PHPackages matthewslouismarie/auth-abstractor - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. matthewslouismarie/auth-abstractor ActiveLibrary[Authentication & Authorization](/categories/authentication) matthewslouismarie/auth-abstractor ================================== Complete abstraction of credential and U2F authentication v1.1.0(8y ago)24[2 PRs](https://github.com/matthewslouismarie/auth-abstractor/pulls)PHPPHP >=7.1.0 Since Apr 17Pushed 3y ago1 watchersCompare [ Source](https://github.com/matthewslouismarie/auth-abstractor)[ Packagist](https://packagist.org/packages/matthewslouismarie/auth-abstractor)[ Docs](https://github.com/matthewslouismarie/auth-abstractor)[ RSS](/packages/matthewslouismarie-auth-abstractor/feed)WikiDiscussions master Synced yesterday READMEChangelogDependencies (18)Versions (8)Used By (0) auth-abstractor =============== [](#auth-abstractor) [![Build Status](https://camo.githubusercontent.com/fc4570b9b5bbe4df199cbe536428484916e59546fcadc272eb8638e137b5e35a/68747470733a2f2f7472617669732d63692e6f72672f6d617474686577736c6f7569736d617269652f617574682d61627374726163746f722e7376673f6272616e63683d6d6173746572)](https://travis-ci.org/matthewslouismarie/auth-abstractor)[![codecov](https://camo.githubusercontent.com/e4475bb4c3d8a78803690d904bd69f1ea9e034d2fb39069364d8e2d547402bb0/68747470733a2f2f636f6465636f762e696f2f67682f6d617474686577736c6f7569736d617269652f617574682d61627374726163746f722f6272616e63682f6d61737465722f67726170682f62616467652e737667)](https://codecov.io/gh/matthewslouismarie/auth-abstractor)[![Mutation Score](https://camo.githubusercontent.com/1211f31739fd6fd3ba843e65a6cf022d3f2941d22f2471125c0074c03e23d78b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6d75746174696f6e25323073636f72652d25334537302532352d627269676874677265656e2e737667)](https://camo.githubusercontent.com/1211f31739fd6fd3ba843e65a6cf022d3f2941d22f2471125c0074c03e23d78b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6d75746174696f6e25323073636f72652d25334537302532352d627269676874677265656e2e737667)[![Scrutinizer Code Quality](https://camo.githubusercontent.com/33b6f7b159086b77dc91f571232d41fd7bb9c14ae950f65e28943608329fe2e9/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6d617474686577736c6f7569736d617269652f617574682d61627374726163746f722f6261646765732f7175616c6974792d73636f72652e706e673f623d6d6173746572)](https://scrutinizer-ci.com/g/matthewslouismarie/auth-abstractor/?branch=master)[![Code Intelligence Status](https://camo.githubusercontent.com/6e0430bed615954fa0b2385f2c46e080981a10fd346fe660635f5019f0c2c229/68747470733a2f2f7363727574696e697a65722d63692e636f6d2f672f6d617474686577736c6f7569736d617269652f617574682d61627374726163746f722f6261646765732f636f64652d696e74656c6c6967656e63652e7376673f623d6d6173746572)](https://scrutinizer-ci.com/code-intelligence) ``` composer require matthewslouismarie/auth-abstractor ``` A PHP library which aims to completely abstract the authentication logic from your PHP web application. You won't even have to create the views! It does so by acting as a middleware. Simply pass it the HTTP request and you will get back an HTTP response along with an object of the class AuthenticationProcess. Documentation ------------- [](#documentation) You can browse *auth-abstractor*'s API documentation [here](https://matthewslouismarie.github.io/auth-abstractor/). Features -------- [](#features) - Web-framework-agnostic: *auth-abtractor* can be used with any web-framework, or without any web-framework at all! - Simple to use: *auth-abstractor* requires a minimal amount of code, even for handling entire authentication or registration processes (e.g. creating a registration page, or creating a login page). - Powerful features: *auth-abstractor* almost entirely abstracts the authentication and registration process. Only a few lines of code from your side are sufficient to create a full-fledged registration page, login page, etc. *auth-abstractor* takes care of displaying the views, hashing passwords, and verifying responses. - Customisable: *auth-abstractor* can easily be customised and extended. More ways to authenticate the user can easily be added, and default views can be customised or entirely replaced. How to use it ------------- [](#how-to-use-it) ### Overview [](#overview) To use it, you first need to create an `AuthenticationKernel` object. This object can be shared among your entire web application (and can be registered as a service). Now, when the user arrives on a page, let's say a login page, you need to create a new `AuthenticationProcess` object. You then pass this object, along with the HTTP request, to the `AuthenticationKernel` object you created earlier. The `AuthenticationKernel` returns an HTTP response and a new `AuthenticationProcess`. You store the `AuthenticationProcess` somehow (e.g. in session), and you send back to the user the HTTP response. Note: in *auth-abstractor*, by authentication, I mean authentication and registration. *[security-comparator](https://github.com/matthewslouismarie/security-comparator)* is a web application that makes use of *auth-abstractor* to abstract the entirety of the registration and the authentication process. You can even view [a one page example](https://github.com/matthewslouismarie/security-comparator/blob/master/symfony/src/Controller/TmpController.php) demonstrating the use of *auth-abstractor* with Symfony. ### Creating an `AuthenticationKernel` object [](#creating-an-authenticationkernel-object) You need to construct an `AuthenticationKernel` by passing an implementation of `IApplicationConfiguration` to its constructor. You are not obliged to define your own implementation of `IApplicationConfiguration` however. Instead, you can also simply pass it a `ApplicationConfiguration` object. ``` $kernel = new AuthenticationKernel(new ApplicationConfiguration( 'https://example.org', // HTTPS URL of your app (for U2F) 'https://example.org/assets', // Assets base URL // This function is responsible for fetching members from the database. // It must return null if the member does not exist. function (string $username) use ($repo): ?IMember { return $repo->findOneBy([ 'username' => $username, ]); } )); ``` `IMember` is an interface for members (users with an account) of your application. If you already have a class that represents your members, you can simply make it implements `IMember` as well. Otherwise, you can also use the convenience implementation `Member`. `AuthenticationKernel` is an object that can be common to your entire web applications, so you can register it as a service if your web application supports dependency injection (e.g. Symfony). ### Creating the Authentication Process [](#creating-the-authentication-process) The first time the user arrives on a page, say the login page, the authentication process does not exist. So you have to create it. It is advised to use the [AuthenticationProcessFactory](https://matthewslouismarie.github.io/classes/LM.AuthAbstractor.Factory.AuthenticationProcessFactory.html) to do that: ``` $authProcess = $kernel ->getAuthenticationProcessFactory() ->createProcess([ CredentialChallenge::class, // class that is part of auth-abstractor ] ); ``` You pass to `createProcess` an array of challenge class names. A challenge is a step in the authentication or registration process (e.g. a page asking for a password, or a page asking for the user to plug their U2F device in). These classes need to be implementations of `IChallenge`. You can define your owns of course. *auth-abstractor* comes with the following challenges: - `CredentialChallenge`, for asking the user for their username and password, - `CredentialRegistrationChallenge`, for asking the user to create an account and give a valid username and password, - `EmailChallenge`, for asking the user to enter a code sent to their email address. - `ExistingUsernameChallenge`, for asking the user for a valid, existing username. - `NamedU2fRegistrationChallenge`, same as `U2fChallenge`, but asks for a name, - `PasswordChallenge`, for asking the user for their password, - `PasswordUpdateChallenge`, for asking the user to find a new password, - `U2fChallenge`, for asking the user to confirm their identity with their U2F device. - `U2fRegistrationChallenge`, for asking the user to register a new U2F device. You can combine these (i.e. combine several of these in the array you pass to `AuthenticationProcessFactory`. Sometimes, a certain order is necessary: e.g. the username of the user must be known before `PasswordChallenge` gets processed. One way to do that is to put a `ExistingUsernameChallenge` before. Each challenge relies on a certain numbers of parameters being defined. You are pass the parameters when you create the authentication process using the authentication process factory. `AuthenticationProcessFactory` supports additional, optional parameters, for example, to specify the current user's username. ### Processing the Authentication Process [](#processing-the-authentication-process) You now need to call `processHttpRequest` of the AuthenticationKernel. You pass it: a [PSR-7 representation of the HTTP request](https://www.php-fig.org/psr/psr-7/), the created or retrieved authentication process, and a callback. The callback needs to be an implementation of `IAuthenticationCallback`, but you can simply instantiate a `Callback`. ``` $authResponse = $kernel->processHttpRequest( $httpRequest, $authProcess, // The $authProcess object just created or retrieved from session new Callback( function ($authProcess) { // if the user fails authenticating new Response('You tried too many login attempts!'); }, function ($authProcess) { // if the user succeeds logging in $_SESSION['logged_in'] = true; new Response('You\'re logged in!'); } ) ); ``` [Symfony provides tools for converting the Response and Request to and from PSR-7 objects.](https://symfony.com/doc/current/components/psr7.html) You can then store the new `AuthenticationProcess` somehow (e.g. in session) that you will retrieve later instead of instantiating a new `AuthenticationProcess`object. And of course, you return an HTTP response. ``` // store new auth_process in session $_SESSION['auth_process'] = $response->getAuthenticationProcess(); // display http response to user return $response->getHttpResponse(); ``` [You can see a complete example of the use of *auth-abstractor* here](https://github.com/matthewslouismarie/security-comparator/blob/41e6a420843d7aa6a00638bf98e1babde0aa2dba/symfony/src/Controller/TmpController.php#L38). ### Persisting the changes [](#persisting-the-changes) *auth-abstractor* never changes your application directly. It does not know whether what kind of DBMS you're using, or even if you use a database at all! However, at some point, it needs to be able to tell you of changes you should persist. For example, if you create an authentication process with the `CredentialRegistrationChallenge`, you need to persist somewhere the member who created their account! The way to do that is simply to call getPersistOperation() on the AuthenticationProcess object. From the callback's handleSuccessfulProcess() method: ``` foreach ($authProcess->getPersistOperations() as $operation) { if ($operation->getType()->is(new Operation(Operation::CREATE))) { $member = $operation->getObject(); if (is_a($member, IMember::class)) { // Saves $member in the database } } } ``` ### Assets [](#assets) In order for U2F registration and authentication to work, you will need [google-u2f-api.js](https://www.npmjs.com/package/google-u2f-api.js) and [jquery](https://www.npmjs.com/package/jquery). These files need to be in the folder which path is given by [getAssetUri()](https://github.com/matthewslouismarie/auth-abstractor/blob/a97f0a64d5f0f8760d133f34afcf2a44ab1aa082/src/LM/Authentifier/Configuration/IApplicationConfiguration.php#L11). Of course, you can override the U2F views with your very own views which can use different JavaScript libraries. TODOs ===== [](#todos) - Don't use hard-coded values to access the typed map - Challenges shouldn't reply on an implementation of IAuthenticationProcess - The library should be challenge-agnostic. (No part of the code should directly reference an IChallenge implementation, except classes used exclusively by challenges.) Currently, IApplicationConfiguration and IAuthenticationProcess are coupled with some IChallenge specifications. - Should challenges be able to access the typed map directly and modify it directly? The authentication handler could take care of this. This would mean challenges wouldn't need to worry about the validity of the typed map. But the keys and their associated types would need to be known by the auth handler. - Update Composer packages. ### Health Score 27 — LowBetter than 49% of packages Maintenance20 Infrequent updates — may be unmaintained Popularity6 Limited adoption so far Community7 Small or concentrated contributor base Maturity63 Established project with proven stability Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~12 days Total 2 Last Release 2934d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/d50ec63dc9db1d7c21cee514ab918fe647064aee0aaa767d380b3c9967ce9e36?d=identicon)[matthewslouismarie](/maintainers/matthewslouismarie) --- Top Contributors [![matthewslouismarie](https://avatars.githubusercontent.com/u/17742458?v=4)](https://github.com/matthewslouismarie "matthewslouismarie (209 commits)") --- Tags middlewareAuthenticationpasswordu2f ### Code Quality TestsPHPUnit Code StylePHP CS Fixer ### Embed Badge ![Health badge](/badges/matthewslouismarie-auth-abstractor/health.svg) ``` [![Health](https://phpackages.com/badges/matthewslouismarie-auth-abstractor/health.svg)](https://phpackages.com/packages/matthewslouismarie-auth-abstractor) ``` ### Alternatives [sylius/sylius E-Commerce platform for PHP, based on Symfony framework. 8.4k5.6M651](/packages/sylius-sylius)[contao/core-bundle Contao Open Source CMS 1231.6M2.4k](/packages/contao-core-bundle)[shopware/platform The Shopware e-commerce core 3.3k1.5M3](/packages/shopware-platform)[easycorp/easyadmin-bundle Admin generator for Symfony applications 4.3k16.7M310](/packages/easycorp-easyadmin-bundle)[prestashop/prestashop PrestaShop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. 9.0k15.4k](/packages/prestashop-prestashop)[ec-cube/ec-cube EC-CUBE EC open platform. 78527.0k1](/packages/ec-cube-ec-cube) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)