CakePHP 4 is out for some time (4.0.2 at the time of writing this post) and some of you already asked "Is there a cakedc/users version for cake4?" a couple times...
The answer is YES!.
We had a meeting after we realized AuthComponent was going to be deprecated, the authentication/authorization layer was leaning towards
Middlewares and getting a new Plugin home ourside of the core.
We decided to embrace the new middlewares and provide native compatibility from version 9.x of the plugin.
Before we explain how is it going to work, and proceed to setup a project from scratch a couple answers to potential questions:
* Are you going to maintain cakedc/users 8.x for CakePHP 3.x?
* Yes, as long as you use it, we'll keep it maintained. Version 8.x will be a LTS version. We'll consider backporting some features from 9.x but the
main objective of 8.x is to provide stability over time to existing CakePHP 3 projects.
* I'm planning to migrate my project from CakePHP 3 to CakePHP 4, what's the migration path for cakedc/users?
* Keep the version 8.x of the plugin for some time. Complete your upgrade and then decide if you want to migrate to cakedc/users 9.x.
We wrote a migration guide here when you decide it's time to move forward.
* AuthComponent is going to explode in CakePHP 4.x ?
* No, it's deprecated, but deprecated also means it's completely functional. Just keep it until you decide to upgrade it.
This blog post is the first of a series of articles about cakedc/users 9.x where we'll explain how to use the plugin from scratch, it's benefits and
also the way the new authentication & authorization layers work for a CakePHP 4.x application.
We've kept our main objectives for this plugin: provide a quick, easy, flexible users management plugin to help you build awesome products on top of CakePHP 4.
So let's create a new project
* Ensure you have a working develop environment, download a development vagrant machine or pick some other's environment.
composer create-project cakephp/app:^4 users9
Now we have a new CakePHP 4 project skeleton created under folder
Test it using
bin/cake server then go to
http://localhost:8765 and check it's all green.
* Install the plugin using
composer require cakedc/users:^9
* Now configure your application to use the plugin in your
src/Application.php bootstrap() method, add
* Create the required tables in your configured Datasource using Migrations:
bin/cake migrations migrate -p CakeDC/Users
This will create an empty `users` table and `social_accounts` to hold your authenticatio data.
* Now create a superadmin user
bin/cake users addSuperuser
It will create a superadmin user and a random password, copy the user and password to a safe place.
Now start the standalone server using
bin/cake server again, and go to the home page
http://localhost:8765... you'll see the login form.
If you use the superadmin credentials previously generated, you'll be able to login and continue to the home page.
Total setup process, possibly less than 5 minutes if your network allows it...
How is it actually working?
* Once the plugin is added to you Application class through the Plugin class, we implement the `AuthenticationService` and `AuthorizationService` provider interfaces, and use
the `middleware()` plugin callback to inject the configured middlewares into the Application middleware queue, see the `MiddlewareQueueLoader`.
We do it to keep the loading and configuration of the middlewares in one place, and decide the middlewares needed based on your configuration, for example if you are using
social login with Facebook, we configure which middlewares you need loaded and the correct order.
Check LINK for customization options of the plugin. We'll deal with customization in other articles of this series.
* CakePHP core Authentication and Authorization middlewares are also loaded, with the provided configuration. Check file vendor/cakedc/users/config/users.php for the
default configuratio used. You'll see there we're using by default Session, Form, Token, Cookie and Social. Depending on your configuration we'll check if you're authenticated in the following order:
* Your identity already in the session
* You've posted login form and your credentials are in the request data
* There is a token present we can retrieve, usually for API stateless token based auth
* There is a remember me cookie present
* Your identity is available after social login, and we can use it to login into the app
If all these methods fail, you're redirected to the login page, `/login` by default (configurable, of course).
* But that's the first step, once we can identify who are you, the next step (Authorization) is to determine if you're allowed to access the page you're trying to open. The plugin default configuration has 2
Authorization methods, superuser and rbac.
* If you're user is a superuser, you are granted
* If there is a rule in the rbac configuration to match your role and the current page, you are granted
If none of the above, you are not authorized, and redirected to the home page.
One of the important concepts about the new authentication layer in CakePHP is: "Authentication happens before you hit AppController".
So when you get to your Controller, CakePHP alreay knows you're an existing user and you have permission to access the page. All the abstraction and complexity
of maintaining the authentication is now extracted and managed OUTSIDE of your controllers, reducing their complexity.
Give it a try in your next project! Let us know how it goes and share you experiences with us, we'll be happy to help in the community channels.