PHP download

Download the PHP package mixerapi/jwt-auth without Composer

On this page you can find all versions of the php package mixerapi/jwt-auth. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

Table of contents
Download mixerapi/jwt-auth
More information about mixerapi/jwt-auth
Files in mixerapi/jwt-auth

Vendor mixerapi
Package jwt-auth
Short Description A JWT authentication plugin for CakePHP.
License MIT

Keywords cakephp jwt cakephp jwt cakephp jwt auth cakephp jwt authentication

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:

If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.

Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
To use Composer is sometimes complicated. Especially for beginners.
Composer needs much resources. Sometimes they are not available on a simple webspace.
If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Please rate this library. Is it a good library?

Example code of mixerapi/jwt-auth

Informations about the package jwt-auth

MixerApi JwtAuth

A JWT authentication library for CakePHP supporting both HMAC (HS256 or HS512) and RSA (RS256 or RS512) with JSON Web Keys. Before starting, you should determine which signing algorithm best fits your needs. It is the goal of this library to make both easy.

Installation
Defining Your JWT
JSON Web Keys
Login Controller
Security

For an alternative approach see admad/cakephp-jwt-auth.

Installation

You can install this plugin into your CakePHP application using composer.

And then load the plugin

Configuration

Next create a config file (e.g. config/mixerapi_jwtauth.php) and load it into your application.

alg

The alg string is required and must be either HS256, HS512, RS256, or RS512.

secret

The secret string is required when using HMAC. The secret should not be committed to your VCS and be at least 32 characters long. You can generate a strong secret using a tool like openssl or gpg:

keys

The keys array is required when using RSA. The keys should not be committed to your VCS and be at least 2048 bits long. You can generate a public/private keypair using openssl:

Service Provider

Using the JwtAuthServiceProvider is recommended to inject dependencies automatically.

Authentication

You will need to configure CakePHP Authentication to use this library. There are several ways to do this documented in the quick start. See the mixerapi demo for a complete example.

Be sure to load the CakePHP Authentication.Component (generally in your AppController).

Here is an example that supports both HMAC and RSA with form and password based authentication. However way you implement authentication, it is advised to use \MixerApi\JwtAuth\Configuration\Configuration to pull values from your MixerApi.JwtAuth configuration file config/mixerapi_jwtauth.php. This will validate your configuration before applying it to your applications authentication.

Defining your JWT

On your User entity implement JwtEntityInterface. This will be used to generate the JWT, example:

JSON Web Keys

Signing your tokens with RSA uses a public/private key pair. You can skip this section if you are using HMAC.

Building Keys

We'll store the keys in config/keys/1/ but you can store these anywhere. Keys should not be stored in version control, example:

JWK Set Controller

Read more about JSON Web Keys here. Let's create an endpoint to expose your JWK Set.

Add a route to your controller in your config/routes.php file.

Example response:

You may add/remove keys to your MixerApi.JwtAuth.keys config as part of your key rotation strategy.

Note, if you are not using dependency injection:

Login Controller

In the example below we'll authenticate, create the JWT we defined earlier and return it to the requester.

Add a route to the controller in your config/routes.php file.

This will build the JWT we defined earlier in the User Entity.

Note, if you're not using dependency injection:

Or, if you prefer to handle the authentication yourself you may pass an instance of JwtInterface instead, example:

Security

Some security measures are baked into this library:

Weak HMAC secrets

JWT signed with HMAC can be brute forced with a tool like JWT Tool. Once cracked the JWT can be altered. This library mitigates this by requiring a minimum secret length of 32 characters though you may want to consider using 64 characters if security is more important than speed and token size. Generating a strong random secret and securing it is up to you.

Weak RSA Keys

Weak keys can be cracked as well. This library requires a minimum key length of 2048 bits. You may want to consider a key length of 4096 bits depending on your security requirements. Securing your keys is up to you.

Alg None Bypass

The alg=none signature-bypass vulnerability is mitigated by requiring a single valid algorithm. Additional protection exists within the firebase/php-jwt library which should be kept up to date.

RS/HS256 public key mismatch vulnerability

Mitigated by requiring a single valid algorithm. Additional protection exists within the firebase/php-jwt library which should be kept up to date.

All versions of jwt-auth with dependencies

PHP Build Version

Package Version

Version v2.0.3 Release 17. Feb 2024
create-project require 0 people chose require and
0 people chose create-project.

Download

Download latest version of jwt-auth from vendor mixerapi

Requires ext-openssl Version *
php Version ^8.1
cakephp/authentication Version ^3.0
cakephp/cakephp Version ^5.0
firebase/php-jwt Version ^6.2

Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package mixerapi/jwt-auth contains the following files

Loading the files please wait ....