定制 ihorchyshkala/passkey-plugin 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

ihorchyshkala/passkey-plugin

Composer 安装命令:

composer require ihorchyshkala/passkey-plugin

包简介

WebAuthn/Passkey authentication for October CMS backend

README 文档

README

WebAuthn/Passkey authentication for the October CMS backend. Lets administrators sign in using fingerprint, face recognition, or screen lock instead of a password.

Features

  • Passwordless login — "Sign in with Passkey" button on the backend login page
  • Discoverable credentials — no username required, the passkey identifies the user
  • Multi-device support — USB security keys, NFC, Bluetooth, hybrid, and platform authenticators
  • Per-user management — register, name, and delete passkeys from the user profile tab
  • Admin management — users with admins.manage permission can manage passkeys for other users
  • Rate limiting — max 10 authentication attempts per minute per IP
  • IDOR protection — user context derived from URL parameters and permissions, not POST data
  • Signature counter validation — detects cloned authenticators
  • 15 languages — Arabic, Chinese, Dutch, English, French, German, Japanese, Korean, Latvian, Polish, Portuguese, Russian, Spanish, Turkish, Ukrainian

Requirements

  • October CMS 3.1+ (plugin v1.x) or October CMS 4.x (plugin v2.x)
  • PHP 8.0.2+ (v1.x) or PHP 8.2+ (v2.x)
  • HTTPS (required by the WebAuthn specification)
  • A WebAuthn-capable browser (all modern browsers)

Installation

Via Composer

composer require ihorchyshkala/passkey-plugin

Via October CMS Marketplace

Search for Passkey Authentication in the October CMS plugin marketplace, or install from the admin panel:

Settings → Updates & Plugins → Install Plugins → "Passkey Authentication"

Manual Installation

Clone this repository into plugins/ihorchyshkala/passkey/ and run migrations:

php artisan october:migrate

Usage

Signing in with a Passkey

Once a passkey is registered, the login page shows a "Sign in with Passkey" button below the standard login form. Click it, authenticate with your device (fingerprint, face, PIN), and you're in — no password needed.

Registering a Passkey

  1. Go to Settings → Administrators → (your user) → Passkeys tab, or My Account → Passkeys
  2. Click Add Passkey
  3. Give it a descriptive name (e.g. "MacBook Pro", "YubiKey")
  4. Click Create Passkey and follow the browser prompt
  5. The passkey appears in the list immediately

Removing a Passkey

Click Remove next to any passkey in the list. A confirmation dialog prevents accidental deletion.

Version Compatibility

Branch Plugin October CMS PHP Laravel
1.x v1.x v3.1+ >=8.0.2 9 / 10 / 11
master v2.x v4.x >=8.2 12

Composer constraints on october/rain ensure the correct version is installed automatically. The namespace IHORCHYSHKALA\Passkey is the same on both branches.

How It Works

The plugin implements the WebAuthn Level 2 specification using the lbuchs/webauthn PHP library.

Registration flow:

  1. Backend generates a challenge with user info and excluded credentials
  2. Browser calls navigator.credentials.create() with the options
  3. Authenticator creates a key pair and signs the challenge
  4. Backend verifies the attestation and stores the public key

Authentication flow:

  1. Backend generates a challenge (no user info — discoverable credentials)
  2. Browser calls navigator.credentials.get()
  3. Authenticator signs the challenge with the private key
  4. Backend verifies the signature against the stored public key and logs the user in

Challenges are stored in the server session with a 120-second TTL and are consumed on use (one-time).

Security

  • All credentials are stored server-side; private keys never leave the authenticator
  • Challenges expire after 120 seconds and are single-use
  • Rate limiting prevents brute-force attempts (10/min per IP)
  • User verification is required for both registration and authentication
  • Signature counters are validated to detect cloned authenticators
  • IDOR protection: user targeting uses URL parameters verified against permissions, not client-supplied POST data
  • Generic error messages prevent credential enumeration

Database

The plugin creates one table: ihorchyshkala_passkey_credentials

Column Type Description
id int Primary key
backend_user_id int Foreign key to backend_users (cascade delete)
credential_id varchar(512) Base64url-encoded credential ID (indexed)
public_key text COSE public key
name string User-given name for the passkey
sign_count int Signature counter
transports text JSON array of supported transports
created_at timestamp
updated_at timestamp

License

MIT

ihorchyshkala/passkey-plugin 适用场景与选型建议

ihorchyshkala/passkey-plugin 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 0 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 02 月 16 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「Authentication」 「october」 「octobercms」 「FIDO2」 「webauthn」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 ihorchyshkala/passkey-plugin 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 ihorchyshkala/passkey-plugin 我们能提供哪些服务?
定制开发 / 二次开发

基于 ihorchyshkala/passkey-plugin 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 0
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 35
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-02-16