hawksama/module-oauth-security-plus
===================================

A not so lightweight Magento 2 module that restricts Admin API token creation to whitelisted IP addresses, enhancing store security.

Version 1.0.0, licensed OSL-3.0, written in PHP.

[Source](https://github.com/Hawksama/module-oauth-security-plus) · [Packagist](https://packagist.org/packages/hawksama/module-oauth-security-plus)

OAuth Security Plus for Magento 2
=================================


A powerful module that **whitelists IP addresses** for Magento 2 REST and SOAP Admin API token generation. Helps prevent unauthorized API access by ensuring only requests from trusted IPs can create admin tokens.

---

🚫 Why Attackers Try to Steal the Admin Token (OAuth Access Token)
-----------------------------------------------------------------


A stolen Admin OAuth Token gives attackers full control over your store, posing serious security risks:

1. **Order and Customer Data Theft**

    - Attackers can extract orders and customer data (emails, phone numbers, addresses).
    - Exposing personal data can lead to GDPR, CCPA, or other compliance violations.
2. **Fraudulent Order Manipulation**

    - Malicious actors may modify product prices or create fake discount rules.
    - They can also manipulate stock levels to disrupt product availability.
3. **Malicious Code Injection**

    - Attackers can use API access to inject malware or redirect customers to malicious sites.
    - This can jeopardize website integrity and user trust.
4. **Data Deletion or Ransomware**

    - They might delete all products, orders, or customer accounts.
    - Potentially demand ransom payments to restore lost data.
5. **DDoS or API Abuse**

    - Repeated API requests can slow down or crash your server, leading to downtime and lost revenue.

**In short, securing your API tokens is essential to protecting both your customers and your business.**

---

🌟 Overview
----------


This module intercepts OAuth Token creation requests and checks if the requesting IP is on a **whitelist**. If not, the request is blocked and logged. Key highlights:

- **Simple Whitelist Management** using CLI commands.
- **Logging** of unauthorized attempts and IP addresses.
- **Caching** for fast IP lookups.

---

🚀 Key Features
--------------

| Feature | Description |
| --- | --- |
| **OAuth IP Whitelisting** | Intercepts admin token requests and checks if the source IP is allowed. |
| **CLI Management** | Quickly add or remove IPs from the whitelist using `bin/magento` commands. |
| **Logging & Auditing** | Logs both allowed and blocked attempts, storing username & IP for reference. |
| **Caching for Performance** | Minimizes repeated config lookups for quick IP checks. |
| **Enabled/Disabled** | Easily turn the module on or off using config. |

---

🛠 Installation
--------------


### **Install via Composer**


The recommended way to install this module is via **Composer**.

```
composer require hawksama/module-oauth-security-plus
```

---

⚙️ CLI Usage
------------


```
Usage:
 hawksama:api-whitelist:add [ip1] [ip2] [ip3] ...
 hawksama:api-whitelist:remove [ip1] [ip2] [ip3] ...
 hawksama:api-whitelist:list

Arguments:
 ip1-ipN        One or more IPv4 or IPv6 addresses to be added or removed
```

Example commands:

```
# 1) Add 203.0.113.10 and 198.51.100.25 to the whitelist
bin/magento hawksama:api-whitelist:add 203.0.113.10 198.51.100.25

# 2) Remove 203.0.113.10 and 198.51.100.25 from the whitelist
bin/magento hawksama:api-whitelist:remove 203.0.113.10 198.51.100.25

# 3) Remove a single IP from the whitelist
bin/magento hawksama:api-whitelist:remove 1.1.1.1

# 4) List all IPs stored in database
bin/magento hawksama:api-whitelist:list
```

---

🛠 Use Cases
-----------


### 🔒 Production Security


- **Restrict OAuth (API) Token Generation**: Only whitelisted IPs can generate admin tokens.

### 🏗️ Development & Staging

- **Block Public Access**: Keep staging credentials safe from the public internet.

### 🕵️ Auditing & Analytics

- **Track Attempts**: Log who’s creating tokens, from where, and how often.

---

❓ FAQ
-----


1. **Does it block the entire Admin login?**
    - No, it only blocks admin OAuth (API) token creation. The web-based Admin UI remains unaffected.
2. **How do I add IPv6 addresses?**
    - IPv6 is supported as long as you pass the proper string format. For advanced subnet rules, consider extending the plugin.
3. **Where is the log file stored?**
    - By default, unauthorized attempts are logged in `var/log/api_security_plus.log`.

---

🧰 Technical Details
-------------------


- **Compatibility**: Magento 2.4.x
- **Code Quality**:
    ✅ PHPStan (Level 8)
    ✅ PHPMD
    ✅ PHP\_CodeSniffer (Magento Coding Standard)
    ✅ PHP Magic Number Detector

    [![Code Analysis](media/code-analysis.png)](media/code-analysis.png)
- **Caching**: IP addresses are cached for faster lookups, cleared when new IPs are added or removed.
- **Technology**: Uses a plugin on `AdminTokenServiceInterface::createAdminAccessToken`
- **Extendable**: You can augment or replace the plugin logic if you need more complex checks.
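As an added illustration of the interception point named above (this is example code, not the module's own source): a Magento 2 "before" plugin on `AdminTokenServiceInterface::createAdminAccessToken` that rejects token requests from addresses outside a whitelist and logs both outcomes with username and IP. The namespace, class name and the inline whitelist are hypothetical; a real module would load the list from configuration or the database, as this one does.

```php
<?php
declare(strict_types=1);
namespace Example\OauthIpGuard\Plugin;   // hypothetical vendor/module namespace

use Magento\Framework\Exception\AuthenticationException;
use Magento\Framework\HTTP\PhpEnvironment\RemoteAddress;
use Magento\Integration\Api\AdminTokenServiceInterface;
use Psr\Log\LoggerInterface;

// Registered in etc/di.xml as a plugin on AdminTokenServiceInterface.
class RestrictAdminTokenByIp
{
    public function __construct(
        private RemoteAddress $remoteAddress,
        private LoggerInterface $logger,
        private array $whitelist = ['203.0.113.10', '2001:db8::10'], // constructed sample list
    ) {}

    // "before" plugin: throwing here stops the original method, so no token is issued.
    public function beforeCreateAdminAccessToken(
        AdminTokenServiceInterface $subject,
        string $username,
        string $password
    ): array {
        // RemoteAddress honours Magento's trusted-proxy settings; never read
        // X-Forwarded-For directly, since any client can set that header.
        $ip = (string) $this->remoteAddress->getRemoteAddress();
        if (!self::isWhitelisted($ip, $this->whitelist)) {
            $this->logger->warning('Admin token request blocked', ['user' => $username, 'ip' => $ip]);
            throw new AuthenticationException(__('Token generation is not permitted from this address.'));
        }
        $this->logger->info('Admin token request allowed', ['user' => $username, 'ip' => $ip]);
        return [$username, $password];   // pass the original arguments through unchanged
    }

    // Compare packed binary forms so "2001:DB8::10" and "2001:db8:0:0::10" are equal.
    public static function isWhitelisted(string $ip, array $whitelist): bool
    {
        $packed = @inet_pton($ip);
        if ($packed === false) {
            return false;   // empty or unparsable address: fail closed
        }
        foreach ($whitelist as $allowed) {
            if (@inet_pton($allowed) === $packed) {
                return true;
            }
        }
        return false;
    }
}
```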

---

📮 Support & Contribution
----------------------------

- **Issues**: [GitHub Issues](https://github.com/Hawksama/OauthSecurityPlus/issues) (if available)
- **Email**:
- **Contributions**: Pull requests welcome! Please follow Magento & PSR standards.

---

> **Protect your Magento 2 store by limiting OAuth Admin Token generation to trusted IPs—simple, fast, and secure.**
