Download the PHP package tuupola/slim-jwt-auth without Composer

On this page you can find all versions of the php package tuupola/slim-jwt-auth. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?
tuupola/slim-jwt-auth
Rate from 1 - 5
Rated 5.00 based on 1 reviews

Example code of tuupola/slim-jwt-auth

Informations about the package slim-jwt-auth

[!IMPORTANT] This package is abandoned. See jimtools/jwt-auth for replacement.

PSR-7 and PSR-15 JWT Authentication Middleware

This middleware implements JSON Web Token Authentication. It was originally developed for Slim but can be used with any framework using PSR-7 and PSR-15 style middlewares. It has been tested with Slim Framework and Zend Expressive.

Latest Version Packagist Build Status Coverage

Heads up! You are reading documentation for 3.x branch which is PHP 7.1 and up only. If you are using older version of PHP see the 2.x branch. These two branches are not backwards compatible, see UPGRADING for instructions how to upgrade.

Middleware does not implement OAuth 2.0 authorization server nor does it provide ways to generate, issue or store authentication tokens. It only parses and authenticates a token when passed via header or cookie. This is useful for example when you want to use JSON Web Tokens as API keys.

For example implementation see Slim API Skeleton.

Install

Install latest version using composer.

If using Apache add the following to the .htaccess file. Otherwise PHP wont have access to Authorization: Bearer header.

Usage

Configuration options are passed as an array. The only mandatory parameter is secret which is used for verifying the token signature. Note again that secret is not the token. It is the secret you use to sign the token.

For simplicity's sake examples show secret hardcoded in code. In real life you should store it somewhere else. Good option is environment variable. You can use dotenv or something similar for development. Examples assume you are using Slim Framework.

An example where your secret is stored as an environment variable:

When a request is made, the middleware tries to validate and decode the token. If a token is not found or there is an error when validating and decoding it, the server will respond with 401 Unauthorized.

Validation errors are triggered when the token has been tampered with or the token has expired. For all possible validation errors, see JWT library source.

Optional parameters

Path

The optional path parameter allows you to specify the protected part of your website. It can be either a string or an array. You do not need to specify each URL. Instead think of path setting as a folder. In the example below everything starting with /api will be authenticated. If you do not define path all routes will be protected.

Ignore

With optional ignore parameter you can make exceptions to path parameter. In the example below everything starting with /api and /admin will be authenticated with the exception of /api/token and /admin/ping which will not be authenticated.

Header

By default middleware tries to find the token from Authorization header. You can change header name using the header parameter.

Regexp

By default the middleware assumes the value of the header is in Bearer <token> format. You can change this behaviour with regexp parameter. For example if you have custom header such as X-Token: <token> you should pass both header and regexp parameters.

Cookie

If token is not found from neither environment or header, the middleware tries to find it from cookie named token. You can change cookie name using cookie parameter.

Algorithm

You can set supported algorithms via algorithm parameter. This can be either string or array of strings. Default value is ["HS256", "HS512", "HS384"]. Supported algorithms are HS256, HS384, HS512 and RS256. Note that enabling both HS256 and RS256 is a security risk.

Attribute

When the token is decoded successfully and authentication succeeds the contents of the decoded token is saved as token attribute to the $request object. You can change this with. attribute parameter. Set to null or false to disable this behavour

Logger

The optional logger parameter allows you to pass in a PSR-3 compatible logger to help with debugging or other application logging needs.

Before

Before function is called only when authentication succeeds but before the next incoming middleware is called. You can use this to alter the request before passing it to the next incoming middleware in the stack. If it returns anything else than Psr\Http\Message\ServerRequestInterface the return value will be ignored.

After

After function is called only when authentication succeeds and after the incoming middleware stack has been called. You can use this to alter the response before passing it next outgoing middleware in the stack. If it returns anything else than Psr\Http\Message\ResponseInterface the return value will be ignored.

Note that both the after and before callback functions receive the raw token string as well as the decoded claims through the $arguments argument.

Error

Error is called when authentication fails. It receives last error message in arguments. You can use this for example to return JSON formatted error responses.

Rules

The optional rules parameter allows you to pass in rules which define whether the request should be authenticated or not. A rule is a callable which receives the request as parameter. If any of the rules returns boolean false the request will not be authenticated.

By default middleware configuration looks like this. All paths are authenticated with all request methods except OPTIONS.

RequestPathRule contains both a path parameter and a ignore parameter. Latter contains paths which should not be authenticated. RequestMethodRule contains ignore parameter of request methods which also should not be authenticated. Think of ignore as a whitelist.

99% of the cases you do not need to use the rules parameter. It is only provided for special cases when defaults do not suffice.

Security

JSON Web Tokens are essentially passwords. You should treat them as such and you should always use HTTPS. If the middleware detects insecure usage over HTTP it will throw a RuntimeException. By default this rule is relaxed for requests to server running on localhost. To allow insecure usage you must enable it manually by setting secure to false.

Alternatively you could list multiple development servers to have relaxed security. With below settings both localhost and dev.example.com allow incoming unencrypted requests.

Authorization

By default middleware only authenticates. This is not very interesting. Beauty of JWT is you can pass extra data in the token. This data can include for example scope which can be used for authorization.

It is up to you to implement how token data is stored or possible authorization implemented.

Let assume you have token which includes data for scope. By default middleware saves the contents of the token to token attribute of the request.

Testing

You can run tests either manually or automatically on every code change. Automatic tests require entr to work.

Contributing

Please see CONTRIBUTING for details.

Security

If you discover any security related issues, please email [email protected] instead of using the issue tracker.

License

The MIT License (MIT). Please see License File for more information.

All versions of slim-jwt-auth with dependencies

PHP Build Version
Package Version
Requires php Version ^7.4|^8.0
psr/log Version ^1.0|^2.0|^3.0
firebase/php-jwt Version ^3.0|^4.0|^5.0
psr/http-message Version ^1.0|^2.0
tuupola/http-factory Version ^1.3
tuupola/callable-handler Version ^1.0
psr/http-server-middleware Version ^1.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package tuupola/slim-jwt-auth contains the following files

Loading the files please wait ....