{"id":31287904,"url":"https://github.com/thavarshan/orthrus","last_synced_at":"2026-04-02T03:11:36.817Z","repository":{"id":315757708,"uuid":"1060732214","full_name":"Thavarshan/orthrus","owner":"Thavarshan","description":"⛨ A production-ready, multi-tenant JWT authentication service built with Symfony 7.3 and PHP 8.2+.","archived":false,"fork":false,"pushed_at":"2025-09-20T13:44:04.000Z","size":113,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-20T15:36:50.879Z","etag":null,"topics":["cicd","client-credentials","docker","iam","jwks","jwt","m2m","multi-tenant","oauth2","openapi","php","phpunit","psr-12","rest-api","rfc7807","rs256","scope-based-authorization","symfony"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Thavarshan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["Thavarshan"]}},"created_at":"2025-09-20T13:34:23.000Z","updated_at":"2025-09-20T13:44:07.000Z","dependencies_parsed_at":"2025-09-20T15:52:07.436Z","dependency_job_id":null,"html_url":"https://github.com/Thavarshan/orthrus","commit_stats":null,"previous_names":["thavarshan/orthrus"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Thavarshan/orthrus","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Thavarshan
%2Forthrus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Thavarshan%2Forthrus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Thavarshan%2Forthrus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Thavarshan%2Forthrus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Thavarshan","download_url":"https://codeload.github.com/Thavarshan/orthrus/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Thavarshan%2Forthrus/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276738923,"owners_count":25696024,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-24T02:00:09.776Z","response_time":97,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","client-credentials","docker","iam","jwks","jwt","m2m","multi-tenant","oauth2","openapi","php","phpunit","psr-12","rest-api","rfc7807","rs256","scope-based-authorization","symfony"],"created_at":"2025-09-24T11:31:34.869Z","updated_at":"2025-09-24T11:32:28.061Z","avatar_url":"https://github.com/Thavarshan.png","language":"PHP","funding_links":["https://github.com/sponsors/Thavarshan"],"categories":[],"sub_categories":[],"readme":"# Orthrus\n\nA production-ready, multi-tenant JWT authentication service built with Symfony 7.3 and PHP 8.2+. 
Provides secure RS256 JWT access tokens, refresh token rotation with reuse detection, OAuth 2.0 client credentials flow, and scope-based authorization.\n\n## Table of Contents\n\n- [Features](#features)\n- [Requirements](#requirements)\n- [Quick Start](#quick-start)\n- [Architecture](#architecture)\n- [API Reference](#api-reference)\n- [Authentication](#authentication)\n- [Security](#security)\n- [Development](#development)\n- [Testing](#testing)\n- [Configuration](#configuration)\n- [Contributing](#contributing)\n- [License](#license)\n\n## Features\n\n- **Multi-tenant Architecture**: Complete organization isolation with tenant-scoped operations\n- **JWT Access Tokens**: RS256-signed tokens with a 10-minute TTL (configurable)\n- **Refresh Token Rotation**: Automatic rotation with reuse detection for enhanced security\n- **OAuth 2.0 Client Credentials**: Machine-to-machine authentication flow\n- **Scope-based Authorization**: Fine-grained access control with scope validation\n- **Rate Limiting**: Built-in protection against brute force attacks\n- **JWKS Support**: Public key discovery endpoint for token verification\n- **Reuse Detection**: Automatic refresh token family invalidation on suspicious activity\n\n## Requirements\n\n- PHP 8.2 or higher\n- Composer\n- Symfony CLI\n- Docker (for PostgreSQL)\n- OpenSSL (for key generation)\n\n## Quick Start\n\n1. **Install dependencies**\n\n   ```bash\n   composer install\n   ```\n\n2. **Generate RSA key pair and JWT key ID**\n\n   ```bash\n   make keygen\n   ```\n\n3. **Configure database**\n   - Default: local MySQL (edit `DATABASE_URL` in `.env` or `.env.local`)\n   - Optional: start PostgreSQL via Docker: `make up`\n\n4. **Run database migrations**\n\n   ```bash\n   make migrate\n   ```\n\n5. **Seed demo data**\n\n   ```bash\n   make seed\n   ```\n\n6. 
**Start development server**\n\n   ```bash\n   symfony server:start -d\n   ```\n\nThe API will be available at `http://localhost:8000`\n\n## Architecture\n\n### Core Entities\n\n- **User**: Application users with email/password authentication\n- **Organization**: Multi-tenant boundary for complete data isolation\n- **Membership**: User-organization relationships with role-based access\n- **OAuthClient**: OAuth 2.0 clients for machine-to-machine authentication\n- **RefreshToken**: Opaque tokens with automatic rotation and family tracking\n- **RevokedJti**: Blacklist for revoked JWT token identifiers\n\n### Authentication Flow\n\n1. **User Authentication**: Email/password login with organization context\n2. **Token Issuance**: Access token (JWT) + refresh token (opaque) pair\n3. **Token Refresh**: Automatic rotation of refresh tokens with reuse detection\n4. **Client Credentials**: Direct client authentication for service-to-service communication\n\n### Security Model\n\n- **JWT Tokens**: RS256 signature, short-lived (10 minutes), stateless verification\n- **Refresh Tokens**: Long-lived, server-side validation, automatic rotation\n- **Multi-tenancy**: Organization-scoped access with header validation\n- **Scope Authorization**: Granular permissions using OAuth 2.0 scopes\n- **Rate Limiting**: IP-based throttling on authentication endpoints\n\n## API Reference\n\n### Authentication Endpoints\n\n#### POST /login\n\nUser authentication with email and password.\n\n**Request:**\n\n```json\n{\n  \"email\": \"user@example.com\",\n  \"password\": \"password\",\n  \"org\": \"organization-uuid\",\n  \"scope\": [\"profile.read\", \"data.write\"]\n}\n```\n\n**Response:**\n\n```json\n{\n  \"access_token\": \"eyJhbGciOiJSUzI1NiIs...\",\n  \"expires_in\": 600,\n  \"refresh_token\": \"uuid.secret\",\n  \"token_type\": \"Bearer\"\n}\n```\n\n**Error Responses:**\n\n- `400 Bad Request`: Invalid request body or validation errors\n- `401 Unauthorized`: Invalid credentials or user not in 
organization\n- `429 Too Many Requests`: Rate limit exceeded\n\n#### POST /token/refresh\n\nRefresh an expired access token using a refresh token.\n\n**Request:**\n\n```json\n{\n  \"refresh_token\": \"uuid.secret\",\n  \"org\": \"organization-uuid\"\n}\n```\n\n**Response:**\n\n```json\n{\n  \"access_token\": \"eyJhbGciOiJSUzI1NiIs...\",\n  \"expires_in\": 600,\n  \"refresh_token\": \"new-uuid.new-secret\",\n  \"token_type\": \"Bearer\"\n}\n```\n\n**Error Responses:**\n\n- `400 Bad Request`: Invalid request body\n- `401 Unauthorized`: Invalid or expired refresh token\n\n#### POST /logout\n\nRevoke a refresh token (logout).\n\n**Request:**\n\n```json\n{\n  \"refresh_token\": \"uuid.secret\"\n}\n```\n\n**Response:**\n\n- `204 No Content`: Token successfully revoked\n\n#### POST /token\n\nOAuth 2.0 client credentials flow for machine-to-machine authentication.\n\n**Request (Basic Auth):**\n\n```bash\ncurl -X POST http://localhost:8000/token \\\n  -u \"client-id:client-secret\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"org\": \"organization-uuid\", \"scope\": [\"api.read\"]}'\n```\n\n**Request (JSON Body):**\n\n```json\n{\n  \"client_id\": \"demo-client\",\n  \"client_secret\": \"secret\",\n  \"org\": \"organization-uuid\",\n  \"scope\": [\"api.read\", \"api.write\"]\n}\n```\n\n**Response:**\n\n```json\n{\n  \"access_token\": \"eyJhbGciOiJSUzI1NiIs...\",\n  \"expires_in\": 600,\n  \"token_type\": \"Bearer\"\n}\n```\n\n**Error Responses:**\n\n- `400 Bad Request`: Missing organization or invalid request\n- `401 Unauthorized`: Invalid client credentials or unauthorized scope/organization\n- `429 Too Many Requests`: Rate limit exceeded\n\n### Protected Endpoints\n\n#### GET /me\n\nGet current user/client information. 
Requires valid access token and organization header.\n\n**Headers:**\n\n```\nAuthorization: Bearer eyJhbGciOiJSUzI1NiIs...\nX-Org-Id: organization-uuid\n```\n\n**Response:**\n\n```json\n{\n  \"sub\": \"user:user-uuid\" | \"client:client-uuid\",\n  \"org\": \"organization-uuid\",\n  \"scopes\": [\"profile.read\"],\n  \"client\": false | true\n}\n```\n\n**Error Responses:**\n\n- `401 Unauthorized`: Invalid or expired token\n- `403 Forbidden`: Missing or mismatched X-Org-Id header, or missing required scope `profile.read`\n\n### Discovery Endpoints\n\n#### GET /.well-known/jwks.json\n\nJSON Web Key Set (JWKS) for token verification.\n\n**Response:**\n\n```json\n{\n  \"keys\": [\n    {\n      \"kty\": \"RSA\",\n      \"use\": \"sig\",\n      \"kid\": \"key-id-uuid\",\n      \"n\": \"base64-encoded-modulus\",\n      \"e\": \"AQAB\"\n    }\n  ]\n}\n```\n\n**Cache Headers:**\n\n- `Cache-Control: public, max-age=300`\n\n## Authentication\n\n### JWT Access Tokens\n\nAccess tokens are RS256-signed JWTs with the following structure:\n\n**Header:**\n\n```json\n{\n  \"alg\": \"RS256\",\n  \"typ\": \"JWT\",\n  \"kid\": \"key-id-uuid\"\n}\n```\n\n**Payload (example):**\n\n```json\n{\n  \"iss\": \"http://localhost:8000\",\n  \"aud\": \"symfony-token-service\",\n  \"sub\": \"user:uuid\" | \"client:uuid\",\n  \"iat\": 1234567890,\n  \"nbf\": 1234567890,\n  \"exp\": 1234567890,\n  \"jti\": \"token-uuid\",\n  \"org\": \"organization-uuid\",\n  \"scope\": \"profile.read data.write\"\n}\n```\n\n### Refresh Tokens\n\nRefresh tokens use the format `\u003cid\u003e.\u003csecret\u003e` where:\n\n- `id`: UUID identifying the token record\n- `secret`: Cryptographically random string\n- Storage: Argon2id hash of the secret in the database\n- Rotation: New token issued on each refresh, old token invalidated\n- Reuse Detection: Entire token family invalidated if reuse detected\n\n### Multi-tenant Access\n\nAll protected endpoints require the `X-Org-Id` header to match the organization claim in 
the JWT token. This ensures complete tenant isolation.\n\n### Scope Authorization\n\nUse the `#[IsGranted('scope:profile.read')]` attribute on controller methods to enforce scope-based authorization.\n\n## Security\n\n### Rate Limiting\n\n- **Login endpoint**: Limited by client IP address\n- **Token endpoint**: Limited by client IP address\n- **Configuration**: Uses Symfony Rate Limiter component\n\n### Key Management\n\n- **Location**: RSA key pairs stored in `var/keys/` (gitignored)\n- **Generation**: 4096-bit RSA keys with `make keygen`\n- **Rotation**: Current key ID stored in `config/jwt.yaml`\n- **JWKS**: Public keys published at `/.well-known/jwks.json`\n\n### Token Security\n\n- **Access Token TTL**: 10 minutes (configurable)\n- **Clock Skew**: Configurable tolerance for time differences\n- **Signature**: RS256 algorithm with proper key validation\n- **Revocation**: JTI-based blacklisting for compromised tokens\n\n## Development\n\n### Make Commands\n\n```bash\nmake up          # Start PostgreSQL with Docker\nmake down        # Stop Docker containers\nmake keygen      # Generate RSA keys and JWT key ID\nmake migrate     # Create database and run migrations\nmake seed        # Seed demo data\nmake test        # Run PHPUnit tests\nmake lint        # Check code style (dry-run)\nmake lint-fix    # Fix code style issues\nmake phpstan     # Run static analysis\nmake check       # Run all quality checks (lint + phpstan + test)\nmake ci          # Alias for check (CI pipeline)\n```\n\n### Demo Data\n\nThe `make seed` command creates:\n\n- **Organization**: Demo Org\n- **User**: \u003cuser@example.com\u003e / password\n- **Client**: demo-client / secret\n- **Scopes**: profile.read\n\n### Environment Configuration\n\nKey environment variables in `.env` or `.env.local`:\n\n```bash\nAPP_URL=http://localhost:8000\nDATABASE_URL=\"mysql://root@127.0.0.1:3306/symfony?serverVersion=8.0\u0026charset=utf8mb4\"\n# JWT kid used in token headers and JWKS (generated via `make 
keygen`)\nJWT_KID=change-me\n```\n\n## Testing\n\n### Running Tests\n\n```bash\n# All tests\nmake test\n\n# Specific test suite\n./vendor/bin/phpunit tests/Unit\n./vendor/bin/phpunit tests/Functional\n\n# Single test class\n./vendor/bin/phpunit tests/Unit/TokenServiceTest.php\n```\n\n### Code Quality\n\n#### PHPStan\nStatic analysis at level 8 for type safety and code quality:\n- Type checking and inference\n- Dead code detection\n- Missing return types\n\n```bash\n# Run static analysis\nmake phpstan\n\n# Generate baseline for existing issues\nmake phpstan-baseline\n```\n\n#### Quality Pipeline\n```bash\n# Run all quality checks\nmake check  # phpstan + test\n\n# CI pipeline command\nmake ci     # alias for check\n```\n\n### Test Environment\n\n- **Database**: SQLite in-memory for isolation\n- **Configuration**: `phpunit.xml.dist`\n- **Environment**: `APP_ENV=test`\n\n## Configuration\n\n### JWT Configuration\n\nFile: `config/jwt.yaml`\n\n```yaml\nparameters:\n  jwt:\n    issuer: '%env(JWT_ISSUER)%'\n    audience: '%env(JWT_AUDIENCE)%'\n    access_ttl: '%env(int:JWT_ACCESS_TTL)%'\n    skew: '%env(int:JWT_SKEW)%'\n    keys:\n      current:\n        kid: 'current-key-uuid'\n        private_path: '%kernel.project_dir%/var/keys/private.pem'\n        public_path: '%kernel.project_dir%/var/keys/public.pem'\n```\n\n### Security Configuration\n\nFile: `config/packages/security.yaml`\n\n- JWT authenticator configuration\n- Scope-based access control\n- Firewall rules for API endpoints\n\n### Database Configuration\n\nFile: `config/packages/doctrine.yaml`\n\n- PostgreSQL connection for production\n- SQLite for testing\n- Entity mappings and migrations\n\n## Contributing\n\nWe welcome contributions to Orthrus! 
Please read our [Contributing Guidelines](CONTRIBUTING.md) for details on:\n\n- Development setup and workflow\n- Code standards and quality checks\n- Testing requirements\n- Pull request process\n\nFor security vulnerabilities, please follow our [Security Policy](SECURITY.md) for responsible disclosure.\n\n## License\n\nThis project is proprietary. See composer.json for license details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthavarshan%2Forthrus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthavarshan%2Forthrus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthavarshan%2Forthrus/lists"}