This package is not installable via Composer 1.x, please make sure you upgrade to Composer 2+. Read more about our Composer 1.x deprecation policy.

Password-less authentication for CakePHP 3

Installs: 23

Dependents: 0

Suggesters: 0

Security: 0

Stars: 10

Watchers: 5

Forks: 1


dev-master / 1.0.x-dev 2016-03-25 20:52 UTC

This package is auto-updated.

Last update: 2021-11-27 19:32:33 UTC


Build Status Coverage Total Downloads License

Password-less authentication for CakePHP 3.

Send a login hyperlink upon user's email submission on login page.

  1. User submits email
  2. System sends link after validating email
  3. User clicks link
  4. System authenticates user after validating token


Using Composer:

composer require muffin/hyperlinkauth:1.0.x-dev

You then need to load the plugin. You can use the shell command:

bin/cake plugin load Muffin/HyperlinkAuth

or by manually adding statement shown below to your app's config/bootstrap.php:



// src/Controller/AppController.php
public function initialize()
    $this->loadComponent('Auth', ['authenticate' => ['Muffin/HyperlinkAuth.Hyperlink']]);

And then create your login action:

// src/Controller/UsersController.php
public function login()
    if (!$this->request->is('post') && !$this->request->is('token')) {

    $user = $this->Auth->identify();

    if ($user === true) {
        $this->Flash->success(__('A one-time login URL has been emailed to you'));

    if ($user) {
        return $this->redirect($this->Auth->redirectUrl());

    $this->Flash->error(__('Email is incorrect'), [
        'key' => 'auth'

If you noticed, this is very similar to the default way of doing things, with the difference that it checks for a token type of request and handling $user === true (returned when email is sent).

For sending the email, there are different approaches you can take. The simplest one (demonstrated here), uses the UsersController as the object listening to the Auth.afterIdentify event. A mailer would be another way of handling that.

The code:

// src/Controller/UsersController.php
public function implementedEvents()
    return parent::implementedEvents() + [
        'Auth.afterIdentify' => 'afterIdentify',

public function afterIdentify(Event $event, $result, HyperlinkAuthenticate $auth)
    if (!$this->request->is('post')) {

    $token = $auth->token($result);

    $url = Router::url($this->Auth->config('loginAction') + ['?' => compact('token')], true);
    Email::deliver($result['email'], 'Login link', $url, ['from' => 'no-reply@' . env('HTTP_HOST')]);

    return true;

Patches & Features

  • Fork
  • Mod, fix
  • Test - this is important, so it's not unintentionally broken
  • Commit - do not mess with license, todo, version, etc. (if you do change any, bump them into commits of their own that I can ignore when I pull)
  • Pull request - bonus point for topic branches

To ensure your PRs are considered for upstream, you MUST follow the CakePHP coding standards.

Bugs & Feedback


Copyright (c) 2016, Use Muffin and licensed under The MIT License.