
mwstake/mediawiki-component-token-authenticator
===============================================

Real time messaging

Version 1.2.1 (2mo ago) · GPL-3.0-only · PHP · CI passing · [1 issues](https://github.com/hallowelt/mwstake-mediawiki-component-token-authenticator/issues)

[Source](https://github.com/hallowelt/mwstake-mediawiki-component-token-authenticator) · [Packagist](https://packagist.org/packages/mwstake/mediawiki-component-token-authenticator)

Purpose in life
===============

This component provides everything needed to generate random tokens for users that can later be exchanged for user information.

Usage - User token
==================

Generate token
--------------

The REST API endpoint `/mws/v1/user-token/generate` can be used to generate a token for the user.

Client-side: `mws.tokenAuthenticator.generateToken( withIssuer )`.

Params:

- `withIssuer` - boolean - default: false. If `true`, the token will include info about the wiki (URL) that issued it, to be used as the target for verification when verifying the token. If used, [salt](#salt) must be used.

Verify token
------------

Call the REST API endpoint `/mws/v1/user-token/verify/{token}` to verify the token. If it is valid, you will receive info on the user that the token was issued for, including user ID, username, and other info.

### Verification when using salt

If the token was salted, you will need to decode it using the salt, and then base64-decode it. Pass only the `token` value from the decoded token object at verification time.

Salt
----

Configure `$GLOBALS['mwsgTokenAuthenticatorSalt'] = '';` in your `LocalSettings.php` file to salt the tokens issued by this service. This is recommended for security reasons. Note that tokens are only salted when so required, not by default.

When salted, the token structure changes: instead of a plain string token, the token is a base64-encoded JSON object that looks like this:

```
[
    'verifyCallback' => $callbackUrl,
    'token' => $token,
    'sig' => $signature,
]
```

Where:

- `verifyCallback` is the URL to call to verify the token, i.e. the wiki that generated it.
- `token` is the actual token.
- `sig` is the signature of the token, used to verify that its issuer is trustworthy. The signature is an HMAC value generated by hashing `verifyCallback . token` with the salt.
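
A receiving service should check `sig` before it trusts `verifyCallback`, since that URL decides where the token gets sent. The following is an added example, not code from this component: it assumes HMAC-SHA256 with hex output (the page does not name the algorithm or encoding), and `parseSaltedToken`, the salt, the URLs and the token value are all hypothetical, constructed for illustration.

```php
<?php
// Added example, not part of the component. Assumed: HMAC-SHA256, hex-encoded.

/**
 * Decode a salted token and return its fields only if the signature is valid
 * and the callback is one this service already knows. Returns null otherwise.
 */
function parseSaltedToken( string $encoded, string $salt, array $trustedCallbacks ): ?array {
	// Strict mode rejects input containing characters outside the base64 alphabet.
	$json = base64_decode( $encoded, true );
	$data = $json === false ? null : json_decode( $json, true );
	if ( !is_array( $data ) ) {
		return null;
	}
	foreach ( [ 'verifyCallback', 'token', 'sig' ] as $field ) {
		if ( !isset( $data[$field] ) || !is_string( $data[$field] ) ) {
			return null;
		}
	}
	// Recompute the HMAC over verifyCallback . token, keyed with the salt.
	$expected = hash_hmac( 'sha256', $data['verifyCallback'] . $data['token'], $salt );
	// hash_equals compares in constant time, so timing does not leak the signature.
	if ( !hash_equals( $expected, $data['sig'] ) ) {
		return null;
	}
	// Defence in depth: only ever call back to wikis on a configured list.
	if ( !in_array( $data['verifyCallback'], $trustedCallbacks, true ) ) {
		return null;
	}
	return $data;
}

// Constructed sample input, built the way the structure above describes.
$salt = 'example-salt-not-a-real-secret';
$callback = 'https://wiki.example.org/rest.php/mws/v1/user-token/verify';
$token = 'constructed-sample-token';
$sig = hash_hmac( 'sha256', $callback . $token, $salt );
$good = base64_encode( json_encode(
	[ 'verifyCallback' => $callback, 'token' => $token, 'sig' => $sig ]
) );
// Same token and signature, but with the callback swapped: the HMAC no longer matches.
$tampered = base64_encode( json_encode(
	[ 'verifyCallback' => 'https://other.example/verify', 'token' => $token, 'sig' => $sig ]
) );

var_dump( parseSaltedToken( $good, $salt, [ $callback ] ) !== null );     // bool(true)
var_dump( parseSaltedToken( $tampered, $salt, [ $callback ] ) !== null ); // bool(false)
var_dump( parseSaltedToken( 'not base64!', $salt, [ $callback ] ) );      // NULL
```

Only the `token` field of the returned array is passed on to the verify endpoint.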

Static token for service authentication
=======================================

For service-to-service authentication, you can use a static token.

Configure the token:

`$GLOBALS['mwsgTokenAuthenticatorServiceToken'] = 'api_test_8f42d1a6e0b34b78a2f1c3de9b123abc';`

Additionally, you can limit access to specific CIDR ranges by configuring:

`$GLOBALS['mwsgTokenAuthenticatorServiceCIDR'] = '127.0.0.1/32';`

This authentication only works for REST and Action API calls.

Include the header `Authorization: ApiKey {my_token}` when making calls.

Normally, just doing this does not give you access to any APIs; you need to whitelist them explicitly:

Action API:

```
$GLOBALS['mwsgTokenAuthenticatorServiceAllowedAPIModules'] = [
	ApiOpenSearch::class
];
```

REST API:

```
$GLOBALS['mwsgTokenAuthenticatorServiceAllowedRestPaths'] = [
	'/mws/v1/user-token/verify',
];
```

Configuring the user that the service token represents:

`$GLOBALS['mwsgTokenAuthenticatorServiceUser'] = 'ChatBot service user';`

This is the default user, and it will be created and configured automatically. If you want to use a different user, create it manually and set this variable to the username. Due to user token limitations, only "actual" (non-system) users can be used here.

Dynamic token for service authentication
========================================

Because the static token limits the number of APIs you can access, use a dynamic token to access the full range of APIs. This token is similar to a user token, but instead of being issued for a user, it is issued for a service, and can be used to authenticate the service on behalf of the "Service user".

These tokens are always encrypted and salted, so you will need to decode them first using the salt value to get the actual token and callbackUrl.

Generate using `/mws/v1/app-token/generate`.

When making requests, provide the header `Authorization: AppToken {decoded token}`. This will provide you with a full-access session.

Note that this will authenticate as the user `mwsgTokenAuthenticatorServiceUser`. It will give this user the `sysop` group, to ensure it can execute all APIs. If another user is assigned to this, make sure it is OK that this user gets the sysop group.

### Community

Maintainers: [dsavuljesku](/maintainers/dsavuljesku)

Top Contributors: [it-spiderman](https://github.com/it-spiderman) (11 commits), [HamishSlater](https://github.com/HamishSlater) (5 commits), [osnard](https://github.com/osnard) (2 commits)
