Adapter
Adapter
Abstract authentication adapter.
class Adapter implements \Hazaar\Auth\AuthenticationAdapter , \ArrayAccessThis class is the base class for all of the supplied authentication adapters. This class takes care of the password hash generation and session management, including the autologin function.
Available options are:
encryption.hash - default: sha256
The hash algorithm to use to encrypt passwords. This can be a a single algorith, such as sha256, sha1 or any other algorithm supported by the PHP hash() function. You can use the hash_algos() function to get a list of available algorithms. Any unsupported algorithms are silently ignored.
This option can also be an array of algorithms. In which case each one will be applied in the order specified. During each iteration the hash will be appended with the original password (this helps prevent hash collisions) along with any salt value (see below) before being hashed with the next algorithm.
The default is sha256 for security. Please note that this breaks backwards compatibility with the 1.0 version of this module.
Runtime responsibilities include adapter instance lifecycle management, identity/credential verification, backend session state handling, and token transport persistence on outgoing responses.
Configuration Directives
encryption.count - default: 1
For extra obfuscation, it's possible to "hash the hash" this many times. This is the old method we used to add extra security to the hash, except we now also append the original password to the hash before hashing it. (too much hash?). In the case where the encryption.hash is a list of algorithms, each one of these will be applied as above for each count. So for example, if you have a list of 3 algorithms and the count is 3, your password will be hashed 9 times.
encryption.salt - default: null
For more security a salt value can be set which will be appended to each password when being hashed. If the password is being hashed multiple times then the salt is appended to the hash + password.
This is now more often used as a cache timeout value because on logon, certain data is obtained for a user and stored in cache. Sometimes obtaining this data can be processor intensive so we don't want to do it on every page load. Instead we do it, cache it, and then only do it again once this time passes.
Example Config (app.php)
return [
'development' => [
'encryption' => [
'hash' => ['md5', 'sha1', 'sha256'],
'salt' => 'mysupersecretsalt',
],
'autologin' => [
'period' => 365,
'hash' => 'sha1',
],
'timeout' => 28800,
],
];Properties
backend
Session backend implementation used for auth state storage.
public SessionBackend $backendtransport
Session transport implementation responsible for token persistence.
public SessionTransport $transportoptions
The configuration options.
protected array $optionsidentity
public string $identitycredential
public string $credentialnoCredentialHashing
Controls whether credential hashing is bypassed during verification.
private bool $noCredentialHashinginstances
Instances of adapters.
private array $instancescommitChanges
private bool $commitChangesMethods
__construct
Construct the adapter.
public __construct(array $config): voidParameters
| Parameter | Type | Description |
|---|---|---|
$config | array | The configuration options |
getInstance
Returns an instance of the specified authentication adapter.
public getInstance(?array $config): AdapterIf no configuration array is provided, it loads the configuration from the default source. Throws an InvalidArgumentException if the adapter is not specified or the class does not exist. Caches adapter instances for reuse.
Parameters
| Parameter | Type | Description |
|---|---|---|
$config | array |
setIdentity
Sets the identity for the authentication adapter.
public setIdentity(string $identity): voidParameters
| Parameter | Type | Description |
|---|---|---|
$identity | string | the identity to be set |
getCredentialHash
Get the encrypted hash of a credential/password.
public getCredentialHash(?string $credential): ?stringThis method uses the "encryption" options from the application configuration to generate a password hash based on the supplied password. If no password is supplied then the currently set credential is used.
NOTE: Keep in mind that if no credential is set, or it's null, or an empty string, this will still return a valid hash of that empty value using the defined encryption hash chain.
Parameters
| Parameter | Type | Description |
|---|---|---|
$credential | string |
authenticate
Attempts to authenticate a user using the provided identity and credential.
public authenticate(?string $identity, ?string $credential): ResultThis method performs the following steps:
- Trims and validates the provided identity and credential.
- Queries the authentication source for user data using the identity.
- Verifies that the returned data contains both 'identity' and 'credential' fields.
- Compares the provided identity and hashed credential with the stored values using a timing-safe comparison.
- On success, creates a session for the user and calls authenticationSuccess().
- On failure, clears any existing session and calls authenticationFailure().
Parameters
| Parameter | Type | Description |
|---|---|---|
$identity | string | The identity of the user (e.g., username, email). If null, defaults to an empty string. |
$credential | string | The credential of the user (e.g., password). If null, defaults to an empty string. |
refresh
public refresh(?string $token): ResultParameters
| Parameter | Type | Description |
|---|---|---|
$token | string |
authenticated
Checks if the user is authenticated.
public authenticated(): boolThis method verifies if the storage is not empty and contains an 'identity' key. If the storage is empty or does not have the 'identity' key, it clears the storage and returns false. Otherwise, it returns true indicating the user is authenticated.
getToken
Retrieves the authentication token from the backend.
public getToken(): ?ExpiringTokengetRefreshToken
Retrieves the refresh token from the backend.
public getRefreshToken(): ?ExpiringTokencheck
Check that the supplied password is correct for the current identity.
public check(string $identity, string $credential): boolThis is useful for checking an account password before allowing something important to be updated. This does the same steps as authenticate() but doesn't actually do the authentication.
Parameters
| Parameter | Type | Description |
|---|---|---|
$identity | string | |
$credential | string |
persistenceMode
Returns the persistence mode of the configured transport.
public persistenceMode(): TransportPersistenceControllers can use this to decide whether to include token data in the response body (ClientManaged) or rely on automatic cookie handling (ServerManaged).
if ($auth->persistenceMode() === TransportPersistence::ClientManaged) {
return new JSON($result->token);
}
return new Response('text/html', 200);clear
Clears the current authentication session from the backend.
public clear(): boolInstructs the backend to destroy all session state for the current identity and schedules a transport commit so that any persisted tokens (e.g. cookies or advisory headers) are cleared from the client on the next response.
unauthorised
Helper method that sets the basic auth header and throws an unauthorised exception.
public unauthorised(): voiddisableCredentialHashing
Toggles on/off the internal credential hashing algorithm.
public disableCredentialHashing(bool $value = true): voidThis is useful is you want to authenticate with an already hashed credential.
WARNING: This should NOT normally be used. And if it IS used, it should only be used to authenticate credentials supplied internally by the application itself, and not provided by a user/client/etc. Disabling password hash essentially turns this all into clear text credentials.
Parameters
| Parameter | Type | Description |
|---|---|---|
$value | bool |
toArray
Converts the authentication adapter data to an array.
public toArray(): voidThis method retrieves and returns the data from the backend as an array.
get
Retrieves a value from the storage based on the provided key.
public get(string $key): mixedParameters
| Parameter | Type | Description |
|---|---|---|
$key | string | the key used to retrieve the value from the storage |
set
Sets a value in the storage with the specified key.
public set(string $key, mixed $value): voidParameters
| Parameter | Type | Description |
|---|---|---|
$key | string | the key under which the value will be stored |
$value | mixed | the value to be stored |
has
Checks if a given key exists in the storage.
public has(string $key): boolParameters
| Parameter | Type | Description |
|---|---|---|
$key | string | the key to check for existence in the storage |
public (string $key): voidParameters
| Parameter | Type | Description |
|---|---|---|
$key | string |
offsetExists
public offsetExists(mixed $offset): boolParameters
| Parameter | Type | Description |
|---|---|---|
$offset | mixed |
offsetGet
public offsetGet(mixed $offset): mixedParameters
| Parameter | Type | Description |
|---|---|---|
$offset | mixed |
offsetSet
public offsetSet(mixed $offset, mixed $value): voidParameters
| Parameter | Type | Description |
|---|---|---|
$offset | mixed | |
$value | mixed |
offsetUnset
public offsetUnset(mixed $offset): voidParameters
| Parameter | Type | Description |
|---|---|---|
$offset | mixed |
getSessionData
Retrieves session data from the backend storage.
public getSessionData(): voidsetSessionBackend
Sets the storage adapter for authentication.
public setSessionBackend(string $backend, array $options): boolParameters
| Parameter | Type | Description |
|---|---|---|
$backend | string | the fully qualified class name of the storage backend |
$options | array | optional configuration options for the storage adapter |
setSessionTransport
Sets the session transport mechanism for authentication.
public setSessionTransport(string $transport, array $options): boolParameters
| Parameter | Type | Description |
|---|---|---|
$transport | string | the fully qualified class name of the session transport backend |
$options | array | optional configuration options to pass to the transport backend |
commit
Commits the authentication token to the response if available.
public commit(Response $response): voidRetrieves the authentication token from the backend. If a token exists, it persists the token using the transport mechanism into the provided response.
Parameters
| Parameter | Type | Description |
|---|---|---|
$response | Response | the response object to which the token should be persisted |
getIdentifier
Generates a hashed identifier for the given identity string.
protected getIdentifier(string $identity): ?stringThis method takes an identity string and returns its SHA-1 hash. If the identity string is empty or null, the method returns null.
Parameters
| Parameter | Type | Description |
|---|---|---|
$identity | string | the identity string to be hashed |
authenticationSuccess
Overload function called when a user is successfully authenticated.
protected authenticationSuccess(string $identity, array $data): voidThis can occur when calling authenticate() or authenticated() where a session has been saved. This default method does nothing but can be overridden.
Parameters
| Parameter | Type | Description |
|---|---|---|
$identity | string | The identity that was successfully authenticated |
$data | array | The data returned from the authentication query |
authenticationFailure
Overload function called when a user fails authentication.
protected authenticationFailure(string $identity, array $data): voidThis can occur when calling authenticate() or authenticated() where a session has been saved. This default method does nothing but can be overridden.
Parameters
| Parameter | Type | Description |
|---|---|---|
$identity | string | the identity that failed authentication |
$data | array | the data returned from the authentication query |
Generated by Hazaar API Doc Generator on Tue, 21 Apr 2026 04:00:24 +0000