PHPackages                             ados-labs/enterprise-admin-panel - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Admin Panels](/categories/admin)
4. /
5. ados-labs/enterprise-admin-panel

ActiveLibrary[Admin Panels](/categories/admin)

ados-labs/enterprise-admin-panel
================================

Enterprise Lightning Framework Package 0: Admin panel with cryptographic dynamic URLs, multi-channel 2FA, and modular architecture

v1.0.0(5mo ago)00MITPHPPHP ^8.1

Since Feb 1Pushed 5mo agoCompare

[ Source](https://github.com/adoslabsproject-gif/enterprise-admin-panel)[ Packagist](https://packagist.org/packages/ados-labs/enterprise-admin-panel)[ Docs](https://github.com/adoslabsproject-gif/enterprise-admin-panel)[ RSS](/packages/ados-labs-enterprise-admin-panel/feed)WikiDiscussions main Synced today

READMEChangelogDependencies (8)Versions (2)Used By (0)

Enterprise Admin Panel
======================

[](#enterprise-admin-panel)

> **Author:** Nicola Cucurachi **Enterprise Lightning Framework - Package 0**

Admin panel with cryptographic dynamic URLs. No predictable `/admin` endpoints.

---

What This Does
--------------

[](#what-this-does)

Traditional admin panels use `/admin`. Attackers know this. They scan for it. They brute-force it.

This panel generates URLs like:

```
/x-d4e8f2a9c6b1d5f3e7a2b8c4d9f1e6a3/login

```

- 128-bit entropy per URL
- 2FA enabled by default
- Emergency access token (bypasses login + 2FA)
- `/admin` returns 404

---

Features Overview
-----------------

[](#features-overview)

FeatureDescription**Cryptographic URLs**128-bit entropy, impossible to guess**Two-Factor Auth**Email, Telegram, Discord, Slack, TOTP**Session Management**Database-backed, 256-bit session IDs**CSRF Protection**Per-session tokens, constant-time comparison**Database Pool**Connection pooling with circuit breaker**Audit Logging**All actions logged with IP, user agent**Emergency Access**Recovery tokens for lockout scenarios**Multi-Channel Notifications**URL rotation alerts, security alerts---

Requirements
------------

[](#requirements)

- PHP 8.2+
- PostgreSQL 14+ or MySQL 8.0+
- Redis 7+ (optional, for distributed circuit breaker)
- Docker/OrbStack (for local development)

---

Installation
------------

[](#installation)

### Step 1: Create Project

[](#step-1-create-project)

```
mkdir myproject && cd myproject
```

### Step 2: Create composer.json

[](#step-2-create-composerjson)

```
cat > composer.json  docker-compose.yml  .env get(TwoFactorService::class);

// Generate secret and QR code
$setup = $twoFactorService->setupTOTP($userId);
// Returns: ['secret' => 'BASE32...', 'qr_uri' => 'otpauth://totp/...', 'recovery_codes' => [...]]

// Enable after user verifies code
$twoFactorService->enable($userId, 'totp', $verificationCode);
```

### Telegram 2FA

[](#telegram-2fa)

1. Create a Telegram bot via [@BotFather](https://t.me/botfather)
2. Get the bot token
3. User sends `/start` to your bot
4. Get user's chat ID from the message

```
# .env
TELEGRAM_BOT_TOKEN=123456789:ABC-DEF1234ghIkl-zyx57W2v1u123ew11
```

```
// Configure user's Telegram
$notificationService->configureUserChannel($userId, 'telegram', $chatId);
```

### Discord 2FA

[](#discord-2fa)

1. Create a Discord webhook in your server settings
2. Add webhook URL to `.env`
3. Configure user's Discord ID

```
# .env
DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/123456789/abcdef...
```

```
// Configure user's Discord
$notificationService->configureUserChannel($userId, 'discord', $discordUserId);
```

### Slack 2FA

[](#slack-2fa)

1. Create Slack Incoming Webhook in your workspace
2. Add webhook URL to `.env`
3. Configure user's Slack ID

```
# .env
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/YOUR/WEBHOOK/URL
```

```
// Configure user's Slack
$notificationService->configureUserChannel($userId, 'slack', $slackUserId);
```

### Enable Notification Channels in Database

[](#enable-notification-channels-in-database)

Enable channels via admin config:

```
-- Enable Telegram notifications
INSERT INTO admin_config (key, value) VALUES ('notification_telegram_enabled', 'true');

-- Enable Discord notifications
INSERT INTO admin_config (key, value) VALUES ('notification_discord_enabled', 'true');

-- Enable Slack notifications
INSERT INTO admin_config (key, value) VALUES ('notification_slack_enabled', 'true');
```

### Recovery Codes

[](#recovery-codes)

When TOTP is enabled, 8 recovery codes are generated:

- Format: `XXXX-XXXX` (hex)
- One-time use
- Stored as bcrypt hashes
- Can be regenerated from profile

---

Session Management
------------------

[](#session-management)

### Features

[](#features)

- **256-bit session IDs** - Cryptographically secure
- **Database-backed** - No filesystem dependency
- **60-minute lifetime** - With activity-based extension
- **Multi-device tracking** - View/revoke sessions

### Session Lifecycle

[](#session-lifecycle)

1. Login → 60-minute session created
2. Activity within last 5 minutes before expiry → Extended by 60 minutes
3. No activity → Session expires
4. Explicit logout → Session destroyed

### Configuration

[](#configuration)

```
// Default configuration
const SESSION_ID_BYTES = 32;            // 256-bit
const SESSION_MAX_LIFETIME_MINUTES = 60;
const SESSION_EXTENSION_WINDOW_MINUTES = 5;
const SESSION_EXTENSION_AMOUNT_MINUTES = 60;
const CSRF_TOKEN_BYTES = 32;
```

### API

[](#api)

```
$sessionService = $container->get(SessionService::class);

// Create session after login
$sessionId = $sessionService->create($userId, $clientIp, $userAgent);

// Validate session
$session = $sessionService->validate($sessionId);

// Get all user sessions
$sessions = $sessionService->getUserSessions($userId);

// Destroy all sessions except current
$sessionService->destroyAllExcept($userId, $currentSessionId);

// Flash messages
$sessionService->flash($sessionId, 'success', 'Password changed');
$message = $sessionService->getFlash($sessionId, 'success');

// CSRF token
$token = $sessionService->getCsrfToken($sessionId);
$valid = $sessionService->verifyCsrfToken($sessionId, $submittedToken);
```

---

CLI Commands
------------

[](#cli-commands)

All commands are in `vendor/ados-labs/enterprise-admin-panel/elf/`.

**All commands require triple authentication:**

- `--token=` Master CLI token
- `--email=` Admin email
- `--password=` Admin password

### Available Commands

[](#available-commands)

CommandDescription`install.php`First-time installation`url-get.php`Retrieve current admin URL`url-rotate.php`Rotate admin URL (security)`password-change.php`Change admin password`token-master-regenerate.php`Regenerate master CLI token`token-emergency-create.php`Create emergency access token`token-emergency-use.php`Use emergency token for access`cache-clear.php`Clear application cache`opcache-setup.php`Setup OPcache configuration### Get Admin URL

[](#get-admin-url)

```
php vendor/ados-labs/enterprise-admin-panel/elf/url-get.php \
  --token=MASTER_TOKEN \
  --email=admin@example.com \
  --password=YOUR_PASSWORD
```

### Change Password

[](#change-password)

```
php vendor/ados-labs/enterprise-admin-panel/elf/password-change.php \
  --token=MASTER_TOKEN \
  --email=admin@example.com \
  --password=CURRENT \
  --new-password=NEW
```

**Password Requirements:**

- Minimum 12 characters
- At least 1 number
- At least 1 special character (!@#$%^&amp;\*-\_=+)

### Rotate Admin URL

[](#rotate-admin-url)

```
php vendor/ados-labs/enterprise-admin-panel/elf/url-rotate.php \
  --token=MASTER_TOKEN \
  --email=admin@example.com \
  --password=YOUR_PASSWORD \
  --reason="Scheduled rotation"
```

**Effects:**

- New 128-bit URL generated
- Old URL returns 404
- All admins notified via their preferred channel

### Create Emergency Access Token

[](#create-emergency-access-token)

```
php vendor/ados-labs/enterprise-admin-panel/elf/token-emergency-create.php \
  --token=MASTER_TOKEN \
  --email=admin@example.com \
  --password=PASSWORD \
  --name="Safe deposit box" \
  --expires=365
```

**Security:**

- ONE-TIME USE
- Bypasses password AND 2FA
- Store offline (print and secure)

### Use Emergency Token

[](#use-emergency-token)

```
php vendor/ados-labs/enterprise-admin-panel/elf/token-emergency-use.php \
  --token=EMERGENCY_TOKEN
```

Or via browser:

```
http://localhost:8080/emergency-login?token=YOUR_EMERGENCY_TOKEN

```

---

Notification System
-------------------

[](#notification-system)

### Channels

[](#channels)

ChannelConfigurationUse Cases**Email**SMTP settings2FA codes, URL rotation, alerts**Telegram**Bot token2FA codes, security alerts**Discord**Webhook URL2FA codes, team notifications**Slack**Webhook URL2FA codes, team notifications### Notification Types

[](#notification-types)

- **2FA Verification Codes** - 6-digit OTP, 5-minute expiry
- **URL Rotation** - New URL, reason, timestamp
- **Security Alerts** - Failed logins, suspicious activity
- **Recovery Tokens** - Emergency access instructions

### API

[](#api-1)

```
$notificationService = $container->get(NotificationService::class);

// Send 2FA code
$result = $notificationService->send2FACode($userId, $code, 'telegram');

// Send security alert
$notificationService->sendSecurityAlert($userId, 'Failed Login', [
    'ip' => $clientIp,
    'attempts' => 5,
]);

// Test channel connectivity
$result = $notificationService->testChannel('telegram', $chatId);

// Configure user channel
$notificationService->configureUserChannel($userId, 'discord', $discordUserId);
```

---

Security Features
-----------------

[](#security-features)

### URL Security

[](#url-security)

FeatureTraditionalThis PanelURL Pattern`/admin``/x-{random 32 hex}`Entropy0 bits128 bitsBrute ForceEasy2^128 combinations### CSRF Protection

[](#csrf-protection)

- Per-session CSRF tokens (256-bit)
- Constant-time comparison (`hash_equals`)
- Auto-regeneration available

```
// In views

// Validation (automatic in middleware)
$valid = $sessionService->verifyCsrfToken($sessionId, $_POST['_csrf']);
```

### Audit Logging

[](#audit-logging)

All actions are logged:

```
$auditService->log('login_success', $userId, [
    'ip' => $clientIp,
    'method' => '2fa_totp',
]);
```

Logged events:

- `login_success`, `login_failed`
- `2fa_enabled`, `2fa_disabled`
- `password_changed`
- `session_created`, `session_destroyed`
- `url_rotated`
- `emergency_token_created`, `emergency_token_used`

### Database Pool

[](#database-pool)

- Connection pooling with LIFO reuse
- Circuit breaker (trips on failures, auto-recovers)
- Distributed state via Redis
- Metrics and monitoring

```
$pool = $container->get(DatabasePool::class);

// Execute query with automatic connection management
$users = $pool->query('SELECT * FROM admin_users WHERE id = ?', [$id]);

// Pool stats
$stats = $pool->getStats();
// ['active' => 2, 'idle' => 8, 'total' => 10, 'circuit' => 'CLOSED']
```

---

Dashboard Features
------------------

[](#dashboard-features)

The admin dashboard includes real-time metrics:

- **Database Pool** - Connections, queries, circuit breaker state
- **Redis** - Workers, memory, commands
- **Audit Log** - Recent activity
- **System Info** - PHP version, memory usage

---

Project Structure
-----------------

[](#project-structure)

After installation:

```
myproject/
├── .env                 ← Configuration (APP_KEY, database, SMTP)
├── .gitignore           ← Ignores .env, vendor, etc.
├── composer.json
├── docker-compose.yml   ← (if you created it)
├── public/              ← Web root
│   ├── index.php        ← Entry point
│   ├── css/             ← Stylesheets
│   ├── js/              ← JavaScript
│   └── favicon.ico
└── vendor/              ← Dependencies

```

---

Services
--------

[](#services)

ServiceURLPurposePostgreSQLlocalhost:5432DatabaseRedislocalhost:6379Circuit breakerMailpitView 2FA emailsAdmin Panel(secret URL)Your admin panel---

Documentation
-------------

[](#documentation)

See the [`docs/`](docs/) folder:

- [Quick Start](docs/QUICK_START.md) - Get running fast
- [CLI Commands](docs/CLI-COMMANDS.md) - All CLI commands in detail
- [Performance](docs/PERFORMANCE.md) - OPcache, Redis, caching
- [Database](docs/DATABASE.md) - Database access and configuration
- [Architecture](docs/ARCHITECTURE.md) - System design

---

Development Setup (Package Maintainers)
---------------------------------------

[](#development-setup-package-maintainers)

If you're developing the package itself (not using it as a dependency), follow these steps:

### Prerequisites

[](#prerequisites)

Your test project must have **both** packages installed:

```
{
    "require": {
        "ados-labs/enterprise-admin-panel": "*",
        "ados-labs/enterprise-psr3-logger": "*"
    },
    "repositories": [
        {"type": "path", "url": "/path/to/enterprise-admin-panel", "options": {"symlink": true}},
        {"type": "path", "url": "/path/to/enterprise-psr3-logger", "options": {"symlink": true}}
    ]
}
```

### Get Admin URL (Development)

[](#get-admin-url-development)

**IMPORTANT:** Run the command from your **test project directory**, not from the package directory!

```
# CORRECT - from test project directory
cd /path/to/myproject
php /path/to/enterprise-admin-panel/elf/url-get.php \
  --token='master-xxxxx' \
  --email='admin@example.com' \
  --password='your_password'

# WRONG - this will fail with "Class not found"
cd /path/to/enterprise-admin-panel
php elf/url-get.php --token=... --email=... --password=...
```

**Why?** The CLI scripts need access to both `enterprise-admin-panel` AND `enterprise-psr3-logger` classes. Your test project's `vendor/autoload.php` has both, while the package's own `vendor/` only has its direct dependencies.

### After Modifying composer.json in the Package

[](#after-modifying-composerjson-in-the-package)

If you change `composer.json` in `enterprise-psr3-logger` or `enterprise-admin-panel` (e.g., removing/adding autoload files), you **must** reinstall in your test project:

```
cd /path/to/myproject
rm -rf vendor composer.lock
composer install
```

This refreshes the autoloader with the new configuration.

---

Troubleshooting
---------------

[](#troubleshooting)

### "DB\_PASSWORD is required"

[](#db_password-is-required)

Create `.env` with `DB_PASSWORD` before running the installer.

### "404 Not Found" on /admin

[](#404-not-found-on-admin)

Expected. Use the secret URL from installation.

### Lost the admin URL?

[](#lost-the-admin-url)

**If using as dependency:**

```
php vendor/ados-labs/enterprise-admin-panel/elf/url-get.php \
  --token=MASTER_TOKEN --email=EMAIL --password=PASSWORD
```

**If developing the package:**

```
cd /path/to/myproject  # Your test project with both packages
php /path/to/enterprise-admin-panel/elf/url-get.php \
  --token=MASTER_TOKEN --email=EMAIL --password=PASSWORD
```

### 2FA codes not arriving

[](#2fa-codes-not-arriving)

**Email:** Check Mailpit:

**Telegram:**

1. Verify bot token: `curl https://api.telegram.org/bot/getMe`
2. Verify chat ID: User must have sent `/start` to your bot

**Discord/Slack:** Test webhook manually with curl

### "Class not found" errors in CLI commands

[](#class-not-found-errors-in-cli-commands)

**Error:** `Class "AdosLabs\AdminPanel\Bootstrap" not found` or `Class "AdosLabs\EnterprisePSR3Logger\LoggerFacade" not found`

**Cause:** You're running the command from the wrong directory. The package's own `vendor/` doesn't include all required dependencies.

**Solution:** Run from your test project directory:

```
cd /path/to/myproject  # Has both packages installed
php /path/to/enterprise-admin-panel/elf/url-get.php --token=... --email=... --password=...
```

### "Failed to open stream: should\_log\_stub.php"

[](#failed-to-open-stream-should_log_stubphp)

**Error:** `require(...should_log_stub.php): Failed to open stream: No such file or directory`

**Cause:** The `composer.lock` file has stale autoload configuration after the package was updated.

**Solution:** Reinstall dependencies:

```
cd /path/to/myproject
rm -rf vendor composer.lock
composer install
```

### Connection refused

[](#connection-refused)

Make sure Docker services are running:

```
docker-compose up -d
docker-compose ps
```

---

License
-------

[](#license)

MIT License - see [LICENSE](LICENSE)

###  Health Score

32

—

LowBetter than 69% of packages

Maintenance73

Regular maintenance activity

Popularity0

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity43

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Unknown

Total

1

Last Release

154d ago

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/257125909?v=4)[ados\_labs](/maintainers/adoslabsproject-gif)[@adoslabsproject-gif](https://github.com/adoslabsproject-gif)

---

Top Contributors

[![adoslabsproject-gif](https://avatars.githubusercontent.com/u/257125909?v=4)](https://github.com/adoslabsproject-gif "adoslabsproject-gif (63 commits)")

---

Tags

adminadmin-dashboardenterpriseframeworkmodularphppsr12psr3security2fadashboardenterpriseadminmodularhmacpanelelfcryptographic

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Type Coverage Yes

### Embed Badge

![Health badge](/badges/ados-labs-enterprise-admin-panel/health.svg)

```
[![Health](https://phpackages.com/badges/ados-labs-enterprise-admin-panel/health.svg)](https://phpackages.com/packages/ados-labs-enterprise-admin-panel)
```

###  Alternatives

[cakephp/cakephp

The CakePHP framework

8.9k19.5M1.8k](/packages/cakephp-cakephp)[typo3/cms

TYPO3 CMS is a free open source Content Management Framework initially created by Kasper Skaarhoj and licensed under GNU/GPL.

1.2k1.9M122](/packages/typo3-cms)[typo3/cms-core

TYPO3 CMS Core

3713.2M5.1k](/packages/typo3-cms-core)[tempest/framework

The PHP framework that gets out of your way.

2.2k34.4k15](/packages/tempest-framework)[eliashaeussler/typo3-warming

Warming - Warms up Frontend caches based on an XML sitemap. Cache warmup can be triggered via TYPO3 backend or using a console command. Supports multiple languages and custom crawler implementations.

22260.2k](/packages/eliashaeussler-typo3-warming)[typo3/cms-adminpanel

TYPO3 CMS Admin Panel - The Admin Panel displays information about your site in the frontend and contains a range of metrics including debug and caching information.

115.7M66](/packages/typo3-cms-adminpanel)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
