not invalidated after use. It becomes invalid only after the timeout.
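A minimal sketch of the username + timestamp + HMAC scheme described above, added here as an example; it is not FormatD.HmacAuthentication's own code. The token layout, the `|` separator, HMAC-SHA256, the key and the function names are all assumptions. It shows why a token stays reusable until the timeout has passed.

```php
<?php
declare(strict_types=1);

// Added illustration: NOT the package's code or its real token format.
// Assumed layout: base64("username|timestamp|hex-hmac"), HMAC-SHA256.
const DEMO_SECRET = 'constructed-demo-key-do-not-reuse'; // constructed sample key

function encodeToken(string $user, int $issuedAt, string $secret): string
{
    if (strpos($user, '|') !== false) {
        throw new InvalidArgumentException('username must not contain the separator');
    }
    $mac = hash_hmac('sha256', $user . '|' . $issuedAt, $secret);
    return base64_encode($user . '|' . $issuedAt . '|' . $mac);
}

/** Returns the username for a valid, unexpired token, otherwise null. */
function validateToken(string $token, int $now, int $timeout, string $secret): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    [$user, $ts, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $ts, $secret);
    // Constant-time comparison; check the MAC before trusting the timestamp.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // No server-side state is kept, so nothing marks a token as "used":
    // the timestamp window is the only thing that ends its validity.
    $age = $now - (int)$ts;
    return ($age >= 0 && $age <= $timeout) ? $user : null;
}

$t0 = 1700000000; // constructed issue time
$token = encodeToken('jane.doe', $t0, DEMO_SECRET);
var_dump(validateToken($token, $t0 + 10, 60, DEMO_SECRET)); // first use, inside the window
var_dump(validateToken($token, $t0 + 20, 60, DEMO_SECRET)); // same token presented again
var_dump(validateToken($token, $t0 + 61, 60, DEMO_SECRET)); // presented after the timeout
$forged = encodeToken('admin', $t0, 'some-other-key');      // MAC made with a different key
var_dump(validateToken($forged, $t0 + 10, 60, DEMO_SECRET));
```

Single-use behaviour would require recording accepted tokens server-side, which a purely stateless timestamp check like this one does not do.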

### Compatibility

Versioning scheme:

```
 1.0.0
 | | |
 | | Bugfix Releases (non breaking)
 | Neos Compatibility Releases (non breaking except framework dependencies)
 Feature Releases (breaking)

```

Releases and compatibility:

| Package version | Neos Flow version |
| --- | --- |
| 1.1.x | >= 6.x |
| 1.0.x | 4.x - 5.x |

Configure the Authentication Provider
-------------------------------------

In addition to your usual PersistedUsernamePasswordProvider, add a second provider of type UsernameHmacTimestampProvider to the configuration. Set the provider option `mainAuthenticationProviderName` to the name of your PersistedUsernamePasswordProvider so that only accounts of that provider can use the magic links.

```
Neos:
  Flow:
    security:
      authentication:
        providers:
          'HmacProvider':
            provider: 'FormatD\HmacAuthentication\Authentication\UsernameHmacTimestampProvider'
            providerOptions:
              # Accounts are looked up under this authentication provider name:
              mainAuthenticationProviderName: 'My.Website:FrontendLoginProvider'
              # optionally only track failed authentication attempts (possible values: 'failed', 'successful', true)
              #trackAuthenticationAttempts: 'failed'
            entryPoint: 'WebRedirect'
            entryPointOptions:
              routeValues:
                '@package': 'My.Website'
                '@controller': 'Authentication'
                '@action': 'index'
```

### Multiple AuthenticationProviders

To use several authentication providers, add them to the `allowedAuthenticationProviders` configuration and pass the authentication provider name as the second parameter to `encodeAuthToken`.

```
FormatD:
  HmacAuthentication:
    allowedAuthenticationProviders:
      user: 'FormatD.UserManagementPlugin:Login'
      singleSignOn: 'Project.Site:SingleSignOnLogin'
```

```
$this->hmacService->encodeAuthToken($accountIdentifier, $authenticationProviderName);
```

Authentication on button click:
-------------------------------


```
{namespace hmacauth=FormatD\HmacAuthentication\ViewHelpers}

```

Authentication with a link (not encouraged):
--------------------------------------------


### Be Aware!

This is a very dangerous way to do authentication, because the login link is recorded, for example, in server log files or cached in proxies. Setting the timeout as low as possible is a must. Always prefer the submit-button solution described above.

### OK, let me do this anyway

There are two ways to generate an authentication link. Use one of the ViewHelpers...

```
{namespace hmacauth=FormatD\HmacAuthentication\ViewHelpers}
Login to MyWebsite
```

```
{namespace hmacauth=FormatD\HmacAuthentication\ViewHelpers}

```

...or use the hmacService directly in your code:

```
	// Requires `use Neos\Flow\Annotations as Flow;` at the top of the class file.

	/**
	 * @Flow\Inject
	 * @var \FormatD\HmacAuthentication\Service\HmacService
	 */
	protected $hmacService;

	public function myFunction() {
		// ...
		$theUserName = 'username';
		// Query string part to append to the login URL
		$loginLinkQueryPart = $this->hmacService->generateHmacAuthenticationQueryStringPart($theUserName);
		// ...
	}
```

Using only AuthToken:
---------------------

If you want to use the auth token in your own code (for example to authenticate something else), use the service class directly:

```
	$authToken = $this->hmacService->encodeAuthToken($theUserName);

	$timestampIdentifierAndHmac = $this->hmacService->decodeAndValidateAuthToken($authToken);
```

