
salines/cakephp-verification
============================

Verification and step-up authentication for CakePHP 5: email verification links, Email OTP, SMS OTP, and TOTP.

1.0.0 (4mo ago) · MIT · PHP ^8.2 · CI passing


CakePHP Verification
====================

[![CI](https://github.com/salines/cakephp-verification/actions/workflows/ci.yml/badge.svg)](https://github.com/salines/cakephp-verification/actions/workflows/ci.yml)

A CakePHP 5.x plugin for step-up verification and MFA: email verification links, Email OTP, SMS OTP, and TOTP (authenticator apps).

Features
--------

- `emailVerify` — email verification link
- `emailOtp` — email one-time code
- `smsOtp` — SMS one-time code
- `totp` — TOTP / authenticator apps (RFC 6238, no external library needed for code generation)
- Pluggable SMS transports (dummy driver included)
- Optional at-rest encryption of the TOTP secret (Sodium or AES-256-GCM)
- Rate-limiting, lockout, and resend cooldown for OTP codes
- `VerificationComponent` handles all controller logic (auto-start, verify, mark verified, redirect)

Requirements
------------

- PHP 8.2+
- CakePHP 5.3+
- cakephp/authentication ^4.0
- bacon/bacon-qr-code (optional, for SVG QR rendering in TOTP enrollment)

How It Works
------------

The plugin adds two verification gates to your application:

**1. Setup flow** — runs once, immediately after registration. The user must complete every step listed in `requiredSetupSteps` before they can access the app. Steps are executed in order:

1. `emailVerify` — user receives a confirmation link; clicks it to confirm their address. Until confirmed, all other steps are blocked.
2. OTP enrollment — if `emailOtp`, `smsOtp`, or `totp` are listed, the user enrolls in the chosen method (enters a code, scans a QR, etc.).

> If more than one OTP driver is listed in `requiredSetupSteps` the user is first directed to a **choose-verification** screen where they pick which method they want to use. See [docs/verification\_flow.md](docs/verification_flow.md).

**2. Login flow** — runs on every subsequent login, after the user authenticates with their password. The plugin checks which OTP method the user enrolled in and redirects them to enter a code before they reach the app.

The plugin relies on the CakePHP Authentication identity object to identify the current user. It does not manage its own session. Persistent verification results (`email_verified_at`, `totp_secret`, `verification_preferences`, …) are written to your `users` table. OTP codes and rate-limiting state are stored temporarily in the CakePHP Cache (auto-deleted after use or expiry).
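For the `totp` step, RFC 6238 code generation needs only PHP built-ins. The sketch below is an added example, not the plugin's own code: `totp_at()` and `totp_verify()` are hypothetical names, and the `$lastUsed` counter is assumed to be stored per user next to `totp_secret` so that an accepted code cannot be replayed.

```php
<?php
declare(strict_types=1);

// Added illustration of RFC 6238 using PHP built-ins; not the plugin's API.
// $secret is raw bytes: a base32 secret from an otpauth:// URI must be decoded first.

/** HOTP (RFC 4226) over a 64-bit big-endian counter; TOTP feeds it floor(time / step). */
function totp_at(string $secret, int $time, int $step = 30, int $digits = 6, string $algo = 'sha1'): string
{
    $counter = pack('J', intdiv($time, $step));
    $mac = hash_hmac($algo, $counter, $secret, true);
    $offset = ord($mac[strlen($mac) - 1]) & 0x0F;                 // dynamic truncation
    $bin = unpack('N', substr($mac, $offset, 4))[1] & 0x7FFFFFFF; // 31-bit value
    return str_pad((string)($bin % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

/**
 * Accept a 6-digit code within $window 30-second steps of $now.
 * Returns the matched step counter (persist it as the new $lastUsed) or null.
 */
function totp_verify(string $secret, string $code, int $now, int $lastUsed = -1, int $window = 1): ?int
{
    $current = intdiv($now, 30);
    $match = null;
    for ($c = $current - $window; $c <= $current + $window; $c++) {
        // Skip counters already consumed; compare in constant time, no early exit.
        if ($c > $lastUsed && hash_equals(totp_at($secret, $c * 30), $code)) {
            $match = $c;
        }
    }
    return $match;
}

// Self-check against the RFC 6238 Appendix B vector (SHA-1, T = 59 s, 8 digits).
$secret = '12345678901234567890';
var_dump(totp_at($secret, 59, 30, 8) === '94287082');

// Constructed demo: a code from the previous step is accepted once, then refused.
$code = totp_at($secret, 59);
$step = totp_verify($secret, $code, 75);
var_dump($step, totp_verify($secret, $code, 75, $step));
```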

Installation
------------

```
composer require salines/cakephp-verification
bin/cake plugin load Verification
bin/cake verification:install
```

Add the required columns to your `users` table (see migration example in the full guide), then implement the `UsersController` actions.

See [docs/installation.md](docs/installation.md) for the full installation guide.

Configuration
-------------

Open `config/verification.php` and set the steps your app needs:

```
'Verification' => [
    'enabled' => true,

    // Available steps: 'emailVerify', 'emailOtp', 'smsOtp', 'totp'
    // emailVerify always runs first (blocks other steps until confirmed).
    // If more than one OTP step is listed, the user is asked to choose one.
    'requiredSetupSteps' => ['emailVerify', 'emailOtp'],

    'routing' => [
        'nextRoute'               => ['plugin' => false, 'controller' => 'Users', 'action' => 'verify'],
        'pendingRoute'            => ['plugin' => false, 'controller' => 'Users', 'action' => 'pending'],
        'enrollRoute'             => ['plugin' => false, 'controller' => 'Users', 'action' => 'enroll'],
        'enrollPhoneRoute'        => ['plugin' => false, 'controller' => 'Users', 'action' => 'enrollPhone'],
        'chooseVerificationRoute' => ['plugin' => false, 'controller' => 'Users', 'action' => 'chooseVerification'],
        'onVerifiedRoute'         => ['plugin' => false, 'controller' => 'Users', 'action' => 'index'],
    ],

    'storage' => [
        'maxAttempts'    => 5,
        'lockoutSeconds' => 900,
        'resendCooldown' => 60,
    ],
],
```

See [docs/configuration.md](docs/configuration.md) for the full configuration reference.
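How the three `storage` limits can interact is easiest to see in code. This is an added example, not the plugin's implementation: `OtpGate`, its in-memory array (standing in for the cache), the keyed hash and the `codeTtl` value are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not the plugin's code; OtpGate and its array store are hypothetical.
final class OtpGate
{
    private array $store = []; // user => [mac, sent, fails, lockedUntil]; stands in for the cache
    public function __construct(
        private string $key,               // server-side secret for the keyed hash
        private int $maxAttempts = 5,      // mirrors 'maxAttempts'
        private int $lockoutSeconds = 900, // mirrors 'lockoutSeconds'
        private int $resendCooldown = 60,  // mirrors 'resendCooldown'
        private int $codeTtl = 300,        // assumed code lifetime, not from the page
    ) {}

    public function issue(string $user, int $now): ?string
    {
        $s = $this->store[$user] ?? null;
        if ($s !== null && ($now < $s['lockedUntil'] || $now - $s['sent'] < $this->resendCooldown)) {
            return null; // locked out, or resend requested too soon
        }
        $code = str_pad((string)random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        // Keyed hash, not the code; 'fails' survives resends so a new code does not refill the budget.
        $this->store[$user] = ['mac' => hash_hmac('sha256', $code, $this->key), 'sent' => $now,
            'fails' => $s['fails'] ?? 0, 'lockedUntil' => 0];
        return $code;
    }

    public function verify(string $user, string $code, int $now): string
    {
        $s = $this->store[$user] ?? null;
        if ($s === null) return 'no_code';
        if ($now < $s['lockedUntil']) return 'locked';
        if ($s['mac'] === null || $now - $s['sent'] > $this->codeTtl) return 'expired';
        if (hash_equals($s['mac'], hash_hmac('sha256', $code, $this->key))) {
            unset($this->store[$user]); // single use: delete on success
            return 'ok';
        }
        if (++$s['fails'] >= $this->maxAttempts) { // burn the code and start the lockout
            $s = ['mac' => null, 'sent' => $s['sent'], 'fails' => 0, 'lockedUntil' => $now + $this->lockoutSeconds];
        }
        $this->store[$user] = $s;
        return $s['lockedUntil'] > $now ? 'locked' : 'invalid';
    }
}

// Constructed demo: wrong guesses exhaust the budget, and the lockout then blocks a resend.
$g = new OtpGate(random_bytes(32));
$g->issue('u1', 1000);
for ($i = 1; $i <= 5; $i++) echo $g->verify('u1', 'wrong!', 1000 + $i), ' ';
var_dump($g->issue('u1', 1100));
```

The lockout is checked before expiry on purpose: otherwise a code that expires during a lockout would clear the lock early.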

Setup
-----

### Component

Load `VerificationComponent` alongside `Authentication` in `AppController`:

```
// src/Controller/AppController.php
public function initialize(): void
{
    parent::initialize();
    $this->loadComponent('Flash');
    $this->loadComponent('Authentication.Authentication');
    $this->loadComponent('CakeVerification.Verification');
}
```

See [docs/verification\_component.md](docs/verification_component.md) for the full component API.

### Helper

`VerificationHelper` is auto-loaded by the plugin. It provides `qrCode()` for TOTP enrollment views and `lastSmsCode()` for debug-mode SMS inspection.

See [docs/verification\_helper.md](docs/verification_helper.md) for details.

Available Steps
---------------

| Key | Type | Description |
| --- | --- | --- |
| `emailVerify` | Setup only | Send link by email; user clicks to confirm |
| `emailOtp` | Setup/Login | Send numeric code by email |
| `smsOtp` | Setup/Login | Send numeric code by SMS |
| `totp` | Setup/Login | TOTP code from authenticator app (RFC 6238) |

Documentation
-------------

| Topic | File |
| --- | --- |
| Verification flows (setup, login, OTP choice) | [docs/verification\_flow.md](docs/verification_flow.md) |
| Installation | [docs/installation.md](docs/installation.md) |
| Configuration reference | [docs/configuration.md](docs/configuration.md) |
| Environment variables | [docs/env.md](docs/env.md) |
| UsersController actions | [docs/users\_controller.md](docs/users_controller.md) |
| VerificationComponent | [docs/verification\_component.md](docs/verification_component.md) |
| VerificationHelper | [docs/verification\_helper.md](docs/verification_helper.md) |
| Email verification & Email OTP | [docs/email\_verification.md](docs/email_verification.md) |
| SMS OTP | [docs/sms\_verification.md](docs/sms_verification.md) |
| TOTP | [docs/totp\_verification.md](docs/totp_verification.md) |
| Enable / disable individual steps | [docs/verificator\_enable\_disable.md](docs/verificator_enable_disable.md) |
| API reference | [docs/api/index.md](docs/api/index.md) |

License
-------

MIT License. See [LICENSE](LICENSE) for details.

