PHP auth example
In this example, we add authentication and access control to a PHP application.
To demonstrate both authentication and access control, our application will have several routes:
|Home page (index.php)||(opens new window)|
|User dashboard, for logged in users only||(opens new window)|
|Admin dashboard, for admins only||(opens new window)|
|Login page||(opens new window)|
|Password reset page||(opens new window)|
We cover each route below, along with an interactive sample at the end.
At a high level, PHP authentication is structured in 2 parts:
Send an initial request to Userfront to get the JWT access token and save it as a cookie. This is what the signup and login forms do.
Send the JWT access token as a cookie to your server with each subsequent request. To verify the JWT access token, we will use the PHP-JWT library(opens new window)
Logged in vs. logged out
When someone new visits the Home page, they should see a signup form.
When a user is logged in and visits the Home page, they should see navigation to visit the dashboard, as well as a button to logout.
In the event that the user does not have access to a page, we want to redirect them:
|If the user visits||Redirect to|
With Userfront, a logged in user will have a JWT access token saved in their cookies as
In this example, we use
For showing and hiding simple things that are not sensitive, we can check whether the user has a JWT access token.
If the user does have a token present, we can display items as though they are logged in, and if not, we can display items as though they are logged out.
For this site, we show a link to the dashboard if logged in, and we show the signup form if logged out.
For any sensitive information, we want to protect our routes as described next.
Logged in home page:
Logged out home page:
To protect a route in PHP, we need to verify that the JWT access token is valid and has not expired.
To verify our JWT access token, we can use the account's JWT public key.
We will use the open source PHP-JWT(opens new window) library to verify our JWT access tokens. We can install this library with composer:
You can find your JWT public key in the
Settings section of your dashboard.
Be sure to use your test mode key when in test mode, and your live mode key when in live mode.
If the JWT access token is not present or is invalid, we redirect to
/login.php. Otherwise, we display the dashboard page.
There are 2 forms of authentication here:
- If the JWT access token is not present in the cookies, redirect to
- If the JWT access token is not valid for any reason, remove all Userfront cookies and redirect to
Logged in dashboard page:
If you haven't already, install the JWT-PHP(opens new window) library:
The admin route is similar to the protected route, except in addition to verifying the JWT access token, we also check that the JWT access token has an admin role.
Logged in admin page:
Here is the an additional check to make sure the JWT access token has the admin role:
JWT access token payload
The JWT access token has an
authorization object that contains the user's roles:
The above routes are combined into a working sample below, where you can navigate a website running the live code.