Class DigestAuthenticate

Digest Authentication adapter for AuthComponent.

Provides Digest HTTP authentication support for AuthComponent.

Using Digest auth

In your controller's components array, add auth + the required config

 public $components = [
     'Auth' => [
         'authenticate' => ['Digest']
     ]
 ];

You should also set AuthComponent::$sessionKey = false; in your AppController's beforeFilter() to prevent CakePHP from sending a session cookie to the client.

Since HTTP Digest Authentication is stateless you don't need a login() action in your controller. The user credentials will be checked on each request. If valid credentials are not provided, required authentication headers will be sent by this authentication provider which triggers the login dialog in the browser/client.

You may also want to use $this->Auth->unauthorizedRedirect = false;. This causes AuthComponent to throw a ForbiddenException exception instead of redirecting to another page.

Generating passwords compatible with Digest authentication.

DigestAuthenticate requires a special password hash that conforms to RFC2617. You can generate this password using DigestAuthenticate::password()

$digestPass = DigestAuthenticate::password($username, $password, env('SERVER_NAME'));

If you wish to use digest authentication alongside other authentication methods, it's recommended that you store the digest authentication separately. For example User.digest_pass could be used for a digest password, while User.password would store the password hash for use with other methods like Basic or Form.

Namespace: Cake\Auth

Property Summary

$_config protected

array

Runtime config
$_configInitialized protected

bool

Whether the config property has already been configured with defaults
$_defaultConfig protected

array

Default config for this object.
$_needsPasswordRehash protected

bool

Whether or not the user authenticated by this class requires their password to be rehashed with another algorithm.
$_passwordHasher protected

Cake\Auth\AbstractPasswordHasher

Password hasher instance.
$_registry protected

Cake\Controller\ComponentRegistry

A Component registry, used to get more components.

Method Summary

__construct() public

Constructor
_configDelete() protected

Deletes a single config key.
_configRead() protected

Reads a config key.
_configWrite() protected

Writes a config key.
_findUser() protected

Find a user record using the username and password provided.
_getDigest() protected

Gets the digest headers from the request/environment.
_query() protected

Get query object for fetching user from database.
authenticate() public

Authenticate a user using HTTP auth. Will use the configured User model and attempt a login using HTTP auth.
config() public deprecated

Gets/Sets the config.
configShallow() public

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.
generateNonce() protected

Generate a nonce value that is validated in future requests.
generateResponseHash() public

Generate the response hash for a given digest array.
getConfig() public

Returns the config.
getUser() public

Get a user based on information in the request. Used by cookie-less auth for stateless clients.
implementedEvents() public

Returns a list of all events that this authenticate class will listen to.
loginHeaders() public

Generate the login headers
needsPasswordRehash() public

Returns whether or not the password stored in the repository for the logged in user requires to be rehashed with another algorithm
parseAuthData() public

Parse the digest authentication headers and split them up.
password() public static

Creates an auth digest password hash to store
passwordHasher() public

Return password hasher object
setConfig() public

Sets the config.
unauthenticated() public

Handles an unauthenticated access attempt by sending appropriate login headers
validNonce() protected

Check the nonce to ensure it is valid and not expired.

Method Detail

__construct() ¶ public

__construct(Cake\Controller\ComponentRegistry $registry, array $config = [])

Constructor

Besides the keys specified in BaseAuthenticate::$_defaultConfig, DigestAuthenticate uses the following extra keys:

secret The secret to use for nonce validation. Defaults to Security.salt.
realm The realm authentication is for, Defaults to the servername.
qop Defaults to 'auth', no other values are supported at this time.
opaque A string that must be returned unchanged by clients. Defaults to md5($config['realm'])
nonceLifetime The number of seconds that nonces are valid for. Defaults to 300.

Parameters

Cake\Controller\ComponentRegistry $registry: The Component registry used on this request.
array $config optional: Array of config to use.

_configDelete() ¶ protected

_configDelete(string $key): void

Deletes a single config key.

Parameters

string $key: Key to delete.

Returns

void

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead() ¶ protected

_configRead(string|null $key): mixed

Reads a config key.

Parameters

string|null $key: Key to read.

Returns

mixed

_configWrite() ¶ protected

_configWrite(string|array $key, mixed $value, bool|string $merge = false): void

Writes a config key.

Parameters

string|array $key: Key to write to.
mixed $value: Value to write.
bool|string $merge optional: True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Returns

void

Throws

Cake\Core\Exception\Exception
if attempting to clobber existing config

_findUser() ¶ protected

_findUser(string $username, string|null $password = null): bool|array

Find a user record using the username and password provided.

Input passwords will be hashed even when a user doesn't exist. This helps mitigate timing attacks that are attempting to find valid usernames.

Parameters

string $username: The username/identifier.
string|null $password optional: The password, if not provided password checking is skipped and result of find is returned.

Returns

bool|array

Either false on failure, or an array of user data.

_getDigest() ¶ protected

_getDigest(Cake\Http\ServerRequest $request): array|bool

Gets the digest headers from the request/environment.

Parameters

Cake\Http\ServerRequest $request: Request object.

Returns

array|bool

Array of digest information.

_query() ¶ protected

_query(string $username): Cake\ORM\Query

Get query object for fetching user from database.

Parameters

string $username: The username/identifier.

Returns

Cake\ORM\Query

authenticate() ¶ public

authenticate(Cake\Http\ServerRequest $request, Cake\Http\Response $response): mixed

Authenticate a user using HTTP auth. Will use the configured User model and attempt a login using HTTP auth.

Parameters

Cake\Http\ServerRequest $request: The request to authenticate with.
Cake\Http\Response $response: The response to add headers to.

Returns

mixed

Either false on failure, or an array of user data on success.

config() ¶ public

config(string|array|null $key = null, mixed|null $value = null, bool $merge = true): mixed

Gets/Sets the config.

Usage

Reading the whole config:

$this->config();

Reading a specific value:

$this->config('key');

Reading a nested value:

$this->config('some.nested.key');

Setting a specific value:

$this->config('key', $value);

Setting a nested value:

$this->config('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->config(['one' => 'value', 'another' => 'value']);

Parameters

string|array|null $key optional: The key to get/set, or a complete array of configs.
mixed|null $value optional: The value to set.
bool $merge optional: Whether to recursively merge or overwrite existing config, defaults to true.

Returns

mixed

Config value being read, or the object itself on write operations.

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

configShallow() ¶ public

configShallow(string|array $key, mixed|null $value = null): $this

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key: The key to set, or a complete array of configs.
mixed|null $value optional: The value to set.

Returns

$this

generateNonce() ¶ protected

generateNonce(): string

Generate a nonce value that is validated in future requests.

Returns

string

generateResponseHash() ¶ public

generateResponseHash(array $digest, string $password, string $method): string

Generate the response hash for a given digest array.

Parameters

array $digest: Digest information containing data from DigestAuthenticate::parseAuthData().
string $password: The digest hash password generated with DigestAuthenticate::password()
string $method: Request method

Returns

string

Response hash

getConfig() ¶ public

getConfig(string|null $key = null): mixed

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Parameters

string|null $key optional: The key to get or null for the whole config.

Returns

mixed

Config value being read.

getUser() ¶ public

getUser(Cake\Http\ServerRequest $request): mixed

Get a user based on information in the request. Used by cookie-less auth for stateless clients.

Parameters

Cake\Http\ServerRequest $request: Request object.

Returns

mixed

Either false or an array of user information

implementedEvents() ¶ public

implementedEvents(): array

Returns a list of all events that this authenticate class will listen to.

An authenticate class can listen to following events fired by AuthComponent:

Auth.afterIdentify - Fired after a user has been identified using one of configured authenticate class. The callback function should have signature like afterIdentify(Event $event, array $user) when $user is the identified user record.
Auth.logout - Fired when AuthComponent::logout() is called. The callback function should have signature like logout(Event $event, array $user) where $user is the user about to be logged out.

Returns

array

List of events this class listens to. Defaults to [].

loginHeaders() ¶ public

loginHeaders(Cake\Http\ServerRequest $request): string

Generate the login headers

Parameters

Cake\Http\ServerRequest $request: Request object.

Returns

string

Headers for logging in.

needsPasswordRehash() ¶ public

needsPasswordRehash(): bool

Returns whether or not the password stored in the repository for the logged in user requires to be rehashed with another algorithm

Returns

bool

parseAuthData() ¶ public

parseAuthData(string $digest): array|null

Parse the digest authentication headers and split them up.

Parameters

string $digest: The raw digest authentication headers.

Returns

array|null

An array of digest authentication headers

password() ¶ public static

password(string $username, string $password, string $realm): string

Creates an auth digest password hash to store

Parameters

string $username: The username to use in the digest hash.
string $password: The unhashed password to make a digest hash for.
string $realm: The realm the password is for.

Returns

string

the hashed password that can later be used with Digest authentication.

passwordHasher() ¶ public

passwordHasher(): Cake\Auth\AbstractPasswordHasher

Return password hasher object

Returns

Cake\Auth\AbstractPasswordHasher

Password hasher instance

Throws

RuntimeException
If password hasher class not found or it does not extend AbstractPasswordHasher

setConfig() ¶ public

setConfig(string|array $key, mixed|null $value = null, bool $merge = true): $this

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);

Parameters

string|array $key: The key to set, or a complete array of configs.
mixed|null $value optional: The value to set.
bool $merge optional: Whether to recursively merge or overwrite existing config, defaults to true.

Returns

$this

Throws

Cake\Core\Exception\Exception
When trying to set a key that is invalid.

unauthenticated() ¶ public

unauthenticated(Cake\Http\ServerRequest $request, Cake\Http\Response $response): void

Handles an unauthenticated access attempt by sending appropriate login headers

Null - No action taken, AuthComponent should return appropriate response.
Cake\Http\Response - A response object, which will cause AuthComponent to simply return that response.

Parameters

Cake\Http\ServerRequest $request: A request object.
Cake\Http\Response $response: A response object.

Returns

void

Throws

Cake\Network\Exception\UnauthorizedException

validNonce() ¶ protected

validNonce(string $nonce): bool

Check the nonce to ensure it is valid and not expired.

Parameters

string $nonce: The nonce value to check.

Returns

bool

Property Detail

`$_config` ¶ protected

Runtime config

Type

array

`$_configInitialized` ¶ protected

Whether the config property has already been configured with defaults

Type

bool

`$_defaultConfig` ¶ protected

Default config for this object.

fields The fields to use to identify a user by.
userModel The alias for users table, defaults to Users.
finder The finder method to use to fetch user record. Defaults to 'all'. You can set finder name as string or an array where key is finder name and value is an array passed to Table::find() options. E.g. ['finderName' => ['some_finder_option' => 'some_value']]
passwordHasher Password hasher class. Can be a string specifying class name or an array containing className key, any other keys will be passed as config to the class. Defaults to 'Default'.
Options scope and contain have been deprecated since 3.1. Use custom finder instead to modify the query to fetch user record.

Type

array

`$_needsPasswordRehash` ¶ protected

Whether or not the user authenticated by this class requires their password to be rehashed with another algorithm.

Type

bool

`$_passwordHasher` ¶ protected

Password hasher instance.

Type

Cake\Auth\AbstractPasswordHasher

`$_registry` ¶ protected

A Component registry, used to get more components.

Type

Cake\Controller\ComponentRegistry

Namespaces

Class DigestAuthenticate

Using Digest auth

Generating passwords compatible with Digest authentication.

Property Summary

Method Summary

__construct() public

_configDelete() protected

_configRead() protected

_configWrite() protected

_findUser() protected

_getDigest() protected

_query() protected

authenticate() public

config() public deprecated

configShallow() public

generateNonce() protected

generateResponseHash() public

getConfig() public

getUser() public

implementedEvents() public

loginHeaders() public

needsPasswordRehash() public

parseAuthData() public

password() public static

passwordHasher() public

setConfig() public

unauthenticated() public

validNonce() protected

Method Detail

__construct() ¶ public

Parameters

_configDelete() ¶ protected

Parameters

Returns

Throws

_configRead() ¶ protected

Parameters

Returns

_configWrite() ¶ protected

Parameters

Returns

Throws

_findUser() ¶ protected

Parameters

Returns

_getDigest() ¶ protected

Parameters

Returns

_query() ¶ protected

Parameters

Returns

authenticate() ¶ public

Parameters

Returns

config() ¶ public

Usage

Parameters

Returns

Throws

configShallow() ¶ public

Parameters

Returns

generateNonce() ¶ protected

Returns

generateResponseHash() ¶ public

Parameters

Returns

getConfig() ¶ public

Usage

Parameters

Returns

getUser() ¶ public

Parameters

Returns

implementedEvents() ¶ public

Returns

loginHeaders() ¶ public

Parameters

Returns

`$_config` ¶ protected

`$_configInitialized` ¶ protected

`$_defaultConfig` ¶ protected

`$_needsPasswordRehash` ¶ protected

`$_passwordHasher` ¶ protected

`$_registry` ¶ protected