CodeIgniter 4 – Security Module (JWT, Rolebased Permissions, etc)

CodeIgniter was my go-to framework a long time ago, but then I started using the Laravel PHP framework and went on to use other backend technologies such as Java Spring Boot and the Node.js-based NestJS. Now I am back to using CodeIgniter; this time I am going to upgrade my PHP CodeIgniter website generator at to generate CI 4 based code instead of CI 3. The generator itself was built on CodeIgniter 3 in 2011, so the goal is first to upgrade the generator to the CI4 framework and then to change it to generate CodeIgniter 4 websites. As part of that work I have implemented a Security module which is very lightweight and supports role-based permissions. As I couldn’t find any publicly available modules built specifically for CodeIgniter, I thought I would share it with others who need a similar module. The source code for the project is available for download at or by visiting the repository at

You can follow the README to see how to use the module and which functionalities are available in it. Here is the detailed documentation if you want to know more about the design and implementation.

Data model design

First I came up with the data model considering that the admin should be able to configure the access for users without touching the code. Also it should be possible for users to have more than one role.

The data model for storing user, roles and permissions data


The following features are supported by the module. The current version is built to be used by an API, so it uses JWT-based authentication; it can easily be extended to support cookie / session based authentication.

User Management

Users can register, log in, verify their email address and see their own profile data. The following routes are available for user management.

User registration

Endpoint: /api/register


User registration request

User login

Endpoint: /api/login


Login request

User Profile

Endpoint: /api/me


Endpoint to get logged in user details

Notice that in the above scenario the JWT returned by the login API call has been passed as the bearer token.


The module provides two filters. One is for throttling and the other is for securing endpoints.

The throttling filter protects the login endpoint by limiting the number of login attempts allowed within a given time frame. Currently it is limited to 3 per minute and can easily be changed as per your requirement.

The “authFilter” can be used to protect routes/endpoints from users who are not logged in. Below is an example setup where the authFilter is used.

Using authFilter to protect routes
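
What a bearer-token check of this kind has to do before the request reaches a controller, as an added example that is not the module's own code. It is plain PHP with no framework or JWT library and assumes HS256 tokens carrying an `exp` claim; the function names, the secret and the claims are hypothetical.

```php
<?php
const DEMO_SECRET = 'constructed-demo-secret'; // constructed; load the real key from config
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64url_decode(string $txt): ?string
{
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4);
    $bin = base64_decode(strtr($txt, '-_', '+/') . $pad, true);
    return $bin === false ? null : $bin;
}

// Hypothetical issuer, standing in for what a login endpoint would return.
function jwt_sign(array $claims, string $secret): string
{
    $head = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url_encode(json_encode($claims));
    return "$head.$body." . b64url_encode(hash_hmac('sha256', "$head.$body", $secret, true));
}

// Returns the claims for a valid "Bearer <jwt>" header value, or null to reject.
function verify_bearer(string $authHeader, string $secret, int $now): ?array
{
    if (!preg_match('/^Bearer\s+([\w-]+)\.([\w-]+)\.([\w-]+)$/D', $authHeader, $m)) {
        return null;
    }
    [, $head, $body, $sig] = $m;
    // Pin the algorithm instead of trusting whatever the token header names.
    $header = json_decode((string) b64url_decode($head), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    // Recompute the MAC and compare in constant time; claims are read only after it matches.
    $mac = hash_hmac('sha256', "$head.$body", $secret, true);
    if (!hash_equals($mac, (string) b64url_decode($sig))) {
        return null;
    }
    $claims = json_decode((string) b64url_decode($body), true);
    return is_array($claims) && is_int($claims['exp'] ?? null) && $claims['exp'] > $now ? $claims : null;
}

$now   = 1700000000; // constructed fixed clock so the demo is repeatable
$token = jwt_sign(['sub' => 7, 'exp' => $now + 3600], DEMO_SECRET);
[$h, , $s] = explode('.', $token);
$edited = "$h." . b64url_encode(json_encode(['sub' => 1, 'exp' => $now + 3600])) . ".$s";
var_dump(verify_bearer("Bearer $token", DEMO_SECRET, $now) !== null);        // untouched token
var_dump(verify_bearer("Bearer $edited", DEMO_SECRET, $now) !== null);       // payload changed after signing
var_dump(verify_bearer("Bearer $token", DEMO_SECRET, $now + 7200) !== null); // clock past exp
```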


Helper functions are provided to fine-tune access further. They check whether the logged-in user has a given role or permission, which is useful for implementing permission-based functionality within controllers. The following helper functions are available.

  • hasRole($role_name) – Checks whether the user has the given role
  • hasPermission($permission_name) – Checks whether the user has the given permission
  • isLoggedIn() – Returns true/false based on whether the user is logged in
  • getUsername() – Returns the name of the logged-in user
  • getUserid() – Returns the id of the logged-in user
  • getUser() – Returns the user instance of the logged-in user with all attributes
  • loginUser(User $user) – Logs in the user. Used by the AuthFilter to set the user id on the request object after validating the JWT

To use these functions, first load the helper; you can then call any of them as shown below.


    // Inside a controller method, after the module's helper has been loaded
    if (!hasPermission('manage_user')) {
        return $this->respond([
            'status'  => 'fail',
            'message' => 'You don\'t have permission to access the data'
        ], 403);
    }

Further changes

I am working on an admin dashboard which provides a portal for admins to manage users, configure roles and permissions, and associate roles with permissions. Below are some screenshots from the portal. The portal is compatible with the above user auth module but is not part of the open source project; you can contact me if you want to buy it for the price of two coffees ($9).

A full-stack developer, learning and developing web applications since my university days, for more than 20 years now, and a Pega Certified Lead System Architect (since 2013) with nearly 16 years of experience in Pega.

8 thoughts on “CodeIgniter 4 – Security Module (JWT, Rolebased Permissions, etc)

  1. Thank you for sharing your file.
    We checked the data you shared well.
    We would like to purchase the manager screen from you.
    Please be sure to contact us.
    Thank you again for sharing your data.
