Skip to content

Phalcon auth

NOTE

All classes are prefixed with Phalcon

Auth\AbstractAuthDispatcherListener

Abstract Source on GitHub

Shared enforcement algorithm for the Cli, Mvc and Micro auth listeners. The subclass provides the action name and context from its event source, the action-kind label used in the access-denied exception, and (Mvc only) a forward handler for Access::redirectTo().

Enforcement is fail-open: when the manager has no active access (Manager::getAccess() === null) every dispatch is allowed. A policy activated via Manager::access() persists across forwards and nested dispatches in the same request until it is replaced.

Uses Phalcon\Auth\Exceptions\AccessDenied · Phalcon\Contracts\Auth\Access\Access · Phalcon\Contracts\Auth\Manager

Method Summary

public __construct( Manager $manager ) protected bool enforce(string $actionName,array $context = [],mixed $forwardHandler = null) Runs the access check for the given action name. Returns true when protected string getActionType() Returns the kind label used by AccessDenied (e.g. 'task', 'action',

Properties

protected Manager $manager

Methods

Public · 1

__construct()

public function __construct( Manager $manager );
Protected · 2

enforce()

protected function enforce(
    string $actionName,
    array $context = [],
    mixed $forwardHandler = null
): bool;

Runs the access check for the given action name. Returns true when the dispatch should proceed, false when a forward was issued, and throws when access is denied without a redirect target.

The guard is fetched only when an access is active, so the no-op path works without a default guard.

getActionType()

abstract protected function getActionType(): string;

Returns the kind label used by AccessDenied (e.g. 'task', 'action', 'route').

Auth\Access\AbstractAccess

Abstract Source on GitHub

Uses Phalcon\Contracts\Auth\Access\Access · Phalcon\Contracts\Auth\Guard\Guard

Method Summary

public array getExceptActions() public array getOnlyActions() public bool isAllowed(Guard $guard,string $actionName,array $context = []) public array|null redirectTo() public void setExceptActions( array $exceptActions = [] ) public void setOnlyActions( array $onlyActions = [] ) protected bool allowedIf( Guard $guard ) Whether the gate's base condition holds for the given identity.

Properties

protected array $exceptActions = []
protected array $onlyActions = []

Methods

Public · 6

getExceptActions()

public function getExceptActions(): array;

getOnlyActions()

public function getOnlyActions(): array;

isAllowed()

public function isAllowed(
    Guard $guard,
    string $actionName,
    array $context = []
): bool;

redirectTo()

public function redirectTo(): array|null;

setExceptActions()

public function setExceptActions( array $exceptActions = [] ): void;

setOnlyActions()

public function setOnlyActions( array $onlyActions = [] ): void;
Protected · 1

allowedIf()

abstract protected function allowedIf( Guard $guard ): bool;

Whether the gate's base condition holds for the given identity.

Auth\Access\AccessLocator

Class Source on GitHub

Service locator for Phalcon\Auth access gates. Utilizes the container to obtain the service. For the Phalcon\Container\Container one can use autowiring. For the Phalcon\Di\Di, one needs to register the gates in it to be used here (the binary gates also resolve unregistered through Di's class builder).

@extends AbstractLocator

Uses Phalcon\Auth\Internal\ContainerResolver · Phalcon\Contracts\Auth\Access\Access · Phalcon\Support\AbstractLocator

Method Summary

public object newInstance( string $name ) Resolve a fresh gate instance from the container. protected string getExceptionClass() protected string getInterfaceClass() protected array getServices()

Methods

Public · 1

newInstance()

public function newInstance( string $name ): object;

Resolve a fresh gate instance from the container.

Gates carry per-activation state (the only/except action filters), so resolution must yield a fresh instance: new() on the Container bypasses the instance cache; on the legacy Di, get() builds unregistered classes and non-shared services fresh (register gates non-shared).

Protected · 3

getExceptionClass()

protected function getExceptionClass(): string;

getInterfaceClass()

protected function getInterfaceClass(): string;

getServices()

protected function getServices(): array;

Auth\Access\Acl

Class Source on GitHub

ACL-backed access gate. Checks the authenticated user's role against a Phalcon\Acl adapter: the ACL component is taken from the 'handler' context key (prefixed with 'module' and the module separator when present) and the ACL access is the action name. The 'params' context key is passed through to the ACL adapter for callable rules.

Filter semantics differ from the binary gates: except = bypass the gate for the listed actions; only = the gate applies to the listed actions exclusively (everything else is allowed).

Role resolution: no user resolves to the configured guest role; a user implementing Phalcon\Acl\RoleAwareInterface supplies its role name; any other user is rejected with an exception.

Uses Phalcon\Acl\Adapter\AdapterInterface · Phalcon\Acl\RoleAwareInterface · Phalcon\Auth\Exception · Phalcon\Contracts\Auth\Access\Access · Phalcon\Contracts\Auth\AuthUser · Phalcon\Contracts\Auth\Guard\Guard

Method Summary

public __construct(AdapterInterface $acl,array $options = []) public bool isAllowed(Guard $guard,string $actionName,array $context = []) protected bool allowedIf( Guard $guard ) Unused: this gate overrides isAllowed() in full. Fail closed to protected string resolveRole( Guard $guard )

Properties

protected AdapterInterface $acl
protected string $guestRole = "guest"
protected string $moduleSeparator = ":"

Methods

Public · 2

__construct()

public function __construct(
    AdapterInterface $acl,
    array $options = []
);

isAllowed()

public function isAllowed(
    Guard $guard,
    string $actionName,
    array $context = []
): bool;
Protected · 2

allowedIf()

protected function allowedIf( Guard $guard ): bool;

Unused: this gate overrides isAllowed() in full. Fail closed to satisfy the abstract.

resolveRole()

protected function resolveRole( Guard $guard ): string;

Auth\Access\Auth

Class Source on GitHub

Uses Phalcon\Contracts\Auth\Guard\Guard

Method Summary

protected bool allowedIf( Guard $guard )

Methods

Protected · 1

allowedIf()

protected function allowedIf( Guard $guard ): bool;

Auth\Access\Guest

Class Source on GitHub

Uses Phalcon\Contracts\Auth\Guard\Guard

Method Summary

protected bool allowedIf( Guard $guard )

Methods

Protected · 1

allowedIf()

protected function allowedIf( Guard $guard ): bool;

Auth\Adapter\AbstractAdapter

Abstract Source on GitHub

@template TConfig of AdapterConfig

Uses Phalcon\Contracts\Auth\Adapter\Adapter · Phalcon\Contracts\Auth\Adapter\AdapterConfig · Phalcon\Contracts\Auth\AuthUser · Phalcon\Contracts\Encryption\Security\Security

Method Summary

public __construct(Security $hasher,AdapterConfig $config) public AdapterConfig getConfig() Returns the adapter configuration object. public string|null getModel() Returns the model class name, if configured. public bool validateCredentials(AuthUser $user,array $credentials) Validates the supplied plaintext password against the user's stored hash.

Properties

protected AdapterConfig $config
protected Security $hasher

Methods

Public · 4

__construct()

public function __construct(
    Security $hasher,
    AdapterConfig $config
);

getConfig()

public function getConfig(): AdapterConfig;

Returns the adapter configuration object.

getModel()

public function getModel(): string|null;

Returns the model class name, if configured.

validateCredentials()

public function validateCredentials(
    AuthUser $user,
    array $credentials
): bool;

Validates the supplied plaintext password against the user's stored hash. Concrete adapters share this implementation; if your data source needs a different verification strategy, override it.

Auth\Adapter\AbstractArrayAdapter

Abstract Source on GitHub

Common base for adapters whose user records come from an in-memory list (Memory and Stream). Subclasses provide the row source via loadUsers(); everything else - credentials matching, hydration, the empty-credentials guard, and a default linear retrieveById - is shared here.

@template TConfig of AdapterConfig @extends AbstractAdapter

Uses Phalcon\Auth\AuthUser · Phalcon\Auth\Exceptions\DoesNotImplement · Phalcon\Contracts\Auth\Adapter\AdapterConfig · Phalcon\Contracts\Auth\AuthUser

Method Summary

public AuthUserContract|null retrieveByCredentials( array $credentials ) Walks the user list and returns the first row whose non-'password' public AuthUserContract|null retrieveById( mixed $id ) Default linear-scan implementation. Memory overrides this for an O(1) protected bool hasIdentifyingField( array $credentials ) Tests whether a credentials payload carries at least one identifying protected AuthUserContract hydrate( array $row ) Hydrates a raw user row into either the configured model class or a protected array loadUsers() Returns the source list of user rows. Concrete subclasses decide protected bool matchesRow(array $row,array $credentials) Strict per-key match of a row against credentials, skipping 'password'.

Methods

Public · 2

retrieveByCredentials()

public function retrieveByCredentials( array $credentials ): AuthUserContract|null;

Walks the user list and returns the first row whose non-'password' keys all match strictly. Returns null when no row matches or when $credentials carries no identifying field at all (only 'password', or empty) - protects callers from the silent "first row wins" footgun.

retrieveById()

public function retrieveById( mixed $id ): AuthUserContract|null;

Default linear-scan implementation. Memory overrides this for an O(1) id-keyed lookup; Stream uses this as-is.

Protected · 4

hasIdentifyingField()

protected function hasIdentifyingField( array $credentials ): bool;

Tests whether a credentials payload carries at least one identifying field (i.e. anything other than 'password'). An empty payload - or a payload that only contains 'password' - is treated as "no lookup".

hydrate()

protected function hydrate( array $row ): AuthUserContract;

Hydrates a raw user row into either the configured model class or a Phalcon\Auth\AuthUser value object.

loadUsers()

abstract protected function loadUsers(): array;

Returns the source list of user rows. Concrete subclasses decide where they come from (config array, JSON file, etc.).

matchesRow()

protected function matchesRow(
    array $row,
    array $credentials
): bool;

Strict per-key match of a row against credentials, skipping 'password'.

Auth\Adapter\AdapterLocator

Class Source on GitHub

Service locator for Phalcon\Auth adapters. Utilizes the container to obtain the service. For the Phalcon\Container\Container one can use autowiring. For the Phalcon\Di\Di, one needs to register the gates in it to be used here.

@extends AbstractLocator

Uses Phalcon\Contracts\Auth\Adapter\Adapter · Phalcon\Support\AbstractLocator

Method Summary

protected string getExceptionClass() protected string getInterfaceClass() protected array getServices()

Methods

Protected · 3

getExceptionClass()

protected function getExceptionClass(): string;

getInterfaceClass()

protected function getInterfaceClass(): string;

getServices()

protected function getServices(): array;

Auth\Adapter\Config\AbstractAdapterConfig

Abstract Source on GitHub

Uses Phalcon\Contracts\Auth\Adapter\AdapterConfig

Method Summary

public __construct( string $model = null ) public string|null getModel()

Properties

protected string|null $model = null

Methods

Public · 2

__construct()

public function __construct( string $model = null );

getModel()

public function getModel(): string|null;

Auth\Adapter\Config\MemoryAdapterConfig

Class Source on GitHub

Method Summary

public __construct(array $users = [],string $model = null) public array getUsers()

Properties

protected array $users = []

Methods

Public · 2

__construct()

public function __construct(
    array $users = [],
    string $model = null
);

getUsers()

public function getUsers(): array;

Auth\Adapter\Config\ModelAdapterConfig

Class Source on GitHub

Uses Phalcon\Auth\Exception · Phalcon\Auth\Exceptions\ConfigRequiresNonEmptyValue

Method Summary

public __construct(string $model,string $idColumn = "id") public string getIdColumn() public string getModel()

Properties

protected string $idColumn = "id"

Methods

Public · 3

__construct()

public function __construct(
    string $model,
    string $idColumn = "id"
);

getIdColumn()

public function getIdColumn(): string;

getModel()

public function getModel(): string;

Auth\Adapter\Config\StreamAdapterConfig

Class Source on GitHub

Uses Phalcon\Auth\Exception · Phalcon\Auth\Exceptions\ConfigRequiresNonEmptyValue

Method Summary

public __construct(string $file,string $model = null) public string getFile()

Properties

protected string $file

Methods

Public · 2

__construct()

public function __construct(
    string $file,
    string $model = null
);

getFile()

public function getFile(): string;

Auth\Adapter\Memory

Class Source on GitHub

In-memory adapter - useful for tests and small read-only user lists.

@extends AbstractArrayAdapter

Uses Phalcon\Auth\Adapter\Config\MemoryAdapterConfig · Phalcon\Auth\Internal\Options · Phalcon\Contracts\Auth\AuthUser · Phalcon\Contracts\Encryption\Security\Security

Method Summary

public __construct(Security $hasher,MemoryAdapterConfig $config) public static fromOptions(Security $hasher,array $options) public AuthUser|null retrieveById( mixed $id ) Overridden for O(1) lookup via the id index built in the constructor. protected array loadUsers()

Methods

Public · 3

__construct()

public function __construct(
    Security $hasher,
    MemoryAdapterConfig $config
);

fromOptions()

public static function fromOptions(
    Security $hasher,
    array $options
): static;

retrieveById()

public function retrieveById( mixed $id ): AuthUser|null;

Overridden for O(1) lookup via the id index built in the constructor.

Protected · 1

loadUsers()

protected function loadUsers(): array;

Auth\Adapter\Model

Class Source on GitHub

Phalcon Model-backed adapter.

@extends AbstractAdapter

Uses Phalcon\Auth\Adapter\Config\ModelAdapterConfig · Phalcon\Auth\Exception · Phalcon\Auth\Exceptions\DoesNotImplement · Phalcon\Auth\Internal\Options · Phalcon\Contracts\Auth\Adapter\RememberAdapter · Phalcon\Contracts\Auth\AuthRemember · Phalcon\Contracts\Auth\AuthUser · Phalcon\Contracts\Auth\RememberToken · Phalcon\Contracts\Encryption\Security\Security · Phalcon\Mvc\ModelInterface

Method Summary

public __construct(Security $hasher,ModelAdapterConfig $config) public RememberToken createRememberToken( AuthUser $user ) Create and persist a new remember token for the user. public static fromOptions(Security $hasher,array $options) public AuthUser|null retrieveByCredentials( array $credentials ) Find a user matching the given credentials (excluding 'password' key). public AuthUser|null retrieveById( mixed $id ) public AuthUser|null retrieveByToken(mixed $id,string $token,string $userAgent = null) Retrieve a user by the remember-me cookie payload.

Methods

Public · 6

__construct()

public function __construct(
    Security $hasher,
    ModelAdapterConfig $config
);

createRememberToken()

public function createRememberToken( AuthUser $user ): RememberToken;

Create and persist a new remember token for the user.

fromOptions()

public static function fromOptions(
    Security $hasher,
    array $options
): static;

retrieveByCredentials()

public function retrieveByCredentials( array $credentials ): AuthUser|null;

Find a user matching the given credentials (excluding 'password' key).

retrieveById()

public function retrieveById( mixed $id ): AuthUser|null;

retrieveByToken()

public function retrieveByToken(
    mixed $id,
    string $token,
    string $userAgent = null
): AuthUser|null;

Retrieve a user by the remember-me cookie payload.

Auth\Adapter\Stream

Class Source on GitHub

JSON file-backed adapter.

The file must contain a JSON array of user records: [{"id":1,"email":"a@b","password":""}, ...]

@extends AbstractArrayAdapter

Uses InvalidArgumentException · Phalcon\Auth\Adapter\Config\StreamAdapterConfig · Phalcon\Auth\Exception · Phalcon\Auth\Exceptions\FileCannotRead · Phalcon\Auth\Exceptions\FileDoesNotContainJson · Phalcon\Auth\Exceptions\FileDoesNotExist · Phalcon\Auth\Exceptions\FileNotValidJson · Phalcon\Auth\Internal\Options · Phalcon\Contracts\Encryption\Security\Security · Phalcon\Support\Helper\Json\Decode

Method Summary

public __construct(Security $hasher,StreamAdapterConfig $config) public static fromOptions(Security $hasher,array $options) protected array loadUsers() Loads and decodes the JSON users file. Re-read on every call - if you protected bool phpFileExists( string $filename ) protected phpFileGetContents( string $filename )

Methods

Public · 2

__construct()

public function __construct(
    Security $hasher,
    StreamAdapterConfig $config
);

fromOptions()

public static function fromOptions(
    Security $hasher,
    array $options
): static;
Protected · 3

loadUsers()

protected function loadUsers(): array;

Loads and decodes the JSON users file. Re-read on every call - if you need caching, wrap it.

phpFileExists()

protected function phpFileExists( string $filename ): bool;

phpFileGetContents()

protected function phpFileGetContents( string $filename );

Auth\AuthUser

Class Source on GitHub

Lightweight value object returned by array-backed adapters (Memory, Stream) when no application model class is configured.

Uses Phalcon\Auth\Exceptions\DataMustContainIdKey · Phalcon\Contracts\Auth\AuthUser

Method Summary

public __construct( array $data ) public int|string getAuthIdentifier() public string getAuthPassword() public array toArray() Returns the underlying data array.

Properties

protected array $data

Methods

Public · 4

__construct()

public function __construct( array $data );

getAuthIdentifier()

public function getAuthIdentifier(): int|string;

getAuthPassword()

public function getAuthPassword(): string;

toArray()

public function toArray(): array;

Returns the underlying data array.

Auth\Cli\AuthDispatcherListener

Class Source on GitHub

Uses Phalcon\Auth\AbstractAuthDispatcherListener · Phalcon\Auth\Exception · Phalcon\Cli\Dispatcher · Phalcon\Events\Event

Method Summary

public bool beforeExecuteRoute(Event $event,Dispatcher $dispatcher) protected string getActionType()

Methods

Public · 1

beforeExecuteRoute()

public function beforeExecuteRoute(
    Event $event,
    Dispatcher $dispatcher
): bool;
Protected · 1

getActionType()

protected function getActionType(): string;

Auth\Exception

Class Source on GitHub

Exceptions thrown in Phalcon\Auth will use this class

Auth\Exceptions\AccessDenied

Class Source on GitHub

Access denied exception

Uses Phalcon\Auth\Exception

Method Summary

public __construct(string $type,string $name)

Methods

Public · 1

__construct()

public function __construct(
    string $type,
    string $name
);

Auth\Exceptions\ConfigRequiresNonEmptyValue

Class Source on GitHub

Config requires non-empty value

Uses Phalcon\Auth\Exception

Method Summary

public __construct(string $configName,string $configKey,string $suffix = "")

Methods

Public · 1

__construct()

public function __construct(
    string $configName,
    string $configKey,
    string $suffix = ""
);

Auth\Exceptions\DataMustContainIdKey

Class Source on GitHub

AuthUser data must contain "id"

Uses Phalcon\Auth\Exception

Method Summary

public __construct()

Methods

Public · 1

__construct()

public function __construct();

Auth\Exceptions\DoesNotImplement

Class Source on GitHub

Does not implement interface

Uses Phalcon\Auth\Exception

Method Summary

public __construct(string $type,string $name)

Methods

Public · 1

__construct()

public function __construct(
    string $type,
    string $name
);

Auth\Exceptions\FileCannotRead

Class Source on GitHub

Cannot read file

Uses Phalcon\Auth\Exception

Method Summary

public __construct( string $path )

Methods

Public · 1

__construct()

public function __construct( string $path );

Auth\Exceptions\FileDoesNotContainJson

Class Source on GitHub

File does not contain a JSON array

Uses Phalcon\Auth\Exception

Method Summary

public __construct( string $path )

Methods

Public · 1

__construct()

public function __construct( string $path );

Auth\Exceptions\FileDoesNotExist

Class Source on GitHub

File does not exist

Uses Phalcon\Auth\Exception

Method Summary

public __construct( string $path )

Methods

Public · 1

__construct()

public function __construct( string $path );

Auth\Exceptions\FileNotValidJson

Class Source on GitHub

Not a valid JSON

Uses Phalcon\Auth\Exception · Throwable

Method Summary

public __construct(string $path,Throwable $ex)

Methods

Public · 1

__construct()

public function __construct(
    string $path,
    Throwable $ex
);

Auth\Guard\AbstractGuard

Abstract Source on GitHub

@template TConfig of GuardConfig

Uses Phalcon\Contracts\Auth\Adapter\Adapter · Phalcon\Contracts\Auth\AuthUser · Phalcon\Contracts\Auth\Guard\Guard · Phalcon\Contracts\Auth\Guard\GuardConfig · Phalcon\Events\AbstractEventsAware

Method Summary

public __construct(Adapter $adapter,GuardConfig $config) public bool check() public Adapter getAdapter() public GuardConfig getConfig() Returns the guard configuration object. public AuthUser|null getLastUserAttempted() public bool guest() public bool hasUser() public int|string|null id() public static setAdapter( Adapter $adapter ) public static setUser( AuthUser $user ) protected bool hasValidCredentials(mixed $user,array $credentials) user should be ?AuthUser

Properties

protected Adapter $adapter
protected GuardConfig $config
protected AuthUser | null $lastUserAttempted = null
protected AuthUser | null $user = null

Methods

Public · 10

__construct()

public function __construct(
    Adapter $adapter,
    GuardConfig $config
);

check()

public function check(): bool;

getAdapter()

public function getAdapter(): Adapter;

getConfig()

public function getConfig(): GuardConfig;

Returns the guard configuration object.

getLastUserAttempted()

public function getLastUserAttempted(): AuthUser|null;

guest()

public function guest(): bool;

hasUser()

public function hasUser(): bool;

id()

public function id(): int|string|null;

setAdapter()

public function setAdapter( Adapter $adapter ): static;

setUser()

public function setUser( AuthUser $user ): static;
Protected · 1

hasValidCredentials()

protected function hasValidCredentials(
    mixed $user,
    array $credentials
): bool;

user should be ?AuthUser

Auth\Guard\Config\AbstractGuardConfig

Abstract Source on GitHub

Uses Phalcon\Contracts\Auth\Guard\GuardConfig

Auth\Guard\Config\SessionGuardConfig

Class Source on GitHub

Configuration for the Session guard. Holds the names under which the session key and remember-me cookie are stored. Defaults to 'auth' and 'remember'; multi-guard apps can pass a $suffix ('web', 'admin', ...) to derive 'auth_web' / 'remember_web' style names, or override either full name explicitly.

Uses Phalcon\Auth\Exception · Phalcon\Auth\Exceptions\ConfigRequiresNonEmptyValue

Method Summary

public __construct(string $suffix = null,string $name = null,string $rememberName = null,mixed $rememberTtl = null) public string getName() public string getRememberName() public int getRememberTtl()

Constants

int DEFAULT_REMEMBER_TTL = 31536000 Default remember-me cookie lifetime, in seconds (365 days).

Methods

Public · 4

__construct()

public function __construct(
    string $suffix = null,
    string $name = null,
    string $rememberName = null,
    mixed $rememberTtl = null
);

getName()

public function getName(): string;

getRememberName()

public function getRememberName(): string;

getRememberTtl()

public function getRememberTtl(): int;

Auth\Guard\Config\TokenGuardConfig

Class Source on GitHub

Uses Phalcon\Auth\Exception · Phalcon\Auth\Exceptions\ConfigRequiresNonEmptyValue

Method Summary

public __construct(string $inputKey,string $storageKey) public string getInputKey() public string getStorageKey()

Properties

protected string $inputKey
protected string $storageKey

Methods

Public · 3

__construct()

public function __construct(
    string $inputKey,
    string $storageKey
);

getInputKey()

public function getInputKey(): string;

getStorageKey()

public function getStorageKey(): string;

Auth\Guard\GuardLocator

Class Source on GitHub

Service locator for Phalcon\Auth guards. Utilizes the container to obtain the service. For Phalcon\Container\Container one can use autowiring; for Phalcon\Di\Di, register the guards in it before resolution.

@extends AbstractLocator

Uses Phalcon\Contracts\Auth\Guard\Guard · Phalcon\Support\AbstractLocator

Method Summary

protected string getExceptionClass() protected string getInterfaceClass() protected array getServices()

Methods

Protected · 3

getExceptionClass()

protected function getExceptionClass(): string;

getInterfaceClass()

protected function getInterfaceClass(): string;

getServices()

protected function getServices(): array;

Auth\Guard\Session

Class Source on GitHub

@extends AbstractGuard

Uses DateTimeImmutable · Phalcon\Auth\Exception · Phalcon\Auth\Exceptions\DoesNotImplement · Phalcon\Auth\Guard\Config\SessionGuardConfig · Phalcon\Auth\Internal\ContainerResolver · Phalcon\Auth\Internal\Options · Phalcon\Contracts\Auth\Adapter\Adapter · Phalcon\Contracts\Auth\Adapter\RememberAdapter · Phalcon\Contracts\Auth\AuthRemember · Phalcon\Contracts\Auth\AuthUser · Phalcon\Contracts\Auth\Guard\BasicAuth · Phalcon\Contracts\Auth\Guard\GuardStateful · Phalcon\Contracts\Auth\RememberToken · Phalcon\Http\RequestInterface · Phalcon\Http\Response\CookiesInterface · Phalcon\Session\ManagerInterface · Phalcon\Support\Helper\Json\Encode · Phalcon\Time\Clock\ClockInterface · Phalcon\Time\Clock\SystemClock

Method Summary

public __construct(Adapter $adapter,RequestInterface $request,CookiesInterface $cookies,SessionManagerInterface $session,SessionGuardConfig $config = null,ClockInterface $clock = null) public bool attempt(array $credentials = [],bool $remember = false) public bool basic(string $field = "email",array $extraConditions = []) public static fromOptions(Adapter $adapter,mixed $container,array $options) public string getName() public string getRememberName() public void login(AuthUser $user,bool $remember = false) public false|AuthUser loginById(mixed $id,bool $remember = false) public void logout() public bool once( array $credentials = [] ) public false|AuthUser onceBasic(string $field = "email",array $extraConditions = []) public AuthUser|null user() public bool validate( array $credentials = [] ) public bool viaRemember() protected bool attemptBasic(string $field,array $extraConditions = []) protected array|null basicCredentials( string $field ) protected RememberToken createRememberToken( AuthUser $user ) protected UserRemember|null recaller() protected void rememberUser( AuthUser $user ) protected AuthUser|null userFromRecaller( UserRemember $recaller )

Properties

protected ClockInterface $clock
protected CookiesInterface $cookies
protected RequestInterface $request
protected SessionManagerInterface $session
protected bool $viaRemember = false

Methods

Public · 14

__construct()

public function __construct(
    Adapter $adapter,
    RequestInterface $request,
    CookiesInterface $cookies,
    SessionManagerInterface $session,
    SessionGuardConfig $config = null,
    ClockInterface $clock = null
);

attempt()

public function attempt(
    array $credentials = [],
    bool $remember = false
): bool;

basic()

public function basic(
    string $field = "email",
    array $extraConditions = []
): bool;

fromOptions()

public static function fromOptions(
    Adapter $adapter,
    mixed $container,
    array $options
): static;

getName()

public function getName(): string;

getRememberName()

public function getRememberName(): string;

login()

public function login(
    AuthUser $user,
    bool $remember = false
): void;

loginById()

public function loginById(
    mixed $id,
    bool $remember = false
): false|AuthUser;

logout()

public function logout(): void;

once()

public function once( array $credentials = [] ): bool;

onceBasic()

public function onceBasic(
    string $field = "email",
    array $extraConditions = []
): false|AuthUser;

user()

public function user(): AuthUser|null;

validate()

public function validate( array $credentials = [] ): bool;

viaRemember()

public function viaRemember(): bool;
Protected · 6

attemptBasic()

protected function attemptBasic(
    string $field,
    array $extraConditions = []
): bool;

basicCredentials()

protected function basicCredentials( string $field ): array|null;

createRememberToken()

protected function createRememberToken( AuthUser $user ): RememberToken;

recaller()

protected function recaller(): UserRemember|null;

rememberUser()

protected function rememberUser( AuthUser $user ): void;

userFromRecaller()

protected function userFromRecaller( UserRemember $recaller ): AuthUser|null;

Auth\Guard\Token

Class Source on GitHub

@extends AbstractGuard

Uses Phalcon\Auth\Guard\Config\TokenGuardConfig · Phalcon\Auth\Internal\ContainerResolver · Phalcon\Auth\Internal\Options · Phalcon\Contracts\Auth\Adapter\Adapter · Phalcon\Contracts\Auth\AuthUser · Phalcon\Http\RequestInterface

Method Summary

public __construct(Adapter $adapter,RequestInterface $request,TokenGuardConfig $config) public static fromOptions(Adapter $adapter,mixed $container,array $options) public string|null getTokenForRequest() public static setRequest( RequestInterface $request ) public AuthUser|null user() public bool validate( array $credentials = [] )

Properties

protected RequestInterface $request

Methods

Public · 6

__construct()

public function __construct(
    Adapter $adapter,
    RequestInterface $request,
    TokenGuardConfig $config
);

fromOptions()

public static function fromOptions(
    Adapter $adapter,
    mixed $container,
    array $options
): static;

getTokenForRequest()

public function getTokenForRequest(): string|null;

setRequest()

public function setRequest( RequestInterface $request ): static;

user()

public function user(): AuthUser|null;

validate()

public function validate( array $credentials = [] ): bool;

Auth\Guard\UserRemember

Final Source on GitHub

Value object representing the contents of a remember-me cookie.

  • Phalcon\Auth\Guard\UserRemember

Uses InvalidArgumentException · Phalcon\Support\Helper\Json\Decode

Method Summary

public __construct( mixed $payload ) Accepts either the raw JSON cookie value (string) or the already public int|string|null getId() public string getToken() public string getUserAgent()

Properties

protected int|string|null $id
protected string $token
protected string $userAgent

Methods

Public · 4

__construct()

public function __construct( mixed $payload );

Accepts either the raw JSON cookie value (string) or the already decoded associative array. Malformed input degrades to an empty payload so callers can read getters without null-guarding.

getId()

public function getId(): int|string|null;

getToken()

public function getToken(): string;

getUserAgent()

public function getUserAgent(): string;

Auth\Internal\ContainerResolver

Final Source on GitHub

Internal single source of truth for resolving services from either the new Phalcon\Container\Container or the legacy Phalcon\Di\Di. Not part of the public API.

Intent is Container-first; the legacy Di is supported "with provisions": definitions must be pre-registered (no autowiring), the one exception being the fresh path, which lets Di build an unregistered but existing class via its class builder.

All legacy-Di failures are normalized to Phalcon\Container\Exceptions so callers and userland catch a single exception family.

  • Phalcon\Auth\Internal\ContainerResolver

Uses Phalcon\Container\Exceptions\Exception · Phalcon\Contracts\Container\Service\Collection · Phalcon\Di\DiInterface · Phalcon\Di\Exception

Method Summary

public void ensureContainer( mixed $container ) Validates that the value is a supported container. public object requireService(mixed $container,array $candidates,string $context) Resolves the first candidate service name that the container can public object resolveFresh(mixed $container,string $name) Resolves a fresh instance: new() on the Container (bypasses the public array serviceCandidates(array $options,string $key,string $fqn,string $shortName) Builds the ordered candidate list for a framework service:

Methods

Public · 4

ensureContainer()

public static function ensureContainer( mixed $container ): void;

Validates that the value is a supported container.

requireService()

public static function requireService(
    mixed $container,
    array $candidates,
    string $context
): object;

Resolves the first candidate service name that the container can provide, as a shared instance. Used for framework services (request, cookies, session) whose container key may vary between application setups.

resolveFresh()

public static function resolveFresh(
    mixed $container,
    string $name
): object;

Resolves a fresh instance: new() on the Container (bypasses the instance cache); get() on the legacy Di (fresh for unregistered or non-shared services). On Di, an unregistered but existing class is still built via the class builder.

serviceCandidates()

public static function serviceCandidates(
    array $options,
    string $key,
    string $fqn,
    string $shortName
): array;

Builds the ordered candidate list for a framework service: an explicit override from options['services'][key] if present, otherwise the interface FQN followed by the conventional short name.

Auth\Internal\Options

Final Source on GitHub

Internal option-parsing helpers shared by adapter / guard fromOptions() implementations. Not part of the public API.

  • Phalcon\Auth\Internal\Options

Uses Phalcon\Auth\Exception

Method Summary

public array arrayOption(array $options,string $key,array $defaultValue) public array requireArray(array $options,string $key,string $context) public string requireString(array $options,string $key,string $context) public string|null stringOrNull(array $options,string $key)

Methods

Public · 4

arrayOption()

public static function arrayOption(
    array $options,
    string $key,
    array $defaultValue
): array;

requireArray()

public static function requireArray(
    array $options,
    string $key,
    string $context
): array;

requireString()

public static function requireString(
    array $options,
    string $key,
    string $context
): string;

stringOrNull()

public static function stringOrNull(
    array $options,
    string $key
): string|null;

Auth\Manager

Class Source on GitHub

Composes guards (authentication) and access gates (authorization) behind a single facade. Guard-specific behavior is reached through Manager::guard(); callers narrow with instanceof against the relevant capability interface (GuardStateful, BasicAuth, etc.).

Uses Phalcon\Auth\Access\AccessLocator · Phalcon\Auth\Exceptions\DoesNotImplement · Phalcon\Contracts\Auth\Access\Access · Phalcon\Contracts\Auth\Adapter\Adapter · Phalcon\Contracts\Auth\AuthUser · Phalcon\Contracts\Auth\Guard\Guard · Phalcon\Contracts\Auth\Guard\GuardStateful · Phalcon\Contracts\Auth\Manager

Method Summary

public __construct( AccessLocator $accessFactory ) public self access( string $accessName ) public self addAccessList( array $accessList ) public self addGuard(string $nameGuard,Guard $guard,bool $isDefault = false) public bool attempt(array $credentials = [],bool $remember = false) public bool check() public self except( string $actions ) public Access|null getAccess() public array getAccessList() public Guard|null getDefaultGuard() public array getGuards() public Guard guard( string $name = null ) public int|string|null id() public void logout() public self only( string $actions ) public self setAccess( Access $access ) public self setDefaultGuard( Guard $guard ) public AuthUser|null user() public bool validate( array $credentials = [] )

Properties

protected AccessLocator $accessFactory
protected Access | null $activeAccess = null
protected Guard | null $defaultGuard = null
protected array<string, Guard> $guards = []

Methods

Public · 19

__construct()

public function __construct( AccessLocator $accessFactory );

access()

public function access( string $accessName ): self;

addAccessList()

public function addAccessList( array $accessList ): self;

addGuard()

public function addGuard(
    string $nameGuard,
    Guard $guard,
    bool $isDefault = false
): self;

attempt()

public function attempt(
    array $credentials = [],
    bool $remember = false
): bool;

check()

public function check(): bool;

except()

public function except( string $actions ): self;

getAccess()

public function getAccess(): Access|null;

getAccessList()

public function getAccessList(): array;

getDefaultGuard()

public function getDefaultGuard(): Guard|null;

getGuards()

public function getGuards(): array;

guard()

public function guard( string $name = null ): Guard;

id()

public function id(): int|string|null;

logout()

public function logout(): void;

only()

public function only( string $actions ): self;

setAccess()

public function setAccess( Access $access ): self;

setDefaultGuard()

public function setDefaultGuard( Guard $guard ): self;

user()

public function user(): AuthUser|null;

validate()

public function validate( array $credentials = [] ): bool;

Auth\ManagerFactory

Class Source on GitHub

Single entry-point factory that builds a fully wired Phalcon\Auth\Manager from a config tree. Framework-shared services (RequestInterface, CookiesInterface, SessionManagerInterface) are resolved from the injected container so the manager wires against the real application singletons, not separately constructed copies.

[ 'guards' => [ 'web' => [ 'type' => 'session', 'default' => true, 'adapter' => [ 'name' => 'model', 'options' => [ 'model' => User::class ], ], 'options' => [], ], 'api' => [ 'type' => 'token', 'adapter' => [ 'name' => 'model', 'options' => [ 'model' => User::class ] ], 'options' => [ 'inputKey' => 'api_token', 'storageKey' => 'api_token' ], ], ], 'access' => [ 'auth' => \Phalcon\Auth\Access\Auth::class, 'guest' => \Phalcon\Auth\Access\Guest::class, ], ]

  • Phalcon\Auth\ManagerFactory

Uses Phalcon\Auth\Access\AccessLocator · Phalcon\Auth\Adapter\AdapterLocator · Phalcon\Auth\Guard\GuardLocator · Phalcon\Auth\Internal\ContainerResolver · Phalcon\Auth\Internal\Options · Phalcon\Config\ConfigInterface · Phalcon\Contracts\Auth\Access\Access · Phalcon\Contracts\Auth\Adapter\Adapter · Phalcon\Contracts\Auth\Guard\Guard · Phalcon\Contracts\Container\Service\Collection · Phalcon\Di\DiInterface · Phalcon\Encryption\Security

Method Summary

public __construct(Security $hasher,mixed $container,AdapterLocator $adapterLocator = null,GuardLocator $guardLocator = null,AccessLocator $accessLocator = null) public Manager load( mixed $config ) protected Adapter buildAdapter(AdapterLocator $locator,array $cfg) protected Guard buildGuard(GuardLocator $locator,string $type,Adapter $adapter,array $options)

Properties

protected AccessLocator $accessLocator
protected AdapterLocator $adapterLocator
protected Collection|DiInterface $container
protected GuardLocator $guardLocator
protected Security $hasher

Methods

Public · 2

__construct()

public function __construct(
    Security $hasher,
    mixed $container,
    AdapterLocator $adapterLocator = null,
    GuardLocator $guardLocator = null,
    AccessLocator $accessLocator = null
);

load()

public function load( mixed $config ): Manager;
Protected · 2

buildAdapter()

protected function buildAdapter(
    AdapterLocator $locator,
    array $cfg
): Adapter;

buildGuard()

protected function buildGuard(
    GuardLocator $locator,
    string $type,
    Adapter $adapter,
    array $options
): Guard;

Auth\Micro\AuthMicroListener

Class Source on GitHub

Listener that enforces the active Phalcon\Auth access gate on each Micro route execution. Attach to the events manager:

$eventsManager->attach('micro', new AuthMicroListener($manager)); $app->setEventsManager($eventsManager);

The action name is the matched route's name, falling back to the route pattern when the route is unnamed. The ACL component is the configured component name (default 'Micro'). redirectTo() is ignored - Micro has no forward mechanism.

No-op when no active access has been set on the manager.

Uses Phalcon\Auth\AbstractAuthDispatcherListener · Phalcon\Auth\Exception · Phalcon\Contracts\Auth\Manager · Phalcon\Events\Event · Phalcon\Mvc\Micro · Phalcon\Mvc\RouterInterface · Phalcon\Mvc\Router\RouteInterface

Method Summary

public __construct(Manager $manager,string $componentName = "Micro") public bool beforeExecuteRoute(Event $event,Micro $application) protected string getActionType()

Properties

protected string $componentName

Methods

Public · 2

__construct()

public function __construct(
    Manager $manager,
    string $componentName = "Micro"
);

beforeExecuteRoute()

public function beforeExecuteRoute(
    Event $event,
    Micro $application
): bool;
Protected · 1

getActionType()

protected function getActionType(): string;

Auth\Mvc\AuthDispatcherListener

Class Source on GitHub

Listener that enforces the active Phalcon\Auth access gate on each MVC dispatch. Attach to the events manager:

$eventsManager->attach('dispatch', new AuthDispatcherListener($manager));

No-op when no active access has been set on the manager.

Uses Phalcon\Auth\AbstractAuthDispatcherListener · Phalcon\Auth\Exception · Phalcon\Events\Event · Phalcon\Mvc\Dispatcher

Method Summary

public bool beforeExecuteRoute(Event $event,Dispatcher $dispatcher) protected string getActionType()

Methods

Public · 1

beforeExecuteRoute()

public function beforeExecuteRoute(
    Event $event,
    Dispatcher $dispatcher
): bool;
Protected · 1

getActionType()

protected function getActionType(): string;