定制 flametrench/identity 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

flametrench/identity

Composer 安装命令:

composer require flametrench/identity

包简介

Identity primitives for Flametrench: users, credentials (Argon2id-pinned passwords, passkeys, OIDC), and user-bound sessions with rotation on refresh.

README 文档

README

CI

Identity primitives for Flametrench: users, credentials (Argon2id-pinned password + passkey + OIDC), user-bound sessions with rotation on refresh, and v0.2 multi-factor authentication (ADR 0008, ADR 0010) — TOTP (RFC 6238), recovery codes, and WebAuthn assertion verification across ES256 / RS256 / EdDSA.

The PHP counterpart of @flametrench/identity. Same shapes, same lifecycle, same Argon2id parameter floor, same opaque-bearer-token-vs-session-id distinction.

Status: v0.2.0 (stable). PHP 8.3+, ext-sodium required (for token base64url encoding). Includes the production-ready PostgresIdentityStore alongside the in-memory reference store. Per ADR 0014 the User entity carries an optional display_name with a partial-update updateUser operation; per ADR 0015 listUsers provides cursor-paginated user enumeration with a credential-identifier substring filter; per ADR 0013 the Postgres adapter cooperates with adopter-side outer transactions via savepoints when nested.

Install

composer require flametrench/identity

Quick start

use Flametrench\Identity\InMemoryIdentityStore;

$store = new InMemoryIdentityStore();

// Create a user + a password credential.
$user = $store->createUser();
$cred = $store->createPasswordCredential($user->id, 'alice@example.com', 'correcthorsebatterystaple');

// Verify and open a session.
$verified = $store->verifyPassword('alice@example.com', 'correcthorsebatterystaple');
$sw = $store->createSession($verified->usrId, $verified->credId, ttlSeconds: 3600);

// Later, verify an incoming bearer token.
$session = $store->verifySessionToken($sw->token);

Argon2id is pinned

Password credentials use PHP's native PASSWORD_ARGON2ID at the spec floor (m=19456, t=2, p=1). These match the OWASP Password Storage Cheat Sheet floor and are the same parameters used by @flametrench/identity. Implementations MUST NOT use bcrypt, scrypt, PBKDF2, or any other algorithm — the spec is opinionated on this point because inconsistency causes breaches.

Sessions: tokens vs. ids

The session id is an identifier (appears in logs, audit, admin). The bearer token is separate — 32 random bytes, base64url-encoded — and only the SHA-256 hash is persisted. The plaintext token is returned exactly once from createSession / refreshSession and never leaves the caller's control via this SDK. Same separation as the spec defines.

refreshSession rotates: new session id, new token, old session revoked. In-place refresh is not spec-conformant.

Credential type discrimination

PHP doesn't have discriminated unions, so credentials are three concrete classes implementing the Credential interface:

$cred = $store->getCredential($credId);
match (true) {
    $cred instanceof PasswordCredential => /* ... */,
    $cred instanceof PasskeyCredential  => /* ... */,
    $cred instanceof OidcCredential     => /* ... */,
};

Sensitive material (password hash, passkey public key bytes) is stored internally and never exposed on the public Credential shape — verification uses verifyPassword() and never returns hash material to callers.

Errors

Class Code
NotFoundException not_found
DuplicateCredentialException conflict.duplicate_credential
InvalidCredentialException unauthorized.invalid_credential
CredentialNotActiveException conflict.credential_not_active
CredentialTypeMismatchException conflict.credential_type_mismatch
SessionExpiredException unauthorized.session_expired
InvalidTokenException unauthorized.invalid_token
AlreadyTerminalException conflict.already_terminal
PreconditionException precondition.<specifics>

Cascade semantics (spec-required)

  • Revoking a user revokes every active credential AND terminates every active session.
  • Suspending a user terminates every active session but leaves credentials alone (the user can be reinstated and their creds still work).
  • Rotating a credential terminates every session that was established by the old credential.
  • Suspending or revoking a credential terminates every session bound to it.

All cascades are atomic in the in-memory store; tests have explicit fixtures for each.

Development

composer install
composer test

License

Apache License 2.0. Copyright 2026 NDC Digital, LLC.

flametrench/identity 适用场景与选型建议

flametrench/identity 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 236 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 04 月 25 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「identity」 「Users」 「sessions」 「credentials」 「oidc」 「Argon2id」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 flametrench/identity 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 flametrench/identity 我们能提供哪些服务?
定制开发 / 二次开发

基于 flametrench/identity 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 236
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 37
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: Apache-2.0
  • 更新时间: 2026-04-25