


webiny/login
============

Login application that uses Webiny Framework Security component.

v1.0.1 (8y ago) · 17572 · MIT · PHP >=7.0

Since Sep 4 · Pushed 8y ago · 9 watchers

[Source](https://github.com/Webiny/Login) · [Packagist](https://packagist.org/packages/webiny/login) · [Docs](http://www.webiny.com/) · [RSS](/packages/webiny-login/feed)


Webiny Login
============


This is an application that provides an additional control layer on top of the [Webiny Framework Security](https://github.com/Webiny/Security) component. The application standardizes the login process and stores user tokens statelessly, making it suitable for RESTful and mobile applications.

Some of the built-in features:

- sessions are stored in database and can be revoked at any point
- authorized devices are also stored in database and can be revoked at any point
- login whitelist and blacklist based on client IP
- rate limit control
- stateless login validation for RESTful application
- only whitelisted devices can log in (optional)

Sample config
-------------


```
Login:
    SecurityFirewall: Admin
    ValidateDevice: true
    BlockThreshold: 6
    BlockTimelimit: 10
    DeviceTtl: 90
    RateLimitBlacklist:
        - 123.123.123.123
    RateLimitWhitelist:
        - 127.0.0.1
        - 192.168.1.1
        - 10.0.2.2
```

- **SecurityFirewall**: defines which `Security.Firewall` to use for user authentication
- **ValidateDevice**: whether the device must be whitelisted before the user can log in
- **BlockThreshold**: after how many bad login attempts the client is blocked from submitting any new login requests (a client is identified by the username+IP combination)
- **BlockTimelimit**: for how many minutes the client stays blocked from submitting additional login attempts
- **DeviceTtl**: how long (in days) the device session stays valid (used only if ValidateDevice is turned on)
- **RateLimitBlacklist**: list of IPs that are permanently blocked from submitting login requests
- **RateLimitWhitelist**: list of IPs that are excluded from the rate limit control

Setup
-----


The Login app requires the following Webiny Framework components:

- [Entity](https://github.com/Webiny/Entity)
- [Http](https://github.com/Webiny/Http)
- [Mongo](https://github.com/Webiny/Mongo)
- [Security](https://github.com/Webiny/Security)
- [Rest](https://github.com/Webiny/Rest) (optional: only if the login RESTful service is used)

Mongo Indexes
-------------


Create the following indexes in your MongoDB database (both collections are looked up by these fields on every login attempt):

```
db.getCollection('LoginMeta').createIndex({username: 1});
db.getCollection('LoginRateControl').createIndex({ip: 1});
```

#### Example setup

```
\Webiny\Component\Security\Security::setConfig('./securityConfig.yaml');
\Webiny\Component\Mongo\Mongo::setConfig('./mongoConfig.yaml');
\Webiny\Component\Entity\Entity::setConfig('./entityConfig.yaml');

$security = \Webiny\Component\Security\Security::getInstance();
$loginConfig = \Webiny\Component\Config\Config::getInstance()->yaml('./loginConfig.yaml');

$login = new \Webiny\Login\Login($security, $loginConfig);
```

Once you have the login instance, you can access the methods inside the class directly:

```
// check if we have the auth cookie and device cookie
$authCookie = \Webiny\Component\Http\Cookie::getInstance()->get('auth-token');
$deviceToken = \Webiny\Component\Http\Cookie::getInstance()->get('device-token');

if ($authCookie && $deviceToken) {
    // existing session: resolve the user behind the auth token
    try {
        $user = $login->getUser($authCookie, $deviceToken);
    } catch (\Webiny\Login\LoginException $le) {
        // token rejected (revoked, expired or device not allowed): treat as not logged in
        $user = null;
    } catch (\Exception $e) {
        // unexpected failure (storage, configuration, ...): log it and treat as not logged in
        $user = null;
    }
} else {
    // process login; $username and $authProvider come from the incoming request
    try {
        $login->processLogin($username, $deviceToken, $authProvider);

        // if login is successful, return device and auth tokens
        $authToken = $login->getAuthToken();
        return [
            'authToken'   => $authToken,
            'deviceToken' => $deviceToken
        ];
    } catch (\Webiny\Login\LoginException $le) {
        // login refused (rate limit, blocked account, bad credentials, unknown device, ...)
        $errorMsg = $le->getMessage();
    } catch (\Exception $e) {
        return $e;
    }
}
```

#### Security setup


Note that the Security component must be configured to use the `Stateless` token storage, and the firewall named in `SecurityFirewall` must reference that token:

```
Security:
    Tokens:
        Stateless:
            StorageDriver: \Webiny\Component\Security\Token\Storage\Stateless # storage driver needs to be set to stateless
            SecurityKey: SecretKey # use a long random secret here, not a placeholder
    Firewall:
        Admin:
            Token: Stateless
```

Login services
--------------


You can use the Login app as a RESTful service by extending the `\Webiny\Login\LoginServices` abstract class and registering it with the `Webiny Framework Rest` component (see `app/services.php` for a sample implementation).

### POST `processLogin`


This method processes the login request and returns either a login error, or in case of a success, `authToken` and `deviceToken`.

The method takes the following parameters via POST:

- username
- password
- authProvider (optional - defines the name of auth provider inside `Security.Firewall` that should be used to process the request)
- deviceToken (optional - required only if ValidateDevice is turned on)

Login error codes:

- `1`: Rate limit reached.
- `2`: User account is blocked.
- `3`: Invalid credentials.
- `4`: User hasn't confirmed their account.
- `5`: The current device is not on the allowed list.
- `99`: Either username or password is missing.

### POST `getDeviceValidationToken`


For the provided username, returns `deviceValidationToken`.

The device validation token is something that can be emailed or sent to the user via SMS or some other form of communication.

The method takes the following parameters via POST:

- username

### POST `validateDeviceValidationToken`


Validates the provided `deviceValidationToken` for the given username. If the token matches, a `deviceToken` is returned. This device token must then be passed to the `processLogin` method in order to pass the ValidateDevice check.

The method takes the following parameters via POST:

- username
- deviceValidationToken
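The three services above form one procedure when `ValidateDevice` is on: `processLogin` fails with code `5` for an unknown device, `getDeviceValidationToken` issues a validation token that you deliver to the user yourself, and `validateDeviceValidationToken` exchanges it for the `deviceToken` that makes the next `processLogin` succeed. The following is an added example of backend-side glue driving that exchange over HTTP; it is not code from the webiny/login project. The base URL, the JSON reply shape (`errorCode`/`message` on failure, `authToken`/`deviceToken` on success), the `$deliver` callback and the function names are assumptions to adapt to how you expose your `LoginServices` subclass.

```php
<?php
// Added example (not part of webiny/login): backend-side glue for the
// processLogin / getDeviceValidationToken / validateDeviceValidationToken flow.
// Assumed: base URL, JSON reply shape, and the out-of-band delivery callback.
declare(strict_types=1);

const LOGIN_BASE_URL = 'https://api.example.test/login'; // assumed

// Error codes as listed in the README.
const ERR_RATE_LIMIT         = 1;
const ERR_ACCOUNT_BLOCKED    = 2;
const ERR_INVALID_CREDS      = 3;
const ERR_NOT_CONFIRMED      = 4;
const ERR_DEVICE_NOT_ALLOWED = 5;
const ERR_MISSING_FIELDS     = 99;

/** POST form fields to one login service and decode its JSON reply (shape assumed). */
function callLoginService(string $method, array $fields): array
{
    $ch = curl_init(LOGIN_BASE_URL . '/' . $method);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep certificate checks on for a login endpoint
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Request to $method failed: $err");
    }
    $reply = json_decode((string) $body, true);
    if (!is_array($reply)) {
        throw new RuntimeException("Unexpected reply from $method");
    }
    return $reply;
}

/**
 * Step 1: attempt the login. $deviceToken is whatever this backend persisted for
 * the client from an earlier successful device validation, or null.
 * $deliver($username, $validationToken) is your email/SMS sender (assumed).
 */
function startLogin(string $username, string $password, ?string $deviceToken, callable $deliver): array
{
    $fields = ['username' => $username, 'password' => $password];
    if ($deviceToken !== null) {
        $fields['deviceToken'] = $deviceToken;
    }
    $reply = callLoginService('processLogin', $fields);

    if (!isset($reply['errorCode'])) {
        return ['status' => 'ok', 'authToken' => $reply['authToken'], 'deviceToken' => $reply['deviceToken']];
    }
    $code = (int) $reply['errorCode'];
    if ($code === ERR_DEVICE_NOT_ALLOWED) {
        // Unknown device: fetch a validation token and hand it to the user out of
        // band. It must not be returned to the unauthenticated client, otherwise
        // the device check proves nothing.
        $token = callLoginService('getDeviceValidationToken', ['username' => $username]);
        $deliver($username, $token['deviceValidationToken']);
        return ['status' => 'device_validation_pending'];
    }
    // Design choice: codes 1, 2 and 3 are shown to the client as one generic
    // "login failed" message so the reply does not reveal which accounts exist
    // or are currently throttled; the exact code still goes to your logs.
    $generic = in_array($code, [ERR_RATE_LIMIT, ERR_ACCOUNT_BLOCKED, ERR_INVALID_CREDS], true);
    return ['status' => 'error', 'code' => $code, 'generic' => $generic];
}

/**
 * Step 2 (a later request): the user typed in the validation token they
 * received. Exchange it for a deviceToken; the caller then persists that token
 * for the client and calls startLogin() again with it.
 */
function completeDeviceValidation(string $username, string $validationToken): ?string
{
    $reply = callLoginService('validateDeviceValidationToken', [
        'username'              => $username,
        'deviceValidationToken' => $validationToken,
    ]);
    return empty($reply['deviceToken']) ? null : (string) $reply['deviceToken'];
}
```

The two steps are deliberately separate functions because they run in different requests: the validation token travels to the user by email or SMS, so the exchange in `completeDeviceValidation` only happens once the user comes back with it, and the password is re-submitted with the retried login rather than being held server-side in between.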

### POST `getAccountActivationToken`


If a user's account is not activated, you need to request an activation token. Usually this token is then emailed to the user inside an activation link.

The method takes the following parameters via POST:

- username

### POST `validateAccountActivationToken`


Validates the provided activation token and either returns a success message, or an error stating that the token is not valid.

The method takes the following parameters via POST:

- username
- accountActivationToken

### POST `logout`


Invalidates the provided auth token for the given user.

The method takes the following parameters via POST:

- username
- authToken (the auth token returned by processLogin)

### POST `generateForgotPasswordResetToken`


Generates a forgot-password reset token for the given username; building the reset link and delivering it is up to you.

The method takes the following parameters via POST:

- username

What doesn't it do
------------------


The Login app doesn't:

- store any cookies or sessions, so all `remember me` features need to be done on your end
- need to know your users' passwords; password handling is done by the `Security` class
- email any links (forgot password, activate account, 2FA tokens); login only generates the tokens, the delivery is up to you
- do any authorization, only authentication
- provide any visuals, only a class and a RESTful service
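Since cookie handling is left to the integrator, the way the returned tokens are stored decides whether the revocable server-side sessions above are worth anything: a token that a script can read or that leaks over plain HTTP is as good as stolen. The following is an added example (not part of webiny/login) of writing the two tokens into cookies with the attributes a practitioner would want. The cookie names match the README's own snippet (`auth-token`, `device-token`); the lifetimes and function names are assumptions, and the device cookie lifetime mirrors the `DeviceTtl: 90` of the sample config.

```php
<?php
// Added example (not part of webiny/login): hardened cookie storage for the
// tokens returned by processLogin. Lifetimes are assumptions; the cookie
// names are the ones the README's own snippet reads back.
declare(strict_types=1);

const AUTH_COOKIE   = 'auth-token';
const DEVICE_COOKIE = 'device-token';

/** Common attributes: HTTPS-only, invisible to JavaScript, not sent cross-site. */
function tokenCookieOptions(int $expiresAt): array
{
    return [
        'expires'  => $expiresAt,
        'path'     => '/',
        'secure'   => true,      // never transmit over plain HTTP
        'httponly' => true,      // document.cookie cannot read it (limits XSS impact)
        'samesite' => 'Strict',  // not attached to cross-site requests (limits CSRF)
    ];
}

/**
 * Store the tokens from a successful processLogin call.
 * $tokens has the shape returned in the README's snippet:
 * ['authToken' => ..., 'deviceToken' => ...].
 */
function storeLoginTokens(array $tokens, int $now = null): bool
{
    $now = $now ?? time();
    // Auth token: short-lived in the browser (assumed 1 hour); the session it
    // represents can additionally be revoked server-side at any time.
    $ok = setcookie(AUTH_COOKIE, (string) $tokens['authToken'], tokenCookieOptions($now + 3600));
    // Device token: lives as long as the configured DeviceTtl (90 days in the
    // sample config), so the device does not need to be re-validated each login.
    if (!empty($tokens['deviceToken'])) {
        $ok = setcookie(DEVICE_COOKIE, (string) $tokens['deviceToken'], tokenCookieOptions($now + 90 * 86400)) && $ok;
    }
    return $ok;
}

/**
 * Expire the auth cookie on logout. The device cookie is kept on purpose:
 * the device stays trusted until DeviceTtl runs out or it is revoked server-side.
 * Pair this with the logout service so the token is also invalidated there.
 */
function clearAuthCookie(int $now = null): bool
{
    $now = $now ?? time();
    return setcookie(AUTH_COOKIE, '', tokenCookieOptions($now - 3600));
}
```

The options-array form of `setcookie()` (needed for `samesite`) requires PHP 7.3 or newer, whereas the package itself only declares PHP >=7.0; on older runtimes the `SameSite` attribute has to be appended to the `Set-Cookie` header by hand.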

### Health Score

31 (Low; better than 66% of packages)

- Maintenance: 20 (infrequent updates, may be unmaintained)
- Popularity: 15 (limited adoption so far)
- Community: 17 (small or concentrated contributor base)
- Maturity: 62 (established project with proven stability)
- Bus factor: 1 (top contributor holds 50% of commits, a single point of failure)


### Release Activity

- Cadence: every ~157 days (recently: every ~196 days)
- Total releases: 6
- Last release: 3169d ago
- Major versions: 0.2.x-dev → v1.0.0 (2017-09-29)
- PHP version history (2 changes): 0.1.x-dev requires PHP >=5.5.9; v1.0.0 requires PHP >=7.0

### Community

Maintainers: [SvenAlHamad](/maintainers/SvenAlHamad)

Top contributors: [SvenAlHamad](https://github.com/SvenAlHamad) (8 commits), [Pavel910](https://github.com/Pavel910) (6 commits), [adrians5j](https://github.com/adrians5j) (2 commits)

Tags: authentication, authorization, login

### Code Quality

Tests: PHPUnit



PHPackages © 2026

