Security tokens for CakePHP 3.
Ever wanted to force users to activate their account upon registration?
Or maybe just a confirmation link when updating their credentials?
Ok, ok - maybe before cancelling a subscription or better, before sending funds out.
Well, now you can. Attach listeners to your models for sending out emails (or any other notification method of your choice), and you're good to go!
composer require muffin/tokenize
You then need to load the plugin. You can use the shell command:
bin/cake plugin load Muffin/Tokenize --routes
or by manually adding statement shown below to
Plugin::load('Muffin/Tokenize', ['routes' => true]);
This will ensure that the route for
/verify/:token style URL is configured.
You can also customize the token's length, lifetime and table through
Configure::write('Muffin/Tokenize', [ 'lifetime' => '3 days', // Default value 'length' => 32, // Default value 'table' => 'tokenize_tokens', // Default value ]);
You will also need to create the required table. A migration file was added to help you with that:
bin/cake migrations migrate --plugin Muffin/Tokenize
When creating or updating a record, and if the data contains any tokenized field(s), a token will automatically be created along with the value of the field(s) in question.
When this happens the
Model.afterTokenize event is fired and passed the operation's related
entity and the associated token that was created for it.
The initial (save or update) operation resumes but without the tokenized fields.
The tokenized fields will only be updated upon submission of their associated token.
To tokenize the
password column on updates, add this to your
$this->addBehavior('Muffin/Tokenize.Tokenize', [ 'fields' => ['password'], ]);
If instead you wanted to have it create a token both on account creation and credentials update:
$this->addBehavior('Muffin/Tokenize.Tokenize', [ 'fields' => ['password'], 'implementedEvents' => [ 'Model.beforeSave' => 'beforeSave', 'Model.afterSave' => 'afterSave', ], ]);
Finally, if you just wish to create a token on the fly for other custom scenarios (i.e. password-less login), you can manually create a token:
The above operation, will return a
To verify a token from a controller's action:
$result = $this->Users->Tokens->verify($token);
- Mod, fix
- Test - this is important, so it's not unintentionally broken
- Commit - do not mess with license, todo, version, etc. (if you do change any, bump them into commits of their own that I can ignore when I pull)
- Pull request - bonus point for topic branches
To ensure your PRs are considered for upstream, you MUST follow the CakePHP coding standards.