kilogram/auth
Composer 安装命令:
composer require kilogram/auth
包简介
Secure and simple validation library for Telegram Login Widget and Web App data (including Third-Party validation support).
README 文档
README
Telegram Auth 🔑
Secure and simple validation library for Telegram Login Widget and Web App (including Third-Party validation support).
Features
- ✅ Telegram Login Widget – validate payloads from the login widget (hash verification, timestamp check).
- ✅ Telegram Web App – authenticate users inside mini‑apps by verifying
initData. - ✅ Third‑Party Use – validate Telegram data for external services (without a bot token, using bot ID).
- ✅ Simple API – ready‑to‑use methods like
isValidLoginWidget(),validateWebApp(), plus exceptions for error handling. - ✅ Secure by design – uses cryptographically strong hashing (
hash_hmac,sodium) to prevent data tampering. - ✅ PHP 8.2+ – modern, strictly typed code.
Requirements
- PHP:
^8.2 - ext-hash:
* - ext-sodium:
*
Installation
composer require kilogram/auth
Quick start
Note
Usage examples are also available in the examples directory.
Login Widget (simple)
Basic validation of the data received from the Telegram Login Widget. Checks the hash and timestamp, returns a boolean result.
use Kilogram\Auth\Validator; $data = $_GET; $validator = new Validator($_ENV['TELEGRAM_BOT_TOKEN']); if ($validator->isValidLoginWidget($data)) { echo "Authenticated. User ID: " . $data['id']; } else { echo "Authentication failed"; }
Login Widget (with exceptions)
A more robust approach that throws specific exceptions for invalid input (missing parameters) and validation failures (tampered data).
use Kilogram\Auth\Validator; use Kilogram\Auth\Exceptions\InvalidDataException; use Kilogram\Auth\Exceptions\ValidationException; $data = $_GET; $validator = new Validator($_ENV['TELEGRAM_BOT_TOKEN']); try { $validator->validateLoginWidget($data); echo "Authenticated. Hello " . ($data['first_name'] ?? 'user'); } catch (InvalidDataException $e) { // Developer error: invalid input format (e.g. missing "hash") echo "Bad request: " . $e->getMessage(); } catch (ValidationException $e) { // Invalid signature: possible tampering echo "Authentication failed"; }
Web App (simple)
Verifies the initData string from a Telegram Web App. Returns true if the signature is valid and the data is fresh.
use Kilogram\Auth\Validator; $initData = $_POST['initData']; $validator = new Validator($_ENV['TELEGRAM_BOT_TOKEN']); if ($validator->isValidWebApp($initData)) { echo "Web App authenticated"; } else { echo "Invalid initData"; }
Web App (with exceptions)
Same as above, but throws exceptions for malformed input or invalid signatures, giving you finer control over error handling.
use Kilogram\Auth\Validator; use Kilogram\Auth\Exceptions\InvalidDataException; use Kilogram\Auth\Exceptions\ValidationException; $initData = $_POST['initData']; $validator = new Validator($_ENV['TELEGRAM_BOT_TOKEN']); try { $validator->validateWebApp($initData); echo "Web App authenticated"; } catch (InvalidDataException $e) { // Developer error: initData format is broken / empty echo "Bad request: " . $e->getMessage(); } catch (ValidationException $e) { // Invalid signature echo "Authentication failed"; }
Web App Third-Party (simple)
Validates data for third‑party services without using a bot token. Only the bot ID is required.
use Kilogram\Auth\Validator; $initData = $_POST['initData']; if (Validator::isValidWebAppDataForThirdParty($initData, $botId)) { echo "Web App authenticated (Third-Party)!"; } else { echo "Invalid data"; }
Web App Third-Party (with exceptions)
The same third‑party validation, but with exception-based error reporting.
use Kilogram\Auth\Validator; use Kilogram\Auth\Exceptions\ValidationException; $initData = $_POST['initData']; try { Validator::validateWebAppDataForThirdParty($initData, $botId); echo "Web App authorized!"; } catch (ValidationException $e) { echo "Authentication failed"; }
Tip
When to use simple vs exceptions?
Use the simple methods (isValid*) when you only need a boolean result (e.g., in controllers, middleware, or conditional logic).
Use the exception methods (validate*) when you need granular error handling – they distinguish between malformed input (developer errors, e.g., missing parameters) and invalid signatures (security issues, e.g., tampered data).
License
MIT
kilogram/auth 适用场景与选型建议
kilogram/auth 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1 次下载、GitHub Stars 达 0, 最近一次更新时间为 2025 年 12 月 25 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 「Authentication」 「validation」 「auth」 「bot」 「webapp」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 kilogram/auth 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 kilogram/auth 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 kilogram/auth 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)
GraphQL authentication for your headless Craft CMS applications.
Provide a way to secure accesses to all routes of an symfony application.
Laravel middleware to restrict a site or specific routes using HTTP basic authentication
It's a barebone security class written on PHP
Email Toolkit Plugin for CakePHP
统计信息
- 总下载量: 1
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 19
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-12-25