ometra/caronte-sdk
最新稳定版本:4.0.0
Composer 安装命令:
composer require ometra/caronte-sdk
包简介
Caronte SDK
README 文档
README
This documentation follows the project's Coding Standards and PHPDoc Style Guide.
Project Overview
ometra/caronte-sdk is a Laravel package that integrates any Laravel host application with the Caronte centralised authentication server. It handles:
- JWT user authentication (login, logout, 2FA, password recovery)
- Automatic token validation and renewal on every request
- Role-based access control tied to a central role registry
- Application API permission declaration and application-token middleware
- A ready-to-use management UI for users and roles
- A server-side provisioning wrapper for Caronte tenant provisioning
- Server-to-server inter-app communication via application tokens
Primary audience: Internal development teams adding Caronte authentication to a Laravel application.
Project Type & Tech Summary
| Item | Value |
|---|---|
| Type | Laravel Package (library) |
| PHP | ^8.2 |
| Laravel | ^12.0 |
| JWT library | lcobucci/jwt ^5.3 + lcobucci/clock ^3.2 |
| Database | MySQL / any Laravel-supported driver (via host app) |
| Cache | Host app cache (no package-level cache) |
| Queue | None (all requests are synchronous) |
| External service | Caronte authentication server (HTTP API) |
| Optional dependency | inertiajs/inertia-laravel ^2.0 |
Quick Start
-
Install the package
composer require ometra/caronte-sdk
-
Publish the configuration
php artisan vendor:publish --tag=caronte:config
-
Add the three required environment variables
CARONTE_URL=https://your-caronte-server.example.com CARONTE_APP_CN=your-app-canonical-name CARONTE_APP_SECRET=a-secret-at-least-32-characters-long
Apps that belong to an internal application group can also share user tokens and app-to-app credentials:
CARONTE_APPLICATION_GROUP_ID=core-suite CARONTE_APPLICATION_GROUP_SECRET=a-group-secret-at-least-32-characters-long
-
Run migrations (creates local user cache tables)
php artisan migrate
-
Protect routes with the provided middleware:
Route::middleware(['caronte.session', 'caronte.roles:admin'])->group(...);
-
Sync your configured roles with the Caronte server:
php artisan caronte:roles:sync
-
Declare API permissions if external applications will consume your API:
'permissions' => [ 'invoices.read' => 'Read invoices', 'invoices.write' => 'Write invoices', ],
php artisan caronte:permissions:sync
-
Protect external API routes with application-token middleware:
Route::middleware(['caronte.app-token', 'caronte.app-permissions:invoices.read'])->get(...);
-
Visit the app-local management UI at
/caronte/management(default).
Token Types
- User JWTs authenticate humans and are checked by
caronte.session. - User JWTs are read from phase-2 top-level claims first:
sub,aud,jti,tenant_id,roles,metadata,app_id, andtoken_audience. The legacy nesteduserclaim remains supported as a fallback. - Logout routes in the SDK may be called with
GETorPOST, but the SDK always calls the Caronte server logout endpoint withPOST. - App-to-app credentials use
X-Application-Tokenand are checked bycaronte.application. - Application-group credentials use
base64(group_id:application_group_secret). ApplicationTokensauthenticate external applications consuming this app's API and are checked bycaronte.app-tokenpluscaronte.app-permissions:*.
See Deployment Instructions for the full setup guide.
Documentation Index
统计信息
- 总下载量: 163
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 7
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-05-04