dereuromark/cakephp-tinyauth-backend

CakePHP TinyAuth backend

A database-driven backend for the CakePHP TinyAuth plugin. It replaces the native INI file approach: the allow/auth rules live in the database and are edited through an admin UI instead of in files.

This branch is for use with CakePHP 5.1+. For details see version map.

Installation

Install the plugin with composer from your CakePHP project's ROOT directory (where composer.json file is located)

composer require dereuromark/cakephp-tinyauth-backend

It will auto-require the dereuromark/cakephp-tinyauth dependency.

Admin Access Requirement

The plugin mounts its admin UI under /admin/auth.

As of the current master, admin access is fail-closed outside debug mode:

  • debug = true: the admin UI is accessible by default with no editor check, which is intended for local setup and demos only
  • debug = false: the admin UI returns 403 unless your app explicitly configures TinyAuthBackend.editorCheck

Production apps must therefore run with debug = false and set TinyAuthBackend.editorCheck to a callable that decides who may edit TinyAuth rules. The callable receives the current identity (null when nobody is logged in) and the request, and must return true only for users allowed to edit. For example, restricting editing to a single role id:

use Cake\Core\Configure;
use Psr\Http\Message\ServerRequestInterface;

Configure::write(
    'TinyAuthBackend.editorCheck',
    function (mixed $identity, ServerRequestInterface $request): bool {
        if ($identity === null) {
            return false; // not authenticated: never an editor
        }

        // The identity may be an object exposing get() (e.g. an Authentication identity)
        // or a plain array; read role_id from whichever form is present.
        $roleId = is_object($identity) && method_exists($identity, 'get')
            ? $identity->get('role_id')
            : ($identity['role_id'] ?? null);

        // 3 stands for whatever role id your app uses for administrators; adjust to your schema.
        return (int)$roleId === 3;
    },
);

Strict Content-Security-Policy (optional)

The plugin's admin UI is built to run under a strict Content-Security-Policy header — no script-src 'unsafe-eval', no style-src 'unsafe-inline'. Inline <script> blocks in the layout carry a per-request nonce read from $this->getRequest()->getAttribute('cspNonce'), so any host-app middleware that sets that attribute and emits a matching Content-Security-Policy header will just work.

Two host-app concerns to be aware of:

  1. CSP middleware — the plugin does not ship its own. Add a small middleware to your app that generates a per-request nonce, exposes it as the cspNonce request attribute, and emits a Content-Security-Policy header with 'nonce-…' in script-src. The companion cakephp-tinyauth-demo shows a ~50-line implementation in src/Middleware/StrictCspMiddleware.php.

  2. FormHelper hiddenBlock template — out of the box, CakePHP wraps every CSRF token in <div style="display:none;">…</div>, which violates strict style-src. Override the template once in your AppView::initialize():

    public function initialize(): void
    {
        $this->loadHelper('Form', [
            'templates' => [
                'hiddenBlock' => '<div hidden>{{content}}</div>',
            ],
        ]);
    }

    This swaps the inline style for the HTML5 hidden attribute, which needs no CSS. A single override eliminates one CSP violation per Form->postLink() / Form->postButton() on every page, since each of those renders its CSRF token inside the hiddenBlock template.
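Putting the first concern into code: the PSR-15 middleware below is an added example written for this README, not the plugin's own code and not the demo project's StrictCspMiddleware. It assumes the class lives in the host app's App\Middleware namespace and that the policy it emits (default-src 'self', script-src limited to 'self' plus the per-request nonce, style-src 'self' with no 'unsafe-inline', object-src 'none', base-uri 'self', frame-ancestors 'none') is acceptable for your app; tighten or loosen the directives to match what your own pages load.

```php
<?php
declare(strict_types=1);

namespace App\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Illustrative host-app middleware (not shipped by the plugin) that
 * - generates a fresh 128-bit nonce for every request,
 * - exposes it as the `cspNonce` request attribute the plugin's layout reads, and
 * - emits a strict Content-Security-Policy header whose script-src trusts only that nonce.
 */
class StrictCspMiddleware implements MiddlewareInterface
{
    /** Request attribute name the plugin's layout reads the nonce from. */
    public const ATTRIBUTE = 'cspNonce';

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $nonce = self::generateNonce();

        // Controllers and views downstream read the nonce via getAttribute('cspNonce').
        $response = $handler->handle($request->withAttribute(self::ATTRIBUTE, $nonce));

        // withHeader() replaces any weaker policy another layer may have set, rather than merging.
        return $response->withHeader('Content-Security-Policy', self::buildPolicy($nonce));
    }

    /**
     * 16 bytes from PHP's CSPRNG, base64-encoded so the value is a valid nonce-source token.
     * A nonce must be unpredictable and unique per response; never reuse or cache it.
     */
    public static function generateNonce(): string
    {
        return base64_encode(random_bytes(16));
    }

    /**
     * Builds the policy string. Directive set is an assumption for this example;
     * adjust it to the resources your own pages actually load.
     */
    public static function buildPolicy(string $nonce): string
    {
        $directives = [
            "default-src 'self'",
            // Only inline <script> blocks carrying exactly this nonce may run; no 'unsafe-eval'.
            "script-src 'self' 'nonce-{$nonce}'",
            // No 'unsafe-inline': this is why the hiddenBlock override above is required.
            "style-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'",
        ];

        return implode('; ', $directives);
    }
}
```

Register it in your Application::middleware() with $middlewareQueue->add(new StrictCspMiddleware()). Adding it as the first entry makes it the outermost middleware, so the nonce attribute is already present when ErrorHandlerMiddleware renders an error page and the header is still applied to that response; if it is added after the error handler, an uncaught exception bypasses the withHeader() call and the error page ships without a policy.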

The included tests/TestCase/CspComplianceTest.php (template-source scan) and tests/TestCase/Controller/Admin/RenderedCspComplianceTest.php (rendered-HTML check) guard against regressions.

Usage

See Docs.
