{"id":18750694,"url":"https://github.com/webiny/login","last_synced_at":"2025-11-26T21:30:17.188Z","repository":{"id":62547882,"uuid":"41688320","full_name":"webiny/Login","owner":"webiny","description":"[NOT MAINTAINED] RESTful login application.","archived":false,"fork":false,"pushed_at":"2017-10-29T17:52:35.000Z","size":32,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-12-28T22:54:18.053Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/webiny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-08-31T16:51:51.000Z","updated_at":"2023-05-21T17:38:21.000Z","dependencies_parsed_at":"2022-11-02T22:16:18.541Z","dependency_job_id":null,"html_url":"https://github.com/webiny/Login","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webiny%2FLogin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webiny%2FLogin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webiny%2FLogin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webiny%2FLogin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/webiny","download_url":"https://codeload.github.com/webiny/Login/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239636243,"owners_count":19672314,"icon_url":"https://github.com/git
hub.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T17:12:49.863Z","updated_at":"2025-11-26T21:30:17.116Z","avatar_url":"https://github.com/webiny.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"Webiny Login\n================\n\nThis is an application that provides an additional control layer to the [Webiny Framework Security](https://github.com/Webiny/Security) component.\nThe application standardizes the login process and stateless user token storage, making it ideal for RESTful and mobile applications.\n\nSome of the built-in features:\n- sessions are stored in the database and can be revoked at any point\n- authorized devices are also stored in the database and can be revoked at any point\n- login whitelist and blacklist based on client IP\n- rate limit control\n- stateless login validation for RESTful applications\n- only whitelisted devices can log in (optional)\n\n## Sample config\n\n```yaml\nLogin:\n    SecurityFirewall: Admin\n    ValidateDevice: true\n    BlockThreshold: 6\n    BlockTimelimit: 10\n    DeviceTtl: 90\n    RateLimitBlacklist:\n        - 123.123.123.123\n    RateLimitWhitelist:\n        - 127.0.0.1\n        - 192.168.1.1\n        - 10.0.2.2\n```\n\n- **SecurityFirewall**: defines which `Security.Firewall` to use for user authentication\n- **ValidateDevice**: whether the device needs to be whitelisted before the user can log in\n- **BlockThreshold**: after how many bad login attempts the client is blocked from submitting any new login requests (the client is identified by the username+IP combination)\n- **BlockTimelimit**: for how many minutes the client is blocked from submitting any additional login attempts\n- **DeviceTtl**: how long the device session stays valid (used only if ValidateDevice is turned on)\n- **RateLimitBlacklist**: list of IPs that are permanently blocked from submitting login requests\n- **RateLimitWhitelist**: list of IPs that are excluded from the rate limit control\n\n## Setup\n\nThe Login app requires the following Webiny Framework components:\n- [Entity](https://github.com/Webiny/Entit)\n- [Http](https://github.com/Webiny/Http)\n- [Mongo](https://github.com/Webiny/Mongo)\n- [Security](https://github.com/Webiny/Security)\n- [Rest](https://github.com/Webiny/Rest) (optional - only if the login RESTful service is used)\n\n## Mongo Indexes\n\nCreate the following indexes on your Mongo database:\n\n```js\ndb.getCollection('LoginMeta').createIndex({username: 1});\ndb.getCollection('LoginRateControl').createIndex({ip: 1});\n```\n\n#### Example setup:\n\n```php\n\\Webiny\\Component\\Security\\Security::setConfig('./securityConfig.yaml');\n\\Webiny\\Component\\Mongo\\Mongo::setConfig('./mongoConfig.yaml');\n\\Webiny\\Component\\Entity\\Entity::setConfig('./entityConfig.yaml');\n\n$security = \\Webiny\\Component\\Security\\Security::getInstance();\n$loginConfig = \\Webiny\\Component\\Config\\Config::getInstance()-\u003eyaml('./loginConfig.yaml');\n\n$login = new \\Webiny\\Login\\Login($security, $loginConfig);\n```\n\nOnce you have the login instance, you can access the methods inside the class directly:\n\n```php\n// check if we have the auth cookie and device cookie\n$authCookie = \\Webiny\\Component\\Http\\Cookie::getInstance()-\u003eget('auth-token');\n$deviceToken = \\Webiny\\Component\\Http\\Cookie::getInstance()-\u003eget('device-token');\n\nif ($authCookie \u0026\u0026 $deviceToken) {\n    try {\n        $user = $login-\u003egetUser($authCookie, $deviceToken);\n    } catch (\\Webiny\\Login\\LoginException $le) {\n        // invalid or expired token: treat the request as unauthenticated\n    } catch (\\Exception $e) {\n        // unexpected error while resolving the user\n    }\n} else {\n    // process login ($username and $authProvider come from the login request)\n    try {\n        $login-\u003eprocessLogin($username, $deviceToken, $authProvider);\n    \n        // if login is successful, return device and auth tokens\n        $authToken = $login-\u003egetAuthToken();\n        return [\n            'authToken'   =\u003e $authToken,\n            'deviceToken' =\u003e $deviceToken\n        ];\n    } catch (\\Webiny\\Login\\LoginException $le) {\n        $errorMsg = $le-\u003egetMessage();\n    } catch (\\Exception $e) {\n        return $e;\n    }\n}\n```\n\n#### Security setup\n\nNote that the Security component needs to use the `Stateless` token storage:\n\n```yaml\nSecurity:\n    Tokens:\n        Stateless:\n            StorageDriver: \\Webiny\\Component\\Security\\Token\\Storage\\Stateless # storage driver needs to be set to stateless\n            SecurityKey: SecretKey\n    Firewall:\n        Admin:\n            Token: Stateless\n```\n\n## Login services\n\nYou can use the Login app as a RESTful service by extending the `\\Webiny\\Login\\LoginServices` abstract class and implementing\nit with the `Webiny Framework Rest` component (see `app/services.php` for a sample implementation).\n\n### POST `processLogin`\n\nThis method processes the login request and returns either a login error or, on success, `authToken` and `deviceToken`.\n\nThe method takes the following parameters via POST:\n- username\n- password\n- authProvider (optional - defines the name of the auth provider inside `Security.Firewall` that should be used to process the request)\n- deviceToken (optional - required only if ValidateDevice is turned on)\n\nLogin error codes:\n\n- 1: Rate limit reached.\n- 2: User account is blocked.\n- 3: Invalid credentials.\n- 4: User hasn't confirmed their account.\n- 5: The current device is not on the allowed list.\n- 99: Either username or password is missing.\n\n\n### POST `getDeviceValidationToken`\n\nFor the provided username, returns `deviceValidationToken`.\n\nThe device validation token can be emailed or sent to the user via SMS or some other form of communication.\n\nThe method takes the following parameters via POST:\n- username\n\n\n### POST `validateDeviceValidationToken`\n\nValidates the provided `deviceValidationToken` for the given username. If the token matches, `deviceToken` is returned.\nThis device token needs to be provided to the `processLogin` method in order to pass the ValidateDevice check.\n\nThe method takes the following parameters via POST:\n- username\n- deviceValidationToken\n\n\n### POST `getAccountActivationToken`\n\nIf the user's account is not activated, you need to request an activation token.\nUsually this token is then emailed to the user via an activation link.\n\nThe method takes the following parameters via POST:\n- username\n\n\n### POST `validateAccountActivationToken`\n\nValidates the provided activation token and returns either a success message or an error stating that the token is not valid.\n\nThe method takes the following parameters via POST:\n- username\n- accountActivationToken\n\n\n### POST `logout`\n\nInvalidates the provided auth token for the given user.\n\nThe method takes the following parameters via POST:\n- username\n- authToken (the auth token returned by processLogin)\n\n\n### POST `generateForgotPasswordResetToken`\n\nGenerates a forgot password link for the given username.\n\nThe method takes the following parameters via POST:\n- username\n\n\n## What doesn't it do\n\nThe Login app doesn't:\n- store any cookies or sessions, so all `remember me` features need to be implemented on your end\n- need to know your users' passwords; that is handled by the `Security` class\n- email any links (forgot password, account activation, 2FA tokens); Login only generates the tokens, delivery is up to you\n- do any authorization, only authentication\n- provide any visuals, only a class and a RESTful service","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwebiny%2Flogin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwebiny%2Flogin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwebiny%2Flogin/lists"}