flametrench/identity
Composer 安装命令:
composer require flametrench/identity
包简介
Identity primitives for Flametrench: users, credentials (Argon2id-pinned passwords, passkeys, OIDC), and user-bound sessions with rotation on refresh.
README 文档
README
Identity primitives for Flametrench: users, credentials (Argon2id-pinned password + passkey + OIDC), user-bound sessions with rotation on refresh, and v0.2 multi-factor authentication (ADR 0008, ADR 0010) — TOTP (RFC 6238), recovery codes, and WebAuthn assertion verification across ES256 / RS256 / EdDSA.
The PHP counterpart of @flametrench/identity. Same shapes, same lifecycle, same Argon2id parameter floor, same opaque-bearer-token-vs-session-id distinction.
Status: v0.2.0 (stable). PHP 8.3+, ext-sodium required (for token base64url encoding). Includes the production-ready PostgresIdentityStore alongside the in-memory reference store. Per ADR 0014 the User entity carries an optional display_name with a partial-update updateUser operation; per ADR 0015 listUsers provides cursor-paginated user enumeration with a credential-identifier substring filter; per ADR 0013 the Postgres adapter cooperates with adopter-side outer transactions via savepoints when nested.
Install
composer require flametrench/identity
Quick start
use Flametrench\Identity\InMemoryIdentityStore; $store = new InMemoryIdentityStore(); // Create a user + a password credential. $user = $store->createUser(); $cred = $store->createPasswordCredential($user->id, 'alice@example.com', 'correcthorsebatterystaple'); // Verify and open a session. $verified = $store->verifyPassword('alice@example.com', 'correcthorsebatterystaple'); $sw = $store->createSession($verified->usrId, $verified->credId, ttlSeconds: 3600); // Later, verify an incoming bearer token. $session = $store->verifySessionToken($sw->token);
Argon2id is pinned
Password credentials use PHP's native PASSWORD_ARGON2ID at the spec floor (m=19456, t=2, p=1). These match the OWASP Password Storage Cheat Sheet floor and are the same parameters used by @flametrench/identity. Implementations MUST NOT use bcrypt, scrypt, PBKDF2, or any other algorithm — the spec is opinionated on this point because inconsistency causes breaches.
Sessions: tokens vs. ids
The session id is an identifier (appears in logs, audit, admin). The bearer token is separate — 32 random bytes, base64url-encoded — and only the SHA-256 hash is persisted. The plaintext token is returned exactly once from createSession / refreshSession and never leaves the caller's control via this SDK. Same separation as the spec defines.
refreshSession rotates: new session id, new token, old session revoked. In-place refresh is not spec-conformant.
Credential type discrimination
PHP doesn't have discriminated unions, so credentials are three concrete classes implementing the Credential interface:
$cred = $store->getCredential($credId); match (true) { $cred instanceof PasswordCredential => /* ... */, $cred instanceof PasskeyCredential => /* ... */, $cred instanceof OidcCredential => /* ... */, };
Sensitive material (password hash, passkey public key bytes) is stored internally and never exposed on the public Credential shape — verification uses verifyPassword() and never returns hash material to callers.
Errors
| Class | Code |
|---|---|
NotFoundException |
not_found |
DuplicateCredentialException |
conflict.duplicate_credential |
InvalidCredentialException |
unauthorized.invalid_credential |
CredentialNotActiveException |
conflict.credential_not_active |
CredentialTypeMismatchException |
conflict.credential_type_mismatch |
SessionExpiredException |
unauthorized.session_expired |
InvalidTokenException |
unauthorized.invalid_token |
AlreadyTerminalException |
conflict.already_terminal |
PreconditionException |
precondition.<specifics> |
Cascade semantics (spec-required)
- Revoking a user revokes every active credential AND terminates every active session.
- Suspending a user terminates every active session but leaves credentials alone (the user can be reinstated and their creds still work).
- Rotating a credential terminates every session that was established by the old credential.
- Suspending or revoking a credential terminates every session bound to it.
All cascades are atomic in the in-memory store; tests have explicit fixtures for each.
Development
composer install
composer test
License
Apache License 2.0. Copyright 2026 NDC Digital, LLC.
flametrench/identity 适用场景与选型建议
flametrench/identity 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 236 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 04 月 25 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「identity」 「Users」 「sessions」 「credentials」 「oidc」 「Argon2id」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 flametrench/identity 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 flametrench/identity 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 flametrench/identity 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Debugging a problem and need to login as one of your customers? This allows you to authenticate as any of your customers.
Pop Session Component for Pop PHP Framework
Eloquent Model for the sessions table as created by artisan session:table
A trait for Laravel models which have many users with roles.
The library provides a flexible way to add role-based access control management to CakePHP 3.x
Authorization package for ARCANESOFT/Foundation.
统计信息
- 总下载量: 236
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 37
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: Apache-2.0
- 更新时间: 2026-04-25