{"id":18285504,"url":"https://github.com/bemit/auth-middleware","last_synced_at":"2025-09-06T17:41:09.302Z","repository":{"id":62492959,"uuid":"376316667","full_name":"bemit/auth-middleware","owner":"bemit","description":"Custom PSR Middleware for multi project auth \u0026 auth with Auth0.","archived":false,"fork":false,"pushed_at":"2021-12-18T11:13:52.000Z","size":31,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-11T05:04:44.926Z","etag":null,"topics":["auth0","php","psr-middleware"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bemit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-06-12T14:56:11.000Z","updated_at":"2021-12-18T11:13:47.000Z","dependencies_parsed_at":"2022-11-02T09:30:55.383Z","dependency_job_id":null,"html_url":"https://github.com/bemit/auth-middleware","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/bemit/auth-middleware","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bemit%2Fauth-middleware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bemit%2Fauth-middleware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bemit%2Fauth-middleware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bemit%2Fauth-middleware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bemit","download_url":"https://codeload.github.com/bemit/auth-middleware/tar.gz/refs/heads
/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bemit%2Fauth-middleware/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273939380,"owners_count":25194925,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-06T02:00:13.247Z","response_time":2576,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth0","php","psr-middleware"],"created_at":"2024-11-05T13:16:53.009Z","updated_at":"2025-09-06T17:41:09.253Z","avatar_url":"https://github.com/bemit.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Auth0 Service and Middleware\n\n[![Latest Stable Version](http://poser.pugx.org/bemit/auth-middleware/v)](https://packagist.org/packages/bemit/auth-middleware) [![License](http://poser.pugx.org/bemit/auth-middleware/license)](https://packagist.org/packages/bemit/auth-middleware)\n\nSome custom auth middleware to support multiple tenants (a tenant is then a `project`) and multiple \"providing services\" against which a user in a project is identified and maybe authorized. Built with / around [auth0](https://auth0.com) and some (not published) custom identity provider.\n\nRequires `psr/http-client`, `psr/http-factory` and `psr/log` implementations.\n\nMade for stateless PHP APIs, not for PHP session auth. 
Uses one Auth0 SPA Application which produces/verifies the access token, and an optional Auth0 Server Application which is used to authenticate against the Auth0 Management API.\n\n```shell\ncomposer require bemit/auth-middleware\n```\n\n## `Bemit\\AuthMiddleware\\Auth0Service`\n\nProvides the Auth0 management API client; if it is not used, it doesn't need to be configured.\n\n- for constructor check [example dependencies definition](#dependencies)\n- `management(): Management`\n\n## `Bemit\\AuthMiddleware\\AuthService`\n\nProvides the verifier for client access tokens.\n\n- for constructor check [example dependencies definition](#dependencies)\n- `validate(string $token, ?string $audience = null): ?ValidateResult` to verify a token\n    - the token must be pure, e.g. without `Bearer `\n    - if `audience` is specified, this audience is used to verify the token; it must be in `allowed_audiences`\n- `isAudienceAllowed(string $audience): bool`\n\n## `Bemit\\AuthMiddleware\\AuthMiddleware`\n\nA PSR Middleware that extracts the access token and maybe an audience from headers, verifies it and adds the validation result to the request attributes.\n\nIf e.g. the audience is not allowed, returns `401` with a JSON response containing the reason. **No special handling** when the token is invalid: check inside your request handler and throw/respond accordingly. 
**Catches throws** of `NotAuthorizedException` and responds with `401`, with `{error: string, reason: string}`, where `reason` is the optional exception message.\n\n- `__construct(AuthService $auth, Psr\\Http\\Message\\ResponseFactoryInterface $response, Psr\\Http\\Message\\StreamFactoryInterface $stream)`\n- `process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface`\n\nUses headers:\n\n- `AUDIENCE` to optionally specify a custom audience id\n- `AUTHORIZATION` the access token in `Bearer THE_TOKEN_A1234` format\n\nAdding attributes when authenticated:\n\n- `auth_token_data` as [`Bemit\\AuthMiddleware\\TokenData`](https://github.com/bemit/auth-middleware/blob/master/src/ValidateResult/TokenData.php)\n- `auth_user_data` as [`Bemit\\AuthMiddleware\\UserData`](https://github.com/bemit/auth-middleware/blob/master/src/ValidateResult/UserData.php)\n- `auth_project` as [`Bemit\\AuthMiddleware\\ProjectData`](https://github.com/bemit/auth-middleware/blob/master/src/ValidateResult/ProjectsData.php)\n- `auth_id` as `string` with the `sub` (user-id)\n\n## `Bemit\\AuthMiddleware\\RequestHandlerAuthorizeChecker`\n\n`trait` for PSR request handler to easily validate if access should be granted, throws `Bemit\\AuthMiddleware\\NotAuthorizedException` when some authorize check fails.\n\n- `requireRole(ServerRequestInterface $request, string $service, string $role): void`\n    - fails when role is not granted for the service\n- `requireRoleOneOf(ServerRequestInterface $request, string $service, array $possible_roles): void`\n    - `possible_roles` as `string[]`, only one of the specified roles must match\n- `requireProjectAccess(ServerRequestInterface $request, string $project_id): void`\n    - does not check for any roles, only that the specified access token is valid against the given `project`\n\n## `Bemit\\AuthMiddleware\\RequestAuthorizeContext`\n\nConvenience functions to get the typed data out of the server request attributes.\n\n- `static 
getTokenData(ServerRequestInterface $request): ?TokenData`\n- `static getUserData(ServerRequestInterface $request): ?UserData`\n- `static getProject(ServerRequestInterface $request): ?ProjectData`\n- `static getId(ServerRequestInterface $request): ?string`\n\n## `Bemit\\AuthMiddleware\\NotAuthorizedException`\n\nException to be used when a request needs authorization but doesn't have it.\n\n## Dependencies\n\nDependency definition example, with PHP-DI:\n\n```php\n\u003c?php\n\nuse function DI\\autowire;\nuse function DI\\get;\n\n$dependencies = [\n    // the middleware uses `AuthService` and a psr/http-factory implementation for responses\n    Bemit\\AuthMiddleware\\AuthMiddleware::class =\u003e autowire(),\n    Bemit\\AuthMiddleware\\AuthService::class =\u003e autowire()\n        -\u003econstructorParameter('issuer', $_ENV['AUTH_CLIENT_ISSUER'])\n        -\u003econstructorParameter('audience', $_ENV['AUTH_CLIENT_AUDIENCE'])\n        // use either frontend client id for e.g. APIs or otherwise same as for Auth0Service\n        -\u003econstructorParameter('client_id', $_ENV['AUTH0_CLIENT_ID_FRONTEND'])\n        -\u003econstructorParameter('namespace_user_data', 'https://userdata')\n        -\u003econstructorParameter('namespace_projects', 'https://id.namespace')\n        -\u003econstructorParameter('allowed_audiences', [\n            $_ENV['AUTH_CLIENT_AUDIENCE'],\n        ])\n        // optional, for jwks caching:\n        -\u003econstructorParameter('cache', get(Psr\\Cache\\CacheItemPoolInterface::class))\n        -\u003econstructorParameter('cache_ttl', 360),\n    Bemit\\AuthMiddleware\\Auth0Service::class =\u003e autowire()\n        -\u003econstructorParameter('issuer', $_ENV['AUTH_CLIENT_ISSUER'])\n        -\u003econstructorParameter('client_id', $_ENV['AUTH0_CLIENT_ID'])\n        -\u003econstructorParameter('client_secret', $_ENV['AUTH0_CLIENT_SECRET'])\n        -\u003econstructorParameter('http_client', get(Psr\\Http\\Client\\ClientInterface::class))\n        
-\u003econstructorParameter('logger', get(Psr\\Log\\LoggerInterface::class)),\n];\n```\n\n## License\n\nThis project is free software distributed under the [**MIT License**](LICENSE).\n\n### Contributors\n\nBy committing your code to the code repository you agree to release the code under the MIT License attached to the repository.\n\n***\n\nMaintained by [Michael Becker](https://mlbr.xyz)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbemit%2Fauth-middleware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbemit%2Fauth-middleware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbemit%2Fauth-middleware/lists"}