Authentication, authorization and access control for PHP
Features
- Multiple authorization strategies, like groups (for ACL) and levels.
- Authorization context (e.g. “is the user an admin of this team”).
- PSR-14 events for login and logout.
- PSR-15 middleware for access control.
- Session invalidation, explicit or implicit (e.g. after password change).
- Multi-factor authentication support.
- JWT and Bearer authentication support.
- Confirmation tokens for sign up confirmation and forgot-password.
- PSR-3 logging of interesting events.
- Customizable to meet the requirements of your application.
Installation
Install using composer
composer require jasny/auth
Usage
Auth is a composition class. It takes an authz, storage, and optionally a confirmation service.
use Jasny\Auth\Auth;
use Jasny\Auth\Authz\Levels;
$levels = new Levels(['user' => 1, 'moderator' => 10, 'admin' => 100]);
$storage = new AuthStorage(); // See `setup` docs for this class
$auth = new Auth($levels, $storage);
session_start();
$auth->initialize();
// Later...
if (!$auth->is('admin')) {
    http_response_code(403);
    echo "Access denied";
    exit();
}
The Auth service isn’t usable until it’s initialized. This should be done after the session is started.
session_start();
$auth->initialize();
Context
It’s possible to authorize in the context of a team or organization. Rather than checking if a user is a manager in the application, you’d verify if the user is a manager of the team.
$team = $storage->fetchContext($teamId);
if (!$auth->inContextOf($team)->is('manager')) {
    http_response_code(403);
    echo "Access denied";
    exit();
}
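Why the context matters for access control, shown as an added example that is not part of jasny/auth or its documentation: a stand-alone model of level-based checks in which the role is resolved per team. The `SampleUser` class, the `isAllowed()` function, the role names and the team ids are hypothetical, and the model assumes a check passes when the user's level is at least the required level.

```php
<?php
declare(strict_types=1);

// Simplified model of level-based, context-aware authorization.
// Not jasny/auth code: classes, role names and team ids are constructed.
const LEVELS = ['member' => 1, 'manager' => 10, 'admin' => 100];

final class SampleUser
{
    /** @param array<string,string> $teamRoles team id => role within that team */
    public function __construct(
        private string $globalRole,
        private array $teamRoles = [],
    ) {}

    // Role for a given team, or the application-wide role when no team is given.
    // In this model a user without membership in the team gets null.
    public function roleIn(?string $teamId): ?string
    {
        return $teamId === null
            ? $this->globalRole
            : ($this->teamRoles[$teamId] ?? null);
    }
}

// True when the user's level in the given context is at least the required level.
// Unknown roles and missing memberships fail closed.
function isAllowed(SampleUser $user, string $required, ?string $teamId = null): bool
{
    $role = $user->roleIn($teamId);
    if ($role === null
        || !array_key_exists($role, LEVELS)
        || !array_key_exists($required, LEVELS)) {
        return false;
    }
    return LEVELS[$role] >= LEVELS[$required];
}

$alice = new SampleUser('member', ['team-a' => 'manager', 'team-b' => 'member']);

var_dump(isAllowed($alice, 'manager'));            // application-wide check
var_dump(isAllowed($alice, 'manager', 'team-a'));  // team she manages
var_dump(isAllowed($alice, 'manager', 'team-b'));  // team where she is only a member
var_dump(isAllowed($alice, 'member', 'team-c'));   // team she does not belong to
var_dump(isAllowed($alice, 'owner', 'team-a'));    // role not defined in LEVELS
```

Only the `team-a` check succeeds: being a manager of one team grants nothing in another team or at the application level, which is the distinction the context check is there to enforce.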