When a request is submitted, the adapter will take the form data from the `Request` object,
apply any filters as appropriate (see the `'filters'` configuration setting below), and
query a model class using the filtered data. The data is then checked against any
validators configured, which can programmatically check submitted values against database values.
By default, the adapter uses a model called `Users`, and lookup fields called `'username'` and
`'password'`. These can be customized by setting the `'model'` and `'fields'` configuration keys,
respectively. The `'model'` key accepts either a model name (e.g. `Customers`), or a
fully-namespaced model class name (e.g. `my_app\models\Customers`). The `'fields'` setting
accepts an array of field names to use when looking up a user. An example configuration,
including a custom model class and lookup fields, might look like the following:
{{{
Auth::config(array(
    'customer' => array(
        'adapter' => 'Form',
        'model' => 'Customers',
        'fields' => array('email', 'password')
    )
));
}}}
If the field names present in the form match the fields used in the database lookup, the above
will suffice. If, however, the form fields must be matched to different database field names,
you can specify an array which matches up the form field names to their corresponding database
field names. Suppose, for example, user authentication information in a MongoDB database is
nested within a sub-object called `login`. The adapter could be configured as follows:
{{{
Auth::config(array(
    'customer' => array(
        'adapter' => 'Form',
        'model' => 'Customers',
        'fields' => array('username' => 'login.username', 'password' => 'login.password'),
        'scope' => array('active' => true)
    )
));
}}}
Note that any additional fields which should be included in the query may also be specified. For
example, if a user must select a group when logging in, you may override the `'fields'` key with
that value as well (e.g. `'fields' => array('username', 'password', 'group')`). If a field is
specified which is not present in the request data, the value in the authentication query will be
`null`. Note that this will only submit data that is specified in the incoming request. If you
would like to further limit the query using fixed conditions, use the `'scope'` key, as shown in
the example above.
## Pre-Query Filtering
As mentioned, prior to any queries being executed, the request data is modified by any filters
configured. Filters are callbacks which accept the value of a submitted form field as input, and
return a modified version of the value as output. Filters can be any PHP callable, e.g. a closure
or `array('ClassName', 'method')`.
For example, if you're doing simple password hashing against a legacy application, you can
configure the adapter as follows:
{{{
Auth::config(array(
    'default' => array(
        'adapter' => 'Form',
        'filters' => array('password' => array('lithium\util\String', 'hash')),
        'validators' => array('password' => false)
    )
));
}}}
This applies the default system hash (SHA-512) against the password prior to using it in the
query, and overrides `'validators'` to disable the default crypto-based query validation that
would occur after the query.
Note that if you are specifying the `'fields'` configuration using key / value pairs, the key
used to specify the filter must match the key side of the `'fields'` assignment. Additionally,
specifying a filter with no key allows the entire data array to be filtered, as in the following:
{{{
Auth::config(array(
    'default' => array(
        'adapter' => 'Form',
        'filters' => array(function ($data) {
            // Make any modifications to $data, including adding/removing keys
            return $data;
        })
    )
));
}}}
For more information, see the `_filters()` method or the `$_filters` property.
## Post-Query Validation
In addition to filtering data, you can also apply validators to check submitted form data
against database values programmatically. For example, the default adapter uses a cryptographic
hash function which operates in constant time to validate passwords. Configuring this validator
manually would work as follows:
{{{
use lithium\security\Password;

Auth::config(array(
    'default' => array(
        'adapter' => 'Form',
        'validators' => array(
            'password' => function($form, $data) {
                return Password::check($form, $data);
            }
        )
    )
));
}}}
As with filters, each validator can be defined as any PHP callable, and must be keyed using the
name of the form field submitted (if form and database field names do not match). If a validator
is specified with no key, it will apply to all data submitted. See the `$_validators` property
and the `_validate()` method for more information.
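The legacy SHA-512 setup from the filtering section can instead be handled by a validator, so the comparison happens after the query and in constant time. The following is an added example, not code from the Lithium project; the `$checkPassword` helper is hypothetical, and it assumes the stored password column holds either a 128-character unsalted SHA-512 hex digest (legacy rows) or a value produced by `Password::hash()`.

```php
<?php
use lithium\security\Auth;
use lithium\security\Password;

// Hypothetical helper (not part of Lithium): checks a submitted password
// against a stored value that is either a legacy SHA-512 hex digest or a
// hash produced by Password::hash().
$checkPassword = function($form, $data) {
    // A field missing from the request reaches the validator as null;
    // reject anything that is not a non-empty string on both sides.
    if (!is_string($form) || $form === '' || !is_string($data) || $data === '') {
        return false;
    }
    // Assumption: legacy rows hold exactly 128 hex characters.
    if (preg_match('/\A[0-9a-f]{128}\z/i', $data)) {
        // hash_equals() (PHP 5.6+) compares the two digests in constant time.
        return hash_equals(strtolower($data), hash('sha512', $form));
    }
    // Everything else goes through the default crypto-based check.
    return Password::check($form, $data);
};

Auth::config(array(
    'default' => array(
        'adapter' => 'Form',
        // No 'filters' entry for 'password': the validator needs the raw
        // submitted value, not a pre-hashed one.
        'validators' => array('password' => $checkPassword)
    )
));
```

Rows that match the legacy branch can be re-hashed with `Password::hash()` after a successful login, so the unsalted digests are phased out over time.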