ihorchyshkala/passkey-plugin
Composer 安装命令:
composer require ihorchyshkala/passkey-plugin
包简介
WebAuthn/Passkey authentication for October CMS backend
README 文档
README
WebAuthn/Passkey authentication for the October CMS backend. Lets administrators sign in using fingerprint, face recognition, or screen lock instead of a password.
Features
- Passwordless login — "Sign in with Passkey" button on the backend login page
- Discoverable credentials — no username required, the passkey identifies the user
- Multi-device support — USB security keys, NFC, Bluetooth, hybrid, and platform authenticators
- Per-user management — register, name, and delete passkeys from the user profile tab
- Admin management — users with
admins.managepermission can manage passkeys for other users - Rate limiting — max 10 authentication attempts per minute per IP
- IDOR protection — user context derived from URL parameters and permissions, not POST data
- Signature counter validation — detects cloned authenticators
- 15 languages — Arabic, Chinese, Dutch, English, French, German, Japanese, Korean, Latvian, Polish, Portuguese, Russian, Spanish, Turkish, Ukrainian
Requirements
- October CMS 3.1+ (plugin v1.x) or October CMS 4.x (plugin v2.x)
- PHP 8.0.2+ (v1.x) or PHP 8.2+ (v2.x)
- HTTPS (required by the WebAuthn specification)
- A WebAuthn-capable browser (all modern browsers)
Installation
Via Composer
composer require ihorchyshkala/passkey-plugin
Via October CMS Marketplace
Search for Passkey Authentication in the October CMS plugin marketplace, or install from the admin panel:
Settings → Updates & Plugins → Install Plugins → "Passkey Authentication"
Manual Installation
Clone this repository into plugins/ihorchyshkala/passkey/ and run migrations:
php artisan october:migrate
Usage
Signing in with a Passkey
Once a passkey is registered, the login page shows a "Sign in with Passkey" button below the standard login form. Click it, authenticate with your device (fingerprint, face, PIN), and you're in — no password needed.
Registering a Passkey
- Go to Settings → Administrators → (your user) → Passkeys tab, or My Account → Passkeys
- Click Add Passkey
- Give it a descriptive name (e.g. "MacBook Pro", "YubiKey")
- Click Create Passkey and follow the browser prompt
- The passkey appears in the list immediately
Removing a Passkey
Click Remove next to any passkey in the list. A confirmation dialog prevents accidental deletion.
Version Compatibility
| Branch | Plugin | October CMS | PHP | Laravel |
|---|---|---|---|---|
1.x |
v1.x | v3.1+ | >=8.0.2 | 9 / 10 / 11 |
master |
v2.x | v4.x | >=8.2 | 12 |
Composer constraints on october/rain ensure the correct version is installed automatically. The namespace IHORCHYSHKALA\Passkey is the same on both branches.
How It Works
The plugin implements the WebAuthn Level 2 specification using the lbuchs/webauthn PHP library.
Registration flow:
- Backend generates a challenge with user info and excluded credentials
- Browser calls
navigator.credentials.create()with the options - Authenticator creates a key pair and signs the challenge
- Backend verifies the attestation and stores the public key
Authentication flow:
- Backend generates a challenge (no user info — discoverable credentials)
- Browser calls
navigator.credentials.get() - Authenticator signs the challenge with the private key
- Backend verifies the signature against the stored public key and logs the user in
Challenges are stored in the server session with a 120-second TTL and are consumed on use (one-time).
Security
- All credentials are stored server-side; private keys never leave the authenticator
- Challenges expire after 120 seconds and are single-use
- Rate limiting prevents brute-force attempts (10/min per IP)
- User verification is required for both registration and authentication
- Signature counters are validated to detect cloned authenticators
- IDOR protection: user targeting uses URL parameters verified against permissions, not client-supplied POST data
- Generic error messages prevent credential enumeration
Database
The plugin creates one table: ihorchyshkala_passkey_credentials
| Column | Type | Description |
|---|---|---|
id |
int | Primary key |
backend_user_id |
int | Foreign key to backend_users (cascade delete) |
credential_id |
varchar(512) | Base64url-encoded credential ID (indexed) |
public_key |
text | COSE public key |
name |
string | User-given name for the passkey |
sign_count |
int | Signature counter |
transports |
text | JSON array of supported transports |
created_at |
timestamp | |
updated_at |
timestamp |
License
MIT
ihorchyshkala/passkey-plugin 适用场景与选型建议
ihorchyshkala/passkey-plugin 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 0 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 02 月 16 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「Authentication」 「october」 「octobercms」 「FIDO2」 「webauthn」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 ihorchyshkala/passkey-plugin 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 ihorchyshkala/passkey-plugin 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 ihorchyshkala/passkey-plugin 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
User plugin for October CMS
Laravel Horizon integration for October CMS
Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)
GraphQL authentication for your headless Craft CMS applications.
Provide a way to secure accesses to all routes of an symfony application.
Laravel middleware to restrict a site or specific routes using HTTP basic authentication
统计信息
- 总下载量: 0
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 35
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-02-16