biurad/php-security is a simple security authentication and authorization system for PHP 7.4+, developed using Symfony's Security Core and Biurad's Http Galaxy with optional support for Symfony's Security CSRF.
The goal of this project is to provide the same level of security Symfony's Security Http provides, but with great performance.
This project requires PHP 7.4 or higher. The recommended way to install, is via Composer. Simply run:
$ composer require biurad/security 1.*
Here is a simple example of how to use this library in your project:
use Biurad\Security\Authenticator;
use Biurad\Security\Authenticator\FormLoginAuthenticator;
use Biurad\Security\Token\CacheableTokenStorage;
use Biurad\Security\Token\PdoTokenProvider;
use Psr\Http\Message\ResponseInterface;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
use Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Role\RoleHierarchy;
use Symfony\Component\Security\Core\User\InMemoryUser;
use Symfony\Component\Security\Core\User\InMemoryUserProvider;
require_once __DIR__ . '/vendor/autoload.php';
$accessDecisionManager = new AccessDecisionManager([
new AuthenticatedVoter(new AuthenticationTrustResolver()),
new RoleVoter(),
new RoleHierarchyVoter(new RoleHierarchy(['ROLE_ADMIN' => ['ROLE_USER']]))
]);
$userProvider = new InMemoryUserProvider([
'divine' => [
'password' => 'foo',
'enabled' => true,
'roles' => ['ROLE_USER'],
],
]);
$hasherFactory = new PasswordHasherFactory([
InMemoryUser::class => ['algorithm' => 'plaintext'],
// Can more than one algorithm be used?
]);
$tokenStorage = new CacheableTokenStorage($session = new Session());
$rememberMeHandler = new RememberMeHandler('cookie-secret', new PdoTokenProvider('mysql://root:password@localhost:3306/test'));
$authenticators = [
// You can add the csrf authenticator
new FormLoginAuthenticator($userProvider, $hasherFactory, $rememberMeHandler),
new RememberMeAuthenticator($rememberMeHandler, $userProvider, true),
];
$request = \Biurad\Http\Factory\Psr17Factory::fromGlobalRequest();
$authenticator = new Authenticator($authenticators, $tokenStorage, $accessDecisionManager);
if (null !== $authenticator->getToken()) {
// Token is already set, so we're already authenticated, we can skip the authentication process.
}
try {
// The parameters which should be fetched from request ...
$credentials = ['_identifier', '_password', '_remember_me'];
$response = $authenticator->authenticate($request, $credentials);
// This means an error was caught by transformed into response
if ($response instanceof ResponseInterface) {
// ... You can emit response to the browser.
}
} catch (AuthenticationException $e) {
// You choose how you want to handle exception
}
if (null !== $token = $authenticator->getToken()) {
// ... You can use the token to access the user data.
if ($fromToken->hasAttribute($cookieId = RememberMeHandler::REMEMBER_ME)) {
$tokenCookies = $fromToken->getAttribute($cookieId);
if (!\is_array($tokenCookies)) {
$tokenCookies = [$tokenCookies];
}
// ... You can set the cookies to the browser.
}
}
For in-depth documentation before using this library. Full documentation on advanced usage, configuration, and customization can be found at docs.biurad.com.
Information on how to upgrade to newer versions of this library can be found in the UPGRADE.
SemVer is followed closely. Minor and patch releases should not introduce breaking changes to the codebase; See CHANGELOG for more information on what has changed recently.
Any classes or methods marked @internal
are not intended for use outside of this library and are subject to breaking changes at any time, so please avoid using them.
(This policy may change in the future and exceptions may be made on a case-by-case basis.)
- A new patch version released (e.g.
1.0.10
,1.1.6
) comes out roughly every month. It only contains bug fixes, so you can safely upgrade your applications. - A new minor version released (e.g.
1.1
,1.2
) comes out every six months: one in June and one in December. It contains bug fixes and new features, but it doesnβt include any breaking change, so you can safely upgrade your applications; - A new major version released (e.g.
1.0
,2.0
,3.0
) comes out every two years. It can contain breaking changes, so you may need to do some changes in your applications before upgrading.
When a major version is released, the number of minor versions is limited to five per branch (X.0, X.1, X.2, X.3 and X.4). The last minor version of a branch (e.g. 1.4, 2.4) is considered a long-term support (LTS) version with lasts for more that 2 years and the other ones cam last up to 8 months:
Get a professional support from Biurad Lap after the active maintenance of a released version has ended.
$ ./vendor/bin/phpunit
This will tests biurad/php-security will run against PHP 7.4 version or higher.
This project is primarily maintained by Divine Niiquaye Ibok. Contributions are welcome π·ββοΈ! To contribute, please familiarize yourself with our CONTRIBUTING guidelines.
To report a security vulnerability, please use the Biurad Security. We will coordinate the fix and eventually commit the solution in this project.
Are you interested in sponsoring development of this project? Reach out and support us on Patreon or see https://biurad.com/sponsor for a list of ways to contribute.
The biurad/php-security library is copyright Β© Divine Niiquaye Ibok and licensed for use under the .