Security Tokens

Installs: 11 173

Dependents: 2

Suggesters: 1

Security: 0

Stars: 12

Watchers: 2

Forks: 11


2.0.0-beta 2020-01-21 03:39 UTC

This package is auto-updated.

Last update: 2023-01-21 16:44:51 UTC


Build Status Coverage Status Total Downloads License

Security tokens for CakePHP 3.


Ever wanted to force users to activate their account upon registration?

Or maybe just a confirmation link when updating their credentials?

Ok, ok - maybe before cancelling a subscription or better, before sending funds out.

Well, now you can. Attach listeners to your models for sending out emails (or any other notification method of your choice), and you're good to go!


Using Composer:

composer require muffin/tokenize

You then need to load the plugin. You can use the shell command:

bin/cake plugin load Muffin/Tokenize --routes

or by manually adding statement shown below to bootstrap.php:

Plugin::load('Muffin/Tokenize', ['routes' => true]);

This will ensure that the route for /verify/:token style URL is configured.

You can also customize the token's length, lifetime and table through Configure as shown below:

Configure::write('Muffin/Tokenize', [
    'lifetime' => '3 days', // Default value
    'length' => 32, // Default value
    'table' => 'tokenize_tokens', // Default value

You will also need to create the required table. A migration file was added to help you with that:

bin/cake migrations migrate --plugin Muffin/Tokenize

How it works

When creating or updating a record, and if the data contains any tokenized field(s), a token will automatically be created along with the value of the field(s) in question.

When this happens the Model.afterTokenize event is fired and passed the operation's related entity and the associated token that was created for it.

The initial (save or update) operation resumes but without the tokenized fields.

The tokenized fields will only be updated upon submission of their associated token.


To tokenize the password column on updates, add this to your UsersTable:

$this->addBehavior('Muffin/Tokenize.Tokenize', [
    'fields' => ['password'],

If instead you wanted to have it create a token both on account creation and credentials update:

$this->addBehavior('Muffin/Tokenize.Tokenize', [
    'fields' => ['password'],
    'implementedEvents' => [
        'Model.beforeSave' => 'beforeSave',
        'Model.afterSave' => 'afterSave',

Finally, if you just wish to create a token on the fly for other custom scenarios (i.e. password-less login), you can manually create a token:


The above operation, will return a Muffin\Tokenize\Model\Entity\Token instance.

To verify a token from a controller's action:

$result = $this->Users->Tokens->verify($token);

Patches & Features

  • Fork
  • Mod, fix
  • Test - this is important, so it's not unintentionally broken
  • Commit - do not mess with license, todo, version, etc. (if you do change any, bump them into commits of their own that I can ignore when I pull)
  • Pull request - bonus point for topic branches

To ensure your PRs are considered for upstream, you MUST follow the CakePHP coding standards.

Bugs & Feedback


Copyright (c) 2015, Use Muffin and licensed under The MIT License.