Daycry Auth Documentation

Welcome to the complete documentation for Daycry Auth, a comprehensive authentication and authorization library for CodeIgniter 4.

Getting Started

• Quick Start Guide
  • Requirements
  • Installation
  • Basic Configuration
  • Filters
  • Set Up Routes
  • Your First Protected Controller
  • Authentication Helpers
  • What’s Working Now
  • Next Steps
  • Troubleshooting
• ⚙️ Configuration Reference
  • The Configuration Files
  • Database
  • Authenticators
  • Session Authenticator
  • User Settings
  • Password Settings
  • Password Reset
  • Per-User Account Lockout
  • Magic Links
  • Access Tokens
  • JWT Refresh Tokens
  • Logging & Monitoring
  • Authorization Cache
  • Performance: Hot-Path Write Throttles
  • Views
  • Redirects
  • Routes
  • Post-Authentication Actions
  • Field Validation Rules
  • OAuth Providers
  • Sessions
  • Trusted Devices (2FA bypass)
  • WebAuthn / Passkeys
  • Password Confirmation (“sudo mode”)
  • Compliance & Observability
  • Scheduled Maintenance (auth:purge)
  • Common Presets
  • Dynamic Configuration

Authentication

• 🔐 Authentication — Complete Guide
  • 📋 Index
  • The auth() Facade
  • Session Authenticator
  • Remember Me — Expiry & Theft Detection
  • Per-User Account Lockout
  • Compromised-Password Recheck on Login
  • Login-Attempt Log & Token Fingerprints
  • Access Token Authenticator
  • JWT Authenticator
  • JWT Access-Token Revocation
  • JWT Refresh Tokens
  • Magic Link Authentication
  • WebAuthn / Passkeys
  • Guest Authenticator
  • Password Reset
  • Force Password Reset
  • Pre-Authentication Events
  • Switching Between Authenticators
  • Custom Authenticators
  • Why HTTP Digest Auth is not supported
• OAuth 2.0 & Social Login
  • Table of Contents
  • How It Works
  • Architecture
  • Installation
  • Configuration
  • Routing
  • Adding Login Buttons
  • Provider Examples
  • Account Linking & Email Verification
  • Explicit Linking for Logged-In Users
  • Stored Token Data
  • Profile Fields
  • Scopes Granted
  • Refresh Tokens
  • OAuth Events
  • OAuthTokenRepository
  • IdentityType Helper
  • Unlinking a Provider
  • Account Linking Strategy
  • Testing OAuth
• 🔐 TOTP Two-Factor Authentication
  • 📋 Table of Contents
  • How It Works
  • Configuration
  • User Enrollment
  • Login Flow
  • HasTotp Trait Reference
  • Brute-Force Lockout & Anti-Replay
  • Backup Codes
  • Trust This Device
  • UserSecurityController Integration
  • Admin TOTP Reset
  • Disabling TOTP
  • Testing TOTP
  • Security Notes
• 🔑 WebAuthn / Passkeys
  • 📋 Table of Contents
  • Availability vs. Enforcement
  • How It Works
  • Configuration
  • Routes & JSON Endpoints
  • Enrollment
  • Passwordless Login
  • Passkey as a Second Factor
  • HasWebAuthn Trait Reference
  • Storage
  • Frontend / JavaScript
  • Security Invariants
  • Testing
  • Security Notes
• 📱 Device Sessions
  • 📋 Table of Contents
  • How It Works
  • Configuration
  • Database Migration
  • Revocation Invalidates the Live Session
  • Viewing Active Sessions
  • Terminating Sessions
  • Concurrent Session Limit
  • Trusted Devices (2FA bypass)
  • Login Activity Feed
  • UserSecurityController Integration
  • Building a Sessions Management Page
  • New Device Login Notification
  • Admin CLI
  • Testing Device Sessions
  • Security Tips

Controllers & Filters

• 🛡️ Security Filters
  • 📋 Filter Index
  • 🔧 Initial Setup
  • 🔐 Authentication Filters
  • 👥 Authorization Filters
  • 🔗 Chain Filters
  • 📊 Control Filters
  • 🛠️ Advanced Configuration
  • 🎯 Practical Examples
  • 🚨 Error Handling
  • 📈 Monitoring and Debugging
• 🎮 Controllers — Complete Guide
  • 📋 Index
  • BaseAuthController
  • LoginController
  • RegisterController
  • ActionController
  • MagicLinkController
  • PasswordResetController
  • ForcePasswordResetController
  • JwtController
  • OauthController
  • WebAuthnController
  • UserSecurityController
  • Creating Custom Controllers
  • Best Practices

Authorization & Logging

• 👥 Authorization — Groups & Permissions
  • 📋 Table of Contents
  • Quick Reference
  • Groups
  • Permissions
  • Permission Inheritance
  • Gates & Policies
  • Gate → RBAC Bridge
  • Resolvable Repository Services
  • Authorization in Controllers
  • Authorization in Views
  • Route Filters
  • Permission Cache
  • Default Group for New Users
  • Admin Panel
  • Best Practices
• 📊 Logging, Events & Monitoring
  • 📋 Table of Contents
  • CodeIgniter Events
  • Available Events
  • Listening to Events
  • Pre-Authentication Events
  • Suspicious Login Event
  • Database Logging
  • Login Attempt Logging
  • Failed Attempt Blocking
  • Per-User Account Lockout
  • Rate Limiting
  • Audit Log (auth_audit_logs)
  • Monitoring & Querying Logs

Compliance & Operations

• 🛡️ Audit Log & Compliance
  • 📋 Index
  • Audit Log
  • Token Fingerprints in the Login Log
  • Hashed-at-Rest Tokens (Magic Link & Password Reset)
  • Suspicious Login Detection
  • Remember-Me Theft Detection
  • JWT Access-Token Revocation (token_version)
  • Refresh-Token Revoke Reasons
  • Compromised-Password Recheck on Login
  • Password History (No Reuse)
  • Password Rotation Policy
  • GDPR Export & Anonymization
  • Scheduled Cleanup (auth:purge)
  • Quick Configuration Reference
• 🖥️ CLI Commands
  • 📋 Index
  • Setup & Discovery
  • User management
  • Token & session admin
  • Maintenance
  • Two-factor admin
  • Audit & compliance
  • Cheat sheet

Testing & Reference

• 🧪 Testing Guide
  • 📋 Table of Contents
  • 🏃‍♂️ Quick Start
  • 🧪 Test Categories
  • 🔧 Test Setup
  • 🛡️ Testing Authentication
  • 👥 Testing Authorization
  • 🎛️ Testing Controllers
  • 🔍 Testing Filters
  • 📊 Testing Models
  • 🏗️ Testing Traits
  • 🔑 Testing WebAuthn
  • 🎯 Testing Best Practices
  • 🚀 Contributing Tests
  • 🔗 Related Documentation
• 🔄 Migration Guide
  • 📋 Index
  • Upgrading to this release — token-version revocation & hashed ephemeral tokens
  • Upgrading to the next release (Unreleased)
  • Upgrading to v5.x
  • Upgrading to v4.x — Config\Auth split
  • General upgrade checklist

Main Features

Authentication

• Multiple Authenticators: Session, Access Token (with scope enforcement), JWT (with refresh tokens), Magic Link

• JWT Access-Token Revocation: users.token_version lets you invalidate every outstanding access token at once — User::revokeIssuedTokens() (“log out everywhere”), fired automatically on ban and password change (JWT)

• TOTP Two-Factor Authentication with backup codes, optional “Trust this device” bypass, brute-force lockout, and single-use (anti-replay) codes (TOTP)

• WebAuthn / Passkeys — passwordless login (usernameless/discoverable) and passkey 2FA, phishing-resistant, opt-in per user behind a global availability flag (WebAuthn)

• Device Session Tracking with optional concurrent-session limit and real, enforced revocation — a revoked session is forced to re-authenticate on the next request (Device Sessions)

• Password Reset + Force Password Reset + optional rotation policy + history (no reuse), with hashed-at-rest magic-link & reset tokens

• OAuth 2.0 / Social Login: Google, GitHub, Facebook, Microsoft Azure, custom profile fields, OAuth events, explicit account linking (oauth/link/(:segment)) and verified-email merge safety (OAuth)

Authorization

• Groups & Permissions (RBAC) with optional persistent cache, uniform wildcard matching (*, posts.*) across user- and group-level permissions, and a Gate → RBAC bridge (gateFallbackToRbac)

• API token scope enforcement (token-scope: filter)

• Per-Route Rate Limiting — rates:<limit>,<period> overrides the global limit for a single route (<period> in seconds or SECOND/MINUTE/HOUR/DAY/WEEK) (Filters)

• Sudo Mode (Password Confirmation) — password-confirm:<seconds> enforces a fresh confirmation on the most sensitive routes, overriding the global window (Filters)

• Flexible Filters: Auth, chain, group, permission, gate, token-scope, password-age, rate limiting (rates), force-reset, password-confirm

Security

• Per-User Account Lockout (atomic) — independent of IP-based blocking, now also applied to TOTP / backup-code verification

• Compromised-Password Recheck on Login (HIBP integration, opt-in)

• Suspicious Login Detection with suspicious-login event for email alerts, plus remember-me theft detection (a mismatched validator purges all of the user’s tokens and fires remember-me-theft)

• Secret-safe login log — Access Token / JWT credentials are stored in auth_logins as a non-reversible SHA-256 fingerprint, never the raw bearer token

• Timing-safe OAuth state validation

Compliance & Operations

• Granular audit log (auth_audit_logs) — 22 canonical event types, filterable CLI

• GDPR helpers — JSON data export + account anonymization

• Admin CLI: auth:tokens revoke, auth:sessions terminate, auth:totp reset, auth:audit, auth:gdpr export|anonymize

• Scheduled Maintenance: auth:purge [--days <n>] — purges expired remember-me tokens and old terminated device sessions; run on a schedule instead of the probabilistic on-login purge (CLI Commands)

• Complete Logging: CI4 Events + database login attempts + audit log

• Highly Customizable: Extend or replace any component

Quick Start

composer require daycry/auth
php spark migrate --all
php spark auth:setup

// Login
$result = auth()->attempt(['email' => 'user@example.com', 'password' => 'secret']);

if ($result->isOK()) {
    return redirect()->to('/dashboard');
}

Documentation Sections

Quick Start Guide

Install and configure Daycry Auth in minutes.

Configuration

Every configuration option explained with examples.

Authentication

Session, Access Token, JWT (with refresh), Magic Link, Password Reset, and more.

OAuth 2.0 & Social Login

Google, GitHub, Facebook, Microsoft Azure — and any OIDC provider. Profile fields, custom resolvers, OAuth events, scopes tracking, explicit account linking, and allowUnverifiedEmailLink merge safety.

TOTP Two-Factor Authentication

Time-based OTP with authenticator apps, brute-force lockout, and single-use anti-replay codes.

Device Sessions

Track and manage active logins across devices, with enforced revocation that forces re-authentication.

Security Filters

Protect routes with authentication and authorization filters, including per-route rate limits (rates:<limit>,<period>) and sudo mode (password-confirm:<seconds>).

Controllers

All included controllers: Login, Register, Password Reset, Force Reset, JWT, UserSecurity.

Authorization

Groups, permissions, permission cache, wildcard matching, the Gate → RBAC bridge, and RBAC patterns.

Logging & Monitoring

CI4 Events, database logs, per-user lockout, and rate limiting.

Testing

Unit and integration testing with authentication mocking.

Additional Resources

• GitHub: daycry/auth

• CodeIgniter 4 Docs: codeigniter4.github.io

• Packagist: packagist.org/packages/daycry/auth

• Issues: github.com/daycry/auth/issues