The popphp/pop-auth component is an authentication component that provides different adapters to authenticate a user’s identity. It is not to be confused with the ACL component, as that deals with user roles and access to certain resources and not authenticating user identity.


Install it directly into your project:

composer require popphp/pop-auth

Or, include it in your composer.json file:

    "require": {
        "popphp/pop-auth": "2.1.*",

Basic Use

You can authenticate using a file, a database, over HTTP or over LDAP.


For this example, we use a file called .htmyauth containing a colon-delimited list of usernames and encrypted passwords:

admin:$...some hash...
editor:$...some hash...
reader:$...some hash...
use Pop\Auth\Auth;
use Pop\Auth\Adapter\File;

$auth = new Auth(new File('/path/to/.htmyauth', Auth::ENCRYPT_CRYPT));
$auth->authenticate('admin', '12admin34');

if ($auth->isValid()) { } // Returns true


For this example, there is a table in a database called ‘users’ and a correlating table class called MyApp\\Users that extends Pop\\Db\\Record.

For simplicity, the table has a column called username and a column called password. The value of the password column is encrypted using bcrypt. These are all options that can be set to whatever the user decides them to be. But, by default, the table adapter will look for a username column and a password column unless otherwise specified.

use Pop\Auth\Auth;
use Pop\Auth\Adapter\Table;

$auth = new Auth(new Table('MyApp\Users'), Auth::ENCRYPT_BCRYPT);

// Attempt #1
$auth->authenticate('admin', 'bad-password');

// Returns false because the value of the hashed attempted
// password does not match the hash in the database
if ($auth->isValid()) { }

// Attempt #2
$auth->authenticate('admin', '12admin34');

// Returns true because the value of the hashed attempted
// password matches the hash in the database
if ($auth->isValid()) { }


In this example, the user can simply authenticate using a remote server over HTTP. Based on the headers received from the initial request, the Http adapter will auto-detect most things, like the the auth type (Basic or Digest), content encoding, etc.

use Pop\Auth\Auth;
use Pop\Auth\Adapter\Http;

$auth = new Auth(new Http('https://www.domain.com/auth', 'post'));
$auth->authenticate('admin', '12admin34');

if ($auth->isValid()) { } // Returns true


Again, in this example, the user can simply authenticate using a remote server, but this time, using LDAP. The user can set the port and other various options that may be necessary to communicate with the LDAP server.

use Pop\Auth\Auth;
use Pop\Auth\Adapter\Ldap;

$auth = new Auth(new Ldap('ldap.domain', 389, [LDAP_OPT_PROTOCOL_VERSION => 3]));
$auth->authenticate('admin', '12admin34');

if ($auth->isValid()) { } // Returns true