
loadsys/cakephp-stateless-auth
==============================


2.0.0-rc2 (11y ago) | [3 issues](https://github.com/loadsys/CakePHP-Stateless-Auth/issues) | MIT | PHP >= 5.4.0


CakePHP Stateless AuthComponent
===============================


A replacement CakePHP Authentication/Authorization Component that is fully and strictly stateless. Designed to be used with Cake apps that are only accessed RESTfully.

The provided component is intended to replace Cake's stock `AuthComponent`. This replacement `StatelessAuthComponent` is a stripped-down and simplified version that by default looks for an `Authorization` header in the HTTP request and populates `Auth->User()` using the `Bearer [token]` value from that header. (This is instead of the stock AuthComponent's default operation of looking up data from an active `$_SESSION` on repeat connections using the cookie provided by the browser.) It supports pluggable Authenticate and Authorize objects, and the package includes a few that may be of use.

⚠️ This is still unstable software and probably not suitable for public use yet.

Requirements
------------

- PHP >= 5.4.0
- CakePHP >= 2.6

Installation
------------

### Composer

- Run this shell command

```
$ composer require loadsys/cakephp-stateless-auth:dev-master
```

### Setup

Load the plugin and be sure that bootstrap is set to true:

```
// Config/bootstrap.php
CakePlugin::load('StatelessAuth', array('bootstrap' => true));
// or
CakePlugin::loadAll(array(
	'StatelessAuth' => array('bootstrap' => true),
));
```

The [CakePHP book has more information on doing REST APIs](http://book.cakephp.org/2.0/en/development/rest.html) with CakePHP and this feature.

Sample Usage
------------

In your project's `AppController`, change your `$components` array to use this plugin's StatelessAuthComponent, but alias it to allow access by the common name:

```
	public $components = array(
		'Auth' => array(
			'className' => 'StatelessAuth.StatelessAuth',
			'authenticate' => array(
				'className' => 'StatelessAuth.Token',

				// Additional examples:

				// 'userModel' => 'User',
				// 'tokenField' => 'token',
				// 'recursive' => -1,
				// 'contain' => array('Permission'),
				// 'conditions' => array('User.is_active' => true),
				// 'passwordHasher' => 'Blowfish',
			),
		),
		'Paginator',
		'DebugKit.Toolbar',
	);
```

How you authenticate your requests to your Cake app is up to you. If you use the bundled `TokenAuthenticate` object as demonstrated above, you must include an `Authorization` header in your request that includes a `Bearer [token]` that matches a valid token in your User table. The token represents the User's login session, in effect replacing `$_SESSION`. A sample HTTP request might look like the following:

```
GET /users/view HTTP/1.1
Host: vagrant.dev:80
Authorization: Bearer 0193d044dd2034bfdeb1ffa33c5fff9b

```

⚠️ Just like normal Auth, the token will be sent in the clear and could be intercepted and re-used, so be sure to secure your connections using SSL.

`TokenAuthenticate` will attempt to look up a User record using the provided token. You can define the name of your User model to query and the name of the token field to check in the component configuration as shown above.

The StatelessAuthComponent uses this authenticate object by default.
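
The header parsing and token lookup described above, as an added example in plain PHP that is not the plugin's own `TokenAuthenticate` code. The function names and the sample rows are constructed for illustration, and `hash_equals()` assumes PHP >= 5.6:

```php
<?php
// Added example in plain PHP; not the plugin's TokenAuthenticate source.
// Function names and the sample rows are constructed for illustration.

/** Return the token from an Authorization header value, or null if malformed. */
function bearerTokenFromHeader($header) {
	// Scheme match is case-insensitive; token charset follows RFC 6750 (b64token).
	if (!is_string($header)
		|| !preg_match('#^Bearer +([A-Za-z0-9\-._~+/]+=*)$#i', trim($header), $m)
	) {
		return null;
	}
	return $m[1];
}

/** Look up the active user owning $token; false means "respond 401". */
function findUserByToken(array $users, $token) {
	if ($token === null) {
		return false;
	}
	foreach ($users as $user) {
		// hash_equals() (PHP >= 5.6) avoids a timing side channel on the comparison.
		if ($user['is_active'] && hash_equals($user['token'], $token)) {
			unset($user['token']); // keep the credential out of the returned array
			return $user;
		}
	}
	return false;
}

// Constructed rows standing in for the User table.
$users = array(
	array('id' => 1, 'token' => '0193d044dd2034bfdeb1ffa33c5fff9b', 'is_active' => true),
	array('id' => 2, 'token' => 'c0ffee00c0ffee00c0ffee00c0ffee00', 'is_active' => false),
);
$headers = array(
	'Bearer 0193d044dd2034bfdeb1ffa33c5fff9b', // token of an active user
	'Bearer c0ffee00c0ffee00c0ffee00c0ffee00', // token of a deactivated user
	'Bearer ffffffffffffffffffffffffffffffff', // unknown token
	'Basic dXNlcjpwYXNz',                      // wrong scheme
	'Bearer',                                  // scheme without a token
);
foreach ($headers as $header) {
	$user = findUserByToken($users, bearerTokenFromHeader($header));
	printf("%-42s %s\n", $header, $user ? 'user id ' . $user['id'] : '401');
}
```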

You will still access the Component as usual in your controllers:

```
	/**
	 * Allow the logged-in User to view their own record.
	 *
	 * @return void
	 * @throws NotFoundException If the passed id record does not exist
	 */
	public function view() {
		$id = $this->Auth->user('id'); // The authenticated User's id.
		$options = array(
			'conditions' => array(
				'User.' . $this->User->primaryKey => $id,
			),
		);
		$user = $this->User->find('first', $options);
		$this->set(compact('user'));
	}
```

You must define an `::isAuthorized($user)` method either in each controller or your `AppController` that returns true or false based on whether the current `Auth->user()` should be allowed to access the current controller action.

If you wish for all authenticated Users to have access to all methods, you can place the following in your project's AppController:

```
	public function isAuthorized($user) {
		return true;
	}
```

Alternatively, you can supply your own authorization object to perform the appropriate checks yourself. See Cake's cookbook section on [Authorization](http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#authorization) for details.
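
A deny-by-default alternative to `return true`, as an added example in plain PHP that is not part of the plugin. The function name `isAuthorizedFor()` and the action names are hypothetical; in a CakePHP 2.x controller the same logic would sit in `isAuthorized($user)`, reading the action and passed arguments from `$this->request->params`:

```php
<?php
// Added example in plain PHP; function and action names are hypothetical.

/**
 * Deny-by-default authorization decision.
 *
 * @param array $user Authenticated user, as returned by Auth->user()
 * @param string $action Requested controller action
 * @param array $pass Passed URL arguments (e.g. the record id)
 * @return bool
 */
function isAuthorizedFor(array $user, $action, array $pass) {
	$anyUser = array('view', 'logout');   // open to every authenticated user
	$ownerOnly = array('edit', 'delete'); // only on the caller's own record

	if (in_array($action, $anyUser, true)) {
		return true;
	}
	if (in_array($action, $ownerOnly, true)) {
		// Compare as strings: with ==, PHP 5 and 7 treat '7abc' as equal to 7.
		return isset($pass[0], $user['id'])
			&& (string)$pass[0] === (string)$user['id'];
	}
	return false; // anything not listed is refused
}

$user = array('id' => 7); // constructed sample of what Auth->user() returns
$checks = array(
	array('view', array()),        // any authenticated user
	array('edit', array('7')),     // own record
	array('edit', array('8')),     // someone else's record
	array('edit', array('7abc')),  // id that a loose comparison would accept
	array('edit', array()),        // missing id
	array('admin_index', array()), // action not listed anywhere
);
foreach ($checks as $check) {
	list($action, $pass) = $check;
	$decision = isAuthorizedFor($user, $action, $pass) ? 'allow' : 'deny';
	printf("%-12s %-5s %s\n", $action, isset($pass[0]) ? $pass[0] : '-', $decision);
}
```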

Error and Exception Handling Setup
----------------------------------

Errors and Exceptions are handled via a separate CakePHP plugin, included via Composer: [SerializersErrors](https://github.com/loadsys/CakePHP-Serializers-Errors)

Please read the documentation there for more information on the specifics.

Modify your `app/Config/core.php` file to use the Custom Exceptions/Error handling in SerializersErrors.

```
Configure::write('Exception', array(
	'handler' => 'ErrorHandler::handleException',
	'renderer' => 'SerializersErrors.SerializerExceptionRenderer',
	'log' => true,
));
```

This does two things:

- Errors and Exceptions get output as correctly formatted JSON API, JSON or HTML depending on the request type
- Allows the use of Custom Exceptions that match Ember Data exceptions for error cases
- The classes in this plugin use this format to enable easier use for API Authentication Handling

### Swapping authentication and authorization objects

The project comes with additional Auth objects that can be used to extend the functionality surrounding HTTP header authentication. The `TokenLoginLogoutAuthenticate` object, for example, allows you to hook callback behavior into the `Auth->login()` and `Auth->logout()` processes to perform additional Model operations.

See `Controller/Component/Auth/TokenLoginLogoutAuthenticate.php`, specifically `::requireUserModelMethods()` for details and expected method signatures.

@TODO: Write up proper documentation on the callback methods needed.

Contributing
------------

### Reporting Issues

Please use [GitHub Issues](https://github.com/loadsys/CakePHP-Stateless-Auth/issues) for listing any known defects or issues.

### Development

When developing this plugin, please fork and issue a PR for any new development.

The Complete Test Suite for the Plugin can be run via this command:

`./lib/Cake/Console/cake test StatelessAuth AllStatelessAuth`

License
-------

[MIT](https://github.com/loadsys/CakePHP-Stateless-Auth/blob/master/LICENSE.md)

Copyright
---------

[Loadsys Web Strategies](http://www.loadsys.com) 2015

