{"id":20275523,"url":"https://github.com/workofstan/seablast-auth","last_synced_at":"2026-03-10T03:34:11.330Z","repository":{"id":239644079,"uuid":"799904847","full_name":"WorkOfStan/seablast-auth","owner":"WorkOfStan","description":"Seablast-Auth is a no-password authentication and authorization extension for Seablast for PHP apps. It facilitates secure user verification and access control. Optionally integrates with Google and Facebook for social media sign-ins. Integrable via Composer, it activates as needed, equipping your app with essential security features effortlessly.","archived":false,"fork":false,"pushed_at":"2026-03-01T21:56:43.000Z","size":102,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-02T01:24:32.683Z","etag":null,"topics":["facebook-login","google-login","role-based-access-control","secure-login-php","social-login","social-login-google"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WorkOfStan.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-05-13T10:28:21.000Z","updated_at":"2025-12-27T18:57:19.000Z","dependencies_parsed_at":"2024-05-13T20:26:15.276Z","dependency_job_id":"b7a43151-d7c2-4d10-9999-c60213d53be4","html_url":"https://github.com/WorkOfStan/seablast-auth","commit_stats":null,"previous_names":["workofstan/seablast-auth"],"tags_count":9,"template":false
,"template_full_name":null,"purl":"pkg:github/WorkOfStan/seablast-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WorkOfStan%2Fseablast-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WorkOfStan%2Fseablast-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WorkOfStan%2Fseablast-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WorkOfStan%2Fseablast-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WorkOfStan","download_url":"https://codeload.github.com/WorkOfStan/seablast-auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WorkOfStan%2Fseablast-auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30323222,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T01:36:58.598Z","status":"online","status_checked_at":"2026-03-10T02:00:06.579Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["facebook-login","google-login","role-based-access-control","secure-login-php","social-login","social-login-google"],"created_at":"2024-11-14T13:09:43.299Z","updated_at":"2026-03-10T03:34:11.253Z","avatar_url":"https://github.com/WorkOfStan.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# `Seablast\\Auth`\n\nA no-password 
authentication and authorization extension for [Seablast for PHP](https://github.com/WorkOfStan/seablast) apps.\nThis extension facilitates secure user verification and efficient access control.\n\nOptionally, `Seablast\\Auth` has a lightweight integration with Google and Facebook to support social authentication, allowing seamless sign-in through various social media platforms.\nIntegrable via Composer, it activates only when required, equipping your app with essential security features effortlessly.\nIf your Seablast-based application necessitates user authentication or resource authorization, incorporating `Seablast\\Auth` will equip it with these capabilities instantly.\n(For applications that do not require these features, `Seablast\\Auth` can simply be left out to maintain a lighter application footprint.)\n\n## User management\n\n- RBAC (Role-Based Access Control) supported\n- user MUST have one role (admin, editor, ordinary user)\n- user MAY belong to various groups (based on subscription tariff, a promotion, etc.)\n\n## Usage\n\nWhen just getting the identity of a logged-in user is needed:\n\n```php\n    // Instantiate the IdentityManager class with `\\mysqli`\n    $identity = new IdentityManager($this-\u003econfiguration-\u003emysqli());\n    // If prefix is used, inject it\n    $identity-\u003esetTablePrefix($this-\u003econfiguration-\u003edbmsTablePrefix());\n    // To make Remember me Cookies predictable = avoid conflicts, inject a cookie path\n    $identity-\u003esetCookiePath($this-\u003econfiguration-\u003egetString(SeablastConstant::SB_SESSION_SET_COOKIE_PARAMS_PATH));\n```\n\nTo create the expected database table structure, just add the seablast/auth migration path to your phinx.php configuration, e.g.\n\n```php\n    'paths' =\u003e [\n        'migrations' =\u003e [\n            '%%PHINX_CONFIG_DIR%%/db/migrations',\n            '%%PHINX_CONFIG_DIR%%/../vendor/seablast/auth/conf/db/migrations',\n        ],\n        'seeds' =\u003e 
'%%PHINX_CONFIG_DIR%%/db/seeds'\n    ],\n```\n\nThe following tables will be created (prefixed as set in your app), so avoid naming conflicts with your app's own tables:\n\n- email_token (user)\n- group (user_groups)\n- group_activation_tokens (user_groups)\n- roles (user)\n- session_user (user)\n- users (user)\n- user_group (user_groups)\n\n### Cookies\n\nIdentityManager expects the cookie scope to be already set by:\n\n```php\nsession_set_cookie_params(\n    int $lifetime_or_options,\n    ?string $path = null,\n    ?string $domain = null,\n    ?bool $secure = null,\n    ?bool $httponly = null\n): bool\n```\n\nNote: the sbRememberMe cookie is created/read only if the website is accessed over HTTPS and if allowed by `AuthApp:FLAG_REMEMBER_ME_COOKIE` (allowed by default).\n(todo check whether if not allowed, it is really not created or just not read)\n\n### Routing\n\n`/user` is the default route (which can be changed by `AuthConstant::USER_ROUTE`) to the user log-in/log-out page,\nbut if you want to customize it, configure the path to your own template within your app's `conf/app.conf.php` like this:\n\n```php\n        //-\u003esetString(AuthConstant::USER_ROUTE, '/user') // can be changed\n        -\u003esetArrayArrayString(\n            SeablastConstant::APP_MAPPING,\n            '/user',\n            [\n                'template' =\u003e 'user', // your latte template including login-form.latte\n                'model' =\u003e '\\Seablast\\Auth\\UserModel',\n            ]\n        )\n```\n\nOn successful login, the current page is reloaded or the user is sent to a social login success page:\n\n```php\n        -\u003esetString(AuthConstant::SOCIAL_LOGIN_SUCCESS_URL, '') // empty OR not set =\u003e just reload; otherwise go to the fully qualified URL of a social login success page\n```\n\nNote 1: Seablast::v0.2.5 already uses the default settings in [conf/app.conf.php](conf/app.conf.php), so the Seablast/Auth configuration is used from v0.2.5 onward.\n\n`send-auth-token.js` (since 
Seablast::v0.2.10) expects the route `/api/social-login` as configured in [app.conf.php](conf/app.conf.php) and the provider to be either `facebook` or `google`.\n\nThe arguments of `window.sendAuthToken(token, apiRoute, errorLogger);` are processed since Seablast::v0.2.13.\n\nNote 2: `const API_BASE = ''; const flags = [];` MUST be defined in JavaScript as the default `/user` expects these two variables.\n\n### View\n\n`\\Seablast\\Auth\\UserModel` returns arguments ($configuration, $csrfToken, $message, $showLogin, $showLogout) for the user.latte template:\n\n```latte\n{include '../vendor/seablast/auth/views/user-control.latte'}\n```\n\nNote 1: user.latte uses inherite.latte for all the latte parts, so you may either use it, include user-control.latte, or create an app version of any of the latte parts.\n\nNote 2: vendor/seablast is accessible for Seablast apps, so the web browser assets (such as `send-auth-token.js`) used by plugins MUST be put into the assets folder of the Seablast library.\n\n### Social login\n\nThe existence of the configuration strings 'FACEBOOK_APP_ID' or 'GOOGLE_CLIENT_ID' implies the option to log in via the respective platform.\n\nNote 1: social login can be deactivated in an app by `-\u003edeactivate(AuthConstant::FLAG_USE_SOCIAL_LOGIN)` in the configuration.\n\nNote 2: send-auth-token.js is expected in the seablast directory, which needs at least Seablast v0.2.10. 
(The arguments of `window.sendAuthToken(token, apiRoute, errorLogger);` are processed since Seablast::v0.2.13.)\n\nNote 3: The new Google Identity Services no longer opens a traditional pop‑up account chooser; instead, it displays the One Tap UI.\n\n### MailOut::send() method is a generic mail sender built on top of Symfony Mailer\n\nSending of emails to users MUST be activated, so that `$this-\u003econfiguration-\u003eflag-\u003estatus(SeablastConstant::USER_MAIL_ENABLED)` is true.\n\n```php\n  // Usage:\n  use Seablast\\Auth\\MailOut;\n  $sendMail = new MailOut('smtp://smtp.example.com:587', 'noreply@example.com');\n  $sendMail-\u003esend(\n    to: 'user@example.com',\n    subject: 'Login link',\n    textBody: \"Open this URL: https://app.example.com/?token=XYZ\",\n    options: [\n      'cc'   =\u003e ['cc1@example.com', 'cc2@example.com'], // optional\n      'bcc'  =\u003e 'audit@example.com',                    // optional, can be string or array\n      'html' =\u003e '\u003cp\u003eOpen this URL: \u003ca href=\"https://app.example.com/?token=XYZ\"\u003eLogin\u003c/a\u003e\u003c/p\u003e', // optional\n      // 'replyTo' =\u003e 'support@example.com',           // optional\n      // 'from'    =\u003e 'custom-from@example.com',       // optional override of defaultFrom\n      // 'priority'=\u003e Email::PRIORITY_HIGH,            // optional (1..5), default normal\n    ]\n  );\n```\n\n## Testing\n\nRun [./test.sh](./test.sh) for essential PHPUnit tests:\n\n- create token and use it,\n- check its disappearance as it's valid only once,\n- invalid emails are not accepted,\n- SQL injection attempts are not accepted.\n\n## TODO\n\n- 251227, success email token login/logout page\n- 251227, define also (social login) logout 
page\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworkofstan%2Fseablast-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fworkofstan%2Fseablast-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworkofstan%2Fseablast-auth/lists"}