CakePHP
  • Documentation
    • Book
    • API
    • Videos
    • Reporting Security Issues
    • Privacy Policy
    • Logos & Trademarks
  • Business Solutions
  • Swag
  • Road Trip
  • Team
  • Community
    • Community
    • Get Involved
    • Issues (Github)
    • Bakery
    • Featured Resources
    • Training
    • Meetups
    • My CakePHP
    • CakeFest
    • Newsletter
    • Linkedin
    • YouTube
    • Facebook
    • Twitter
    • Mastodon
    • Help & Support
    • Forum
    • Stack Overflow
    • IRC
    • Slack
    • Paid Support
CakePHP

C CakePHP 4.1 Strawberry API

  • Project:
    • CakePHP
      • CakePHP
      • Authentication
      • Authorization
      • Chronos
      • Elastic Search
      • Queue
  • Version:
    • 4.1
      • 5.2
      • 5.1
      • 5.0
      • 4.6
      • 4.5
      • 4.4
      • 4.3
      • 4.2
      • 4.1
      • 4.0
      • 3.10
      • 3.9
      • 3.8
      • 3.7
      • 3.6
      • 3.5
      • 3.4
      • 3.3
      • 3.2
      • 3.1
      • 3.0
      • 2.10
      • 2.9
      • 2.8
      • 2.7
      • 2.6
      • 2.5
      • 2.4
      • 2.3
      • 2.2
      • 2.1
      • 2.0
      • 1.3
      • 1.2

Namespaces

  • Global
  • Cake
    • Auth
      • Storage
    • Cache
    • Collection
    • Command
    • Console
    • Controller
    • Core
    • Database
    • Datasource
    • Error
    • Event
    • Filesystem
    • Form
    • Http
    • I18n
    • Log
    • Mailer
    • Network
    • ORM
    • Routing
    • Shell
    • TestSuite
    • Utility
    • Validation
    • View

Class DigestAuthenticate

Digest Authentication adapter for AuthComponent.

Provides Digest HTTP authentication support for AuthComponent.

Using Digest auth

Load AuthComponent in your controller's initialize() and add 'Digest' in 'authenticate' key

 $this->loadComponent('Auth', [
     'authenticate' => ['Digest'],
     'storage' => 'Memory',
     'unauthorizedRedirect' => false,
 ]);

You should set storage to Memory to prevent CakePHP from sending a session cookie to the client.

You should set unauthorizedRedirect to false. This causes AuthComponent to throw a ForbiddenException exception instead of redirecting to another page.

Since HTTP Digest Authentication is stateless you don't need call setUser() in your controller. The user credentials will be checked on each request. If valid credentials are not provided, required authentication headers will be sent by this authentication provider which triggers the login dialog in the browser/client.

Generating passwords compatible with Digest authentication.

DigestAuthenticate requires a special password hash that conforms to RFC2617. You can generate this password using DigestAuthenticate::password()

$digestPass = DigestAuthenticate::password($username, $password, env('SERVER_NAME'));

If you wish to use digest authentication alongside other authentication methods, it's recommended that you store the digest authentication separately. For example User.digest_pass could be used for a digest password, while User.password would store the password hash for use with other methods like Basic or Form.

Namespace: Cake\Auth
See: https://book.cakephp.org/4/en/controllers/components/authentication.html

Property Summary

  • $_config protected
    array

    Runtime config

  • $_configInitialized protected
    bool

    Whether the config property has already been configured with defaults

  • $_defaultConfig protected
    array

    Default config for this object.

  • $_needsPasswordRehash protected
    bool

    Whether or not the user authenticated by this class requires their password to be rehashed with another algorithm.

  • $_passwordHasher protected
    Cake\Auth\AbstractPasswordHasher|null

    Password hasher instance.

  • $_registry protected
    Cake\Controller\ComponentRegistry

    A Component registry, used to get more components.

  • $_tableLocator protected
    Cake\ORM\Locator\LocatorInterface|null

    Table locator instance

Method Summary

  • __construct() public

    Constructor

  • _configDelete() protected

    Deletes a single config key.

  • _configRead() protected

    Reads a config key.

  • _configWrite() protected

    Writes a config key.

  • _findUser() protected

    Find a user record using the username and password provided.

  • _getDigest() protected

    Gets the digest headers from the request/environment.

  • _query() protected

    Get query object for fetching user from database.

  • authenticate() public

    Authenticate a user using HTTP auth. Will use the configured User model and attempt a login using HTTP auth.

  • configShallow() public

    Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

  • generateNonce() protected

    Generate a nonce value that is validated in future requests.

  • generateResponseHash() public

    Generate the response hash for a given digest array.

  • getConfig() public

    Returns the config.

  • getConfigOrFail() public

    Returns the config for this specific key.

  • getTableLocator() public

    Gets the table locator.

  • getUser() public

    Get a user based on information in the request. Used by cookie-less auth for stateless clients.

  • implementedEvents() public

    Returns a list of all events that this authenticate class will listen to.

  • loginHeaders() public

    Generate the login headers

  • needsPasswordRehash() public

    Returns whether or not the password stored in the repository for the logged in user requires to be rehashed with another algorithm

  • parseAuthData() public

    Parse the digest authentication headers and split them up.

  • password() public static

    Creates an auth digest password hash to store

  • passwordHasher() public

    Return password hasher object

  • setConfig() public

    Sets the config.

  • setTableLocator() public

    Sets the table locator.

  • unauthenticated() public

    Handles an unauthenticated access attempt by sending appropriate login headers

  • validNonce() protected

    Check the nonce to ensure it is valid and not expired.

Method Detail

__construct() ¶ public 

__construct(Cake\Controller\ComponentRegistry $registry, array $config = [])

Constructor

Besides the keys specified in BaseAuthenticate::$_defaultConfig, DigestAuthenticate uses the following extra keys:

  • secret The secret to use for nonce validation. Defaults to Security::getSalt().
  • realm The realm authentication is for, Defaults to the servername.
  • qop Defaults to 'auth', no other values are supported at this time.
  • opaque A string that must be returned unchanged by clients. Defaults to md5($config['realm'])
  • nonceLifetime The number of seconds that nonces are valid for. Defaults to 300.
Parameters
Cake\Controller\ComponentRegistry $registry

The Component registry used on this request.

array $config optional

Array of config to use.

_configDelete() ¶ protected 

_configDelete(string $key): void

Deletes a single config key.

Parameters
string $key

Key to delete.

Returns
void
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config

_configRead() ¶ protected 

_configRead(string|null $key): mixed

Reads a config key.

Parameters
string|null $key

Key to read.

Returns
mixed

_configWrite() ¶ protected 

_configWrite(string|array $key, mixed $value, bool|string $merge = false): void

Writes a config key.

Parameters
string|array $key

Key to write to.

mixed $value

Value to write.

bool|string $merge optional

True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.

Returns
void
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config

_findUser() ¶ protected 

_findUser(string $username, string|null $password = null): array|false

Find a user record using the username and password provided.

Input passwords will be hashed even when a user doesn't exist. This helps mitigate timing attacks that are attempting to find valid usernames.

Parameters
string $username

The username/identifier.

string|null $password optional

The password, if not provided password checking is skipped and result of find is returned.

Returns
array|false

Either false on failure, or an array of user data.

_getDigest() ¶ protected 

_getDigest(Cake\Http\ServerRequest $request): array|null

Gets the digest headers from the request/environment.

Parameters
Cake\Http\ServerRequest $request

Request object.

Returns
array|null

Array of digest information.

_query() ¶ protected 

_query(string $username): Cake\ORM\Query

Get query object for fetching user from database.

Parameters
string $username

The username/identifier.

Returns
Cake\ORM\Query

authenticate() ¶ public 

authenticate(Cake\Http\ServerRequest $request, Cake\Http\Response $response): array|false

Authenticate a user using HTTP auth. Will use the configured User model and attempt a login using HTTP auth.

Parameters
Cake\Http\ServerRequest $request

The request to authenticate with.

Cake\Http\Response $response

The response to add headers to.

Returns
array|false

Either false on failure, or an array of user data on success.

configShallow() ¶ public 

configShallow(string|array $key, mixed|null $value = null): $this

Merge provided config with existing config. Unlike config() which does a recursive merge for nested keys, this method does a simple merge.

Setting a specific value:

$this->configShallow('key', $value);

Setting a nested value:

$this->configShallow('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->configShallow(['one' => 'value', 'another' => 'value']);
Parameters
string|array $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

Returns
$this

generateNonce() ¶ protected 

generateNonce(): string

Generate a nonce value that is validated in future requests.

Returns
string

generateResponseHash() ¶ public 

generateResponseHash(array $digest, string $password, string $method): string

Generate the response hash for a given digest array.

Parameters
array $digest

Digest information containing data from DigestAuthenticate::parseAuthData().

string $password

The digest hash password generated with DigestAuthenticate::password()

string $method

Request method

Returns
string

Response hash

getConfig() ¶ public 

getConfig(string|null $key = null, mixed $default = null): mixed

Returns the config.

Usage

Reading the whole config:

$this->getConfig();

Reading a specific value:

$this->getConfig('key');

Reading a nested value:

$this->getConfig('some.nested.key');

Reading with default value:

$this->getConfig('some-key', 'default-value');
Parameters
string|null $key optional

The key to get or null for the whole config.

mixed $default optional

The return value when the key does not exist.

Returns
mixed

Configuration data at the named key or null if the key does not exist.

getConfigOrFail() ¶ public 

getConfigOrFail(string $key): mixed

Returns the config for this specific key.

The config value for this key must exist, it can never be null.

Parameters
string $key

The key to get.

Returns
mixed

Configuration data at the named key

Throws
InvalidArgumentException

getTableLocator() ¶ public 

getTableLocator(): Cake\ORM\Locator\LocatorInterface

Gets the table locator.

Returns
Cake\ORM\Locator\LocatorInterface

getUser() ¶ public 

getUser(Cake\Http\ServerRequest $request): array|false

Get a user based on information in the request. Used by cookie-less auth for stateless clients.

Parameters
Cake\Http\ServerRequest $request

Request object.

Returns
array|false

Either false or an array of user information

implementedEvents() ¶ public 

implementedEvents(): array

Returns a list of all events that this authenticate class will listen to.

An authenticate class can listen to following events fired by AuthComponent:

  • Auth.afterIdentify - Fired after a user has been identified using one of configured authenticate class. The callback function should have signature like afterIdentify(EventInterface $event, array $user) when $user is the identified user record.

  • Auth.logout - Fired when AuthComponent::logout() is called. The callback function should have signature like logout(EventInterface $event, array $user) where $user is the user about to be logged out.

Returns
array

List of events this class listens to. Defaults to [].

loginHeaders() ¶ public 

loginHeaders(Cake\Http\ServerRequest $request): string[]

Generate the login headers

Parameters
Cake\Http\ServerRequest $request

Request object.

Returns
string[]

Headers for logging in.

needsPasswordRehash() ¶ public 

needsPasswordRehash(): bool

Returns whether or not the password stored in the repository for the logged in user requires to be rehashed with another algorithm

Returns
bool

parseAuthData() ¶ public 

parseAuthData(string $digest): array|null

Parse the digest authentication headers and split them up.

Parameters
string $digest

The raw digest authentication headers.

Returns
array|null

An array of digest authentication headers

password() ¶ public static 

password(string $username, string $password, string $realm): string

Creates an auth digest password hash to store

Parameters
string $username

The username to use in the digest hash.

string $password

The unhashed password to make a digest hash for.

string $realm

The realm the password is for.

Returns
string

the hashed password that can later be used with Digest authentication.

passwordHasher() ¶ public 

passwordHasher(): Cake\Auth\AbstractPasswordHasher

Return password hasher object

Returns
Cake\Auth\AbstractPasswordHasher

Password hasher instance

Throws
RuntimeException
If password hasher class not found or it does not extend AbstractPasswordHasher

setConfig() ¶ public 

setConfig(string|array $key, mixed|null $value = null, bool $merge = true): $this

Sets the config.

Usage

Setting a specific value:

$this->setConfig('key', $value);

Setting a nested value:

$this->setConfig('some.nested.key', $value);

Updating multiple config settings at the same time:

$this->setConfig(['one' => 'value', 'another' => 'value']);
Parameters
string|array $key

The key to set, or a complete array of configs.

mixed|null $value optional

The value to set.

bool $merge optional

Whether to recursively merge or overwrite existing config, defaults to true.

Returns
$this
Throws
Cake\Core\Exception\Exception
When trying to set a key that is invalid.

setTableLocator() ¶ public 

setTableLocator(Cake\ORM\Locator\LocatorInterface $tableLocator): $this

Sets the table locator.

Parameters
Cake\ORM\Locator\LocatorInterface $tableLocator

LocatorInterface instance.

Returns
$this

unauthenticated() ¶ public 

unauthenticated(Cake\Http\ServerRequest $request, Cake\Http\Response $response): Cake\Http\Response|null|void

Handles an unauthenticated access attempt by sending appropriate login headers

  • Null - No action taken, AuthComponent should return appropriate response.
  • Cake\Http\Response - A response object, which will cause AuthComponent to simply return that response.
Parameters
Cake\Http\ServerRequest $request

A request object.

Cake\Http\Response $response

A response object.

Returns
Cake\Http\Response|null|void
Throws
Cake\Http\Exception\UnauthorizedException

validNonce() ¶ protected 

validNonce(string $nonce): bool

Check the nonce to ensure it is valid and not expired.

Parameters
string $nonce

The nonce value to check.

Returns
bool

Property Detail

$_config ¶ protected

Runtime config

Type
array

$_configInitialized ¶ protected

Whether the config property has already been configured with defaults

Type
bool

$_defaultConfig ¶ protected

Default config for this object.

  • fields The fields to use to identify a user by.
  • userModel The alias for users table, defaults to Users.
  • finder The finder method to use to fetch user record. Defaults to 'all'. You can set finder name as string or an array where key is finder name and value is an array passed to Table::find() options. E.g. ['finderName' => ['some_finder_option' => 'some_value']]
  • passwordHasher Password hasher class. Can be a string specifying class name or an array containing className key, any other keys will be passed as config to the class. Defaults to 'Default'.
Type
array

$_needsPasswordRehash ¶ protected

Whether or not the user authenticated by this class requires their password to be rehashed with another algorithm.

Type
bool

$_passwordHasher ¶ protected

Password hasher instance.

Type
Cake\Auth\AbstractPasswordHasher|null

$_registry ¶ protected

A Component registry, used to get more components.

Type
Cake\Controller\ComponentRegistry

$_tableLocator ¶ protected

Table locator instance

Type
Cake\ORM\Locator\LocatorInterface|null
OpenHub
Pingping
Linode
  • Business Solutions
  • Showcase
  • Documentation
  • Book
  • API
  • Videos
  • Reporting Security Issues
  • Privacy Policy
  • Logos & Trademarks
  • Community
  • Get Involved
  • Issues (Github)
  • Bakery
  • Featured Resources
  • Training
  • Meetups
  • My CakePHP
  • CakeFest
  • Newsletter
  • Linkedin
  • YouTube
  • Facebook
  • Twitter
  • Mastodon
  • Help & Support
  • Forum
  • Stack Overflow
  • IRC
  • Slack
  • Paid Support

Generated using CakePHP API Docs