Authentication
The framework provides cookie-based authentication backed by SQL repositories. The feature is opt-in and can be enabled or disabled via the CLI.
Enable with the CLI
From the app root (where index.php and mvc.config.json live):
```shell
vendor/bin/mvc auth:enable [--path=<app-dir>] [--skip-migrations]
```
Without --skip-migrations, the CLI creates a timestamped migration folder under your migrations/ directory. The forward script creates the default auth tables (users, user_roles, sign-up/reset-password challenge tables, and session tables). The rollback script drops them.
Prerequisite: the migrations module must already be enabled:
```shell
vendor/bin/mvc migrations:enable --path=<app-dir>
```
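A preflight wrapper for the enable step, added here as an illustration and not part of the framework: it checks the app root and the migrations prerequisite, runs `auth:enable`, and prints the migration folder the CLI generated so the schema change can be reviewed before it is applied. The function name `enable_auth` and the use of an existing `migrations/` directory as the sign that the migrations module is enabled are assumptions.

```shell
#!/bin/sh
# Added example (not framework code): guard and run `mvc auth:enable`, then
# report the newly generated migration folder(s) under migrations/.
# Assumption: an existing migrations/ directory in the app root means
# `mvc migrations:enable` has already been run.

enable_auth() {
    app=$1

    # The CLI is run from the app root, where these two files live.
    for f in index.php mvc.config.json; do
        [ -f "$app/$f" ] || { echo "missing $app/$f: not an app root" >&2; return 2; }
    done
    [ -x "$app/vendor/bin/mvc" ] || { echo "vendor/bin/mvc not found in $app" >&2; return 3; }
    [ -d "$app/migrations" ] || {
        echo "no migrations/ directory: enable the migrations module first" >&2
        return 4
    }

    # Snapshot migrations/ so the folder created by auth:enable can be identified.
    before=$(ls -1 "$app/migrations" | sort)
    ( cd "$app" && vendor/bin/mvc auth:enable ) || return 5
    after=$(ls -1 "$app/migrations" | sort)

    # Entries that exist only after the run are the generated migration(s).
    new=$(printf '%s\n' "$after" | grep -Fxv -e "$before" || true)
    [ -n "$new" ] || { echo "auth:enable generated no migration folder" >&2; return 6; }

    printf '%s\n' "$new"
}

# Stand-alone use: ./enable-auth.sh /path/to/app
if [ $# -gt 0 ]; then
    enable_auth "$1"
fi
```

Review the forward and rollback scripts in the printed folder, then apply them with `mvc migrations:run`.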
Disable
```shell
vendor/bin/mvc auth:disable [--path=<app-dir>] [--skip-migrations]
```
Without --skip-migrations, a new migration is created whose forward script drops the auth tables (rollback recreates them). Run mvc migrations:run when you want the teardown applied.
Entrypoint wiring
After enabling in mvc.config.json, load the config at runtime and call useAuthentication() / useAuthorization():
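```php
use PhpMvc\Config\MvcConfig;

// Load mvc.config.json from the app root.
$config = MvcConfig::load($basePath);

// Register authentication and authorization only when the feature is enabled.
if ($config->isAuthenticationEnabled()) {
    $app->useAuthentication();
    $app->useAuthorization();
}

$app->run();
```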
You can also call these unconditionally if you don't need the config flag:
```php
$app->useAuthentication();
$app->useAuthorization();
$app->run();
```
Wiring the dependencies
After enabling the feature, register the security dependencies in your composition root:
```php
use PhpMvc\Security\Dependencies;

Dependencies::configure($container);
```
This wires all the authentication services. The database schema must match the migrations generated by mvc auth:enable.
Use cases
The security module ships these application use cases under PhpMvc\Security\Application\:
| Use case | Description |
|---|---|
| `SignUp` | Register a new user; triggers a sign-up challenge. |
| `SignIn` | Authenticate with credentials; sets the auth cookie. |
| `SignOut` | Invalidate the session and clear the auth cookie. |
| `RefreshSignInSession` | Extend the session TTL on active requests. |
| `RequestResetPassword` | Initiate a password-reset flow; triggers a challenge. |
| `ModifyUserIdentityPassword` | Change password given the current password. |
| `ActivateUserIdentity` | Activate a newly registered user after challenge verification. |
| `GetIdentity` | Retrieve the current identity from context. |
Wire them through the container and expose them via controllers.
Related documentation
- Authorization — role-based route protection.
- Identity Manager — custom `IdentityManager` and `ChallengeNotificator`.
- Database Migrations — prerequisite for default SQL storage.