susheelhbti/laravel-user-admin
==============================

A Laravel package for OTP-based authentication with full user management admin API.


[Source](https://github.com/susheelhbti/laravel-user-admin) · [Packagist](https://packagist.org/packages/susheelhbti/laravel-user-admin)


🔐 laravel-user-admin
====================

**OTP-based authentication + full admin user-management REST API for Laravel**

---

**Author: Susheel Kumar** — available for **freelance & full-time** roles. 📧

✨ Features
----------

- 📧 Email OTP login with auto user registration
- 🔐 Sanctum access token + **refresh token rotation** with reuse detection
- 👥 Role & permission system (RBAC)
- 🔒 **TOTP two-factor authentication** + backup codes
- 📱 **Trusted device management** — skip 2FA on trusted devices
- 🛡️ Admin API — suspend, ban, impersonate, bulk actions
- 📊 Login history & admin audit logs with **Request IDs**
- 📤 CSV user export + 📥 **Bulk CSV/JSON import**
- 🗑️ **Account deletion with grace period**
- 🎉 **30+ named events** for Slack, webhooks, Datadog
- ❤️ **Health check** endpoint
- ⚙️ Fully configurable

---

Requirements
------------

- PHP 8.1+, Laravel 10 or 11, Laravel Sanctum 3+
- *(Optional)* `pragmarx/google2fa` for TOTP 2FA

---

Installation
------------

```
composer require susheelhbti/laravel-user-admin
```

Add the trait to your User model:

```
use Illuminate\Foundation\Auth\User as Authenticatable;
use Susheelhbti\LaravelUserAdmin\Traits\HasUserAdmin;

class User extends Authenticatable
{
    use HasUserAdmin;

    // Typed casts for the date and boolean columns listed here.
    protected $casts = [
        'suspended_until'       => 'datetime',
        'last_login_at'         => 'datetime',
        'two_factor_enabled'    => 'boolean',
        'deletion_requested_at' => 'datetime',
        'deletion_scheduled_at' => 'datetime',
    ];
}
```

Run migrations:

```
php artisan vendor:publish --tag=laravel-user-admin-migrations
php artisan migrate
```

Seed roles and permissions:

```
php artisan db:seed --class="Susheelhbti\\LaravelUserAdmin\\Database\\Seeders\\LaravelUserAdminSeeder"
```

Schedule commands (Laravel 11 `routes/console.php`):

```
use Illuminate\Support\Facades\Schedule;

Schedule::command('user-admin:clean-otps')->everyFifteenMinutes();
Schedule::command('user-admin:purge-accounts')->daily();
```

---

API Endpoints
-------------

### General

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/health` | DB status + version |

### Auth

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/api/auth/otp/send` | Send OTP |
| POST | `/api/auth/otp/verify` | Verify OTP → access + refresh tokens |
| POST | `/api/auth/logout` | Revoke all tokens |
| GET | `/api/auth/me` | Current user |
| POST | `/api/auth/token/refresh` | Rotate tokens |

### 2FA

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/auth/2fa/setup` | Generate TOTP secret + QR |
| POST | `/api/auth/2fa/confirm` | Enable 2FA |
| POST | `/api/auth/2fa/disable` | Disable 2FA |
| POST | `/api/auth/2fa/backup-codes/regenerate` | New backup codes |

**2FA login flow:** when 2FA is enabled, the first call to `/api/auth/otp/verify` returns a challenge instead of tokens:

```
{ "requires_2fa": true, "otp_id": 42, "message": "Two-factor authentication required." }
```

Re-submit with `totp_token` OR `backup_code` — no separate endpoint needed.
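
The 2FA login flow above from the client's side, as an added example that is not part of the package's README or code. `requires_2fa`, `otp_id`, `totp_token` and `backup_code` are taken from the text; the `email` and `otp` request fields, echoing `otp_id` back, and the token key names returned by the constructed stand-in server are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example. $post is any callable(string $path, array $body): array that
 * sends the POST and returns the decoded JSON. 'requires_2fa', 'otp_id',
 * 'totp_token' and 'backup_code' are from the README; the 'email' and 'otp'
 * request fields and echoing 'otp_id' back are assumptions.
 */
function verifyLogin(callable $post, string $email, string $otp, array $secondFactor = []): array
{
    $body  = ['email' => $email, 'otp' => $otp];
    $first = $post('/api/auth/otp/verify', $body);

    // No challenge: 2FA is off for this account and this response is final.
    if (($first['requires_2fa'] ?? false) !== true) {
        return $first;
    }

    // A challenge is not a login: keep nothing from $first except otp_id.
    $factor = array_intersect_key($secondFactor, ['totp_token' => true, 'backup_code' => true]);
    if (count($factor) !== 1) {
        throw new InvalidArgumentException('Supply exactly one of totp_token or backup_code.');
    }

    // Same endpoint and fields as the first call, plus the second factor.
    $second = $post('/api/auth/otp/verify', $body + ['otp_id' => $first['otp_id']] + $factor);
    if (($second['requires_2fa'] ?? false) === true) {
        throw new RuntimeException('Second factor was not accepted.');
    }
    return $second;
}

// Constructed stand-in for the API so the example runs offline (key names assumed).
$fakeApi = function (string $path, array $body): array {
    if (!isset($body['totp_token']) && !isset($body['backup_code'])) {
        return ['requires_2fa' => true, 'otp_id' => 42, 'message' => 'Two-factor authentication required.'];
    }
    return ['access_token' => 'constructed-access', 'refresh_token' => 'constructed-refresh'];
};

$tokens = verifyLogin($fakeApi, 'user@example.test', '123456', ['totp_token' => '000000']);
echo implode(', ', array_keys($tokens)), PHP_EOL;
```

In a real client, `$post` wraps the HTTP library in use and the second factor should never be written to logs.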

### Trusted Devices

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/auth/devices` | List |
| POST | `/api/auth/devices/trust` | Mark trusted |
| DELETE | `/api/auth/devices/{id}` | Revoke one |
| DELETE | `/api/auth/devices` | Revoke all |

### Account Deletion

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/api/auth/account/request-deletion` | Schedule deletion |
| POST | `/api/auth/account/cancel-deletion` | Cancel |

### Admin — Users

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/admin/users` | List (filter: status, role, search) |
| POST | `/api/admin/users` | Create |
| GET | `/api/admin/users/{id}` | Detail |
| PUT | `/api/admin/users/{id}` | Update |
| DELETE | `/api/admin/users/{id}` | Hard delete |
| DELETE | `/api/admin/users/{id}/soft` | Soft delete |
| GET | `/api/admin/users/export` | CSV download |
| POST | `/api/admin/users/import` | Bulk CSV/JSON import |

### Admin — Actions

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/api/admin/users/{id}/suspend` | Suspend |
| POST | `/api/admin/users/{id}/unsuspend` | Unsuspend |
| POST | `/api/admin/users/{id}/temporary-ban` | Temp ban |
| POST | `/api/admin/users/{id}/force-password-reset` | Force reset |
| POST | `/api/admin/users/{id}/remove-2fa` | Remove 2FA |
| POST | `/api/admin/users/{id}/terminate-sessions` | Kill sessions |
| GET | `/api/admin/users/{id}/login-history` | Login log |
| POST | `/api/admin/users/{id}/impersonate` | Impersonate |
| POST | `/api/admin/users/stop-impersonation` | Stop |

### Admin — Bulk

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/api/admin/users/bulk/suspend` | Bulk suspend |
| POST | `/api/admin/users/bulk/unsuspend` | Bulk unsuspend |
| POST | `/api/admin/users/bulk/assign-role` | Bulk role |
| POST | `/api/admin/users/bulk/delete` | Bulk delete |

### Admin — Stats

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/admin/statistics` | Counts by status/role |
| GET | `/api/admin/admin-logs` | Audit log |

---

🎉 Event System
--------------

```
use Susheelhbti\LaravelUserAdmin\Events\UserAdminEvents;
use Illuminate\Support\Facades\Event;

Event::listen(UserAdminEvents::LOGIN_SUCCESS, function (string $e, array $data) {
    logger("Login: {$data['email']} from {$data['ip']}");
});

Event::listen(UserAdminEvents::TOKEN_REUSE_DETECTED, function (string $e, array $data) {
    SlackAlert::send("Token reuse attack for user #{$data['user_id']}!");
});

Event::listen(UserAdminEvents::USER_CREATED, function (string $e, array $data) {
    CrmService::createContact($data['email']);
});
```

Every payload contains `event`, `fired_at`, `request_id`.

**All events:** `OTP_SENT`, `OTP_VERIFIED`, `OTP_FAILED`, `LOGIN_SUCCESS`, `LOGIN_FAILED`, `LOGOUT`, `TOKEN_REFRESHED`, `TOKEN_REUSE_DETECTED`, `TFA_ENABLED`, `TFA_DISABLED`, `TFA_FAILED`, `DEVICE_TRUSTED`, `DEVICE_REVOKED`, `SESSIONS_TERMINATED`, `USER_CREATED`, `USER_UPDATED`, `USER_DELETED`, `USER_SUSPENDED`, `USER_UNSUSPENDED`, `ACCOUNT_DELETION_REQUESTED`, `ACCOUNT_DELETION_COMPLETED`, `ACCOUNT_DELETION_CANCELLED`, `ADMIN_ACTION`, `IMPERSONATION_STARTED`, `IMPERSONATION_STOPPED`, `BULK_USERS_IMPORTED`, `BULK_USERS_SUSPENDED`, `BULK_USERS_DELETED`, `BULK_ROLE_ASSIGNED`, `EMAIL_SENT`, `EMAIL_FAILED`

---

Middleware
----------

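```
use Illuminate\Support\Facades\Route;
// The closures are placeholders for your own controllers or views.
Route::get('/dashboard', fn () => response()->json(['area' => 'dashboard']))->middleware(['auth:sanctum', 'user-admin.admin']);
Route::get('/mod-panel', fn () => response()->json(['area' => 'mod-panel']))->middleware(['auth:sanctum', 'user-admin.role:moderator']);
```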

---

Optional TOTP 2FA
-----------------

```
composer require pragmarx/google2fa
```

No extra configuration — auto-enabled once installed.

---

Artisan Commands
----------------

| Command | Schedule |
|---------|----------|
| `user-admin:clean-otps` | Every 15 min |
| `user-admin:purge-accounts` | Daily |

---

License
-------

MIT © [Susheel Kumar](mailto:susheelhbti@gmail.com)

