Daycry Auth

Authentication & Authorization for CodeIgniter 4 — Session, Access Token, JWT, OAuth, TOTP and WebAuthn / Passkeys, with a full RBAC authorization system. Batteries included, secure by default.

Features

  • Multiple authenticators

    Session, Access Token (with scope enforcement), JWT (refresh tokens + one-shot revocation via token_version), and Magic Link (email link or 6-digit code) — all behind one helper.

    Authentication

  • WebAuthn / Passkeys

    Passwordless login (usernameless/discoverable) and passkey 2FA. Phishing-resistant by design, opt-in per user behind a global flag.

    WebAuthn

  • TOTP two-factor

    RFC 6238 TOTP with backup codes, "trust this device" bypass, per-user brute-force lockout, and single-use anti-replay codes.

    TOTP 2FA

  • OAuth 2.0 / Social

    Google, GitHub, Facebook, Microsoft Azure and any OIDC provider. Profile fields, OAuth events, explicit account linking and verified-email merge safety.

    OAuth

  • RBAC authorization

    Groups & permissions with optional cache, uniform wildcard matching (posts.*), and a Gate → RBAC bridge. Plus filters: group, permission, gate, token-scope.

    Authorization

  • Device sessions

    Track active logins per device, optional concurrent-session limit, and real enforced revocation — a revoked session must re-authenticate on its next request.

    Device Sessions

  • Filters & rate limiting

    Per-route rate limits (rates:<limit>,<period>) and sudo mode (password-confirm:<seconds>) that override global windows on your most sensitive routes.

    Filters

  • Audit & compliance

    Granular audit log (22 event types), GDPR export/anonymize helpers, and an admin CLI for tokens, sessions, TOTP, audit and scheduled purges.

    Audit & Compliance

Quick start

# Install, run the migrations and the setup command
composer require daycry/auth
php spark migrate --all
php spark auth:setup

// Attempt a login with the auth() helper (e.g. in a controller action)
$result = auth()->attempt([
    'email'    => 'user@example.com',
    'password' => 'secret',
]);

if ($result->isOK()) {
    return redirect()->to('/dashboard');
}

// Protect a route group with the group filter
// app/Config/Routes.php
$routes->group('admin', ['filter' => 'group:admin'], static function ($routes) {
    $routes->get('dashboard', 'Admin::index');
});

Full quick-start guide

Security, by default

  • Hardened auth

    Per-user atomic lockout, compromised-password recheck (HIBP), suspicious-login & remember-me theft detection, and a secret-safe login log (SHA-256 fingerprints, never raw tokens).

  • Customizable

    Swap or extend any component — authenticators, repositories, views, actions and policies are all resolvable services you can override.

    Configuration

  • Tested

    A large PHPUnit suite (incl. a real in-test WebAuthn authenticator), PHPStan level 5, deptrac and Rector keep the library correct and clean.

    Testing