Daycry Auth Documentation

Welcome to the complete documentation for Daycry Auth, a comprehensive authentication and authorization library for CodeIgniter 4.

Getting Started

• Quick Start Guide
  • Requirements
  • Installation
  • Basic Configuration
  • Register Filters
  • Set Up Routes
  • Your First Protected Controller
  • Authentication Helpers
  • What’s Working Now
  • Next Steps
  • Troubleshooting
• ⚙️ Configuration Reference
  • The Configuration Files
  • Database
  • Authenticators
  • Session Authenticator
  • User Settings
  • Password Settings
  • Password Reset
  • Per-User Account Lockout
  • Magic Links
  • Access Tokens
  • JWT Refresh Tokens
  • Logging & Monitoring
  • Authorization Cache
  • Views
  • Redirects
  • Routes
  • Post-Authentication Actions
  • Field Validation Rules
  • OAuth Providers
  • Sessions
  • Trusted Devices (2FA bypass)
  • Compliance & Observability
  • Common Presets
  • Dynamic Configuration

Authentication

• 🔐 Authentication — Complete Guide
  • 📋 Index
  • Session Authenticator
  • Per-User Account Lockout
  • Compromised-Password Recheck on Login
  • Access Token Authenticator
  • JWT Authenticator
  • JWT Refresh Tokens
  • Magic Link Authentication
  • Guest Authenticator
  • Password Reset
  • Force Password Reset
  • Pre-Authentication Events
  • Switching Between Authenticators
  • Custom Authenticators
  • Why HTTP Digest Auth is not supported
• OAuth 2.0 & Social Login
  • Table of Contents
  • How It Works
  • Architecture
  • Installation
  • Configuration
  • Routing
  • Adding Login Buttons
  • Provider Examples
  • Stored Token Data
  • Profile Fields
  • Scopes Granted
  • Refresh Tokens
  • OAuth Events
  • OAuthTokenRepository
  • IdentityType Helper
  • Unlinking a Provider
  • Account Linking Strategy
  • Testing OAuth
• 🔐 TOTP Two-Factor Authentication
  • 📋 Table of Contents
  • How It Works
  • Configuration
  • User Enrollment
  • Login Flow
  • HasTotp Trait Reference
  • Backup Codes
  • Trust This Device
  • UserSecurityController Integration
  • Admin TOTP Reset
  • Disabling TOTP
  • Testing TOTP
  • Security Notes
• 📱 Device Sessions
  • 📋 Table of Contents
  • How It Works
  • Configuration
  • Database Migration
  • Viewing Active Sessions
  • Terminating Sessions
  • Concurrent Session Limit
  • Trusted Devices (2FA bypass)
  • Login Activity Feed
  • UserSecurityController Integration
  • Building a Sessions Management Page
  • New Device Login Notification
  • Admin CLI
  • Testing Device Sessions
  • Security Tips

Controllers & Filters

• 🛡️ Security Filters
  • 📋 Filter Index
  • 🔧 Initial Setup
  • 🔐 Authentication Filters
  • 👥 Authorization Filters
  • 🔗 Chain Filters
  • 📊 Control Filters
  • 🛠️ Advanced Configuration
  • 🎯 Practical Examples
  • 🚨 Error Handling
  • 📈 Monitoring and Debugging
• 🎮 Controllers — Complete Guide
  • 📋 Index
  • BaseAuthController
  • LoginController
  • RegisterController
  • ActionController
  • MagicLinkController
  • PasswordResetController
  • ForcePasswordResetController
  • JwtController
  • UserSecurityController
  • Creating Custom Controllers
  • Best Practices

Authorization & Logging

• 👥 Authorization — Groups & Permissions
  • 📋 Table of Contents
  • Quick Reference
  • Groups
  • Permissions
  • Permission Inheritance
  • Gates & Policies
  • Authorization in Controllers
  • Authorization in Views
  • Route Filters
  • Permission Cache
  • Default Group for New Users
  • Admin Panel
  • Best Practices
• 📊 Logging, Events & Monitoring
  • 📋 Table of Contents
  • CodeIgniter Events
  • Available Events
  • Listening to Events
  • Pre-Authentication Events
  • Suspicious Login Event
  • Database Logging
  • Login Attempt Logging
  • Failed Attempt Blocking
  • Per-User Account Lockout
  • Rate Limiting
  • Audit Log (auth_audit_logs)
  • Monitoring & Querying Logs

Compliance & Operations

• 🛡️ Audit Log & Compliance
  • 📋 Index
  • Audit Log
  • Suspicious Login Detection
  • Compromised-Password Recheck on Login
  • Password History (No Reuse)
  • Password Rotation Policy
  • GDPR Export & Anonymization
  • Quick Configuration Reference
• 🖥️ CLI Commands
  • 📋 Index
  • Setup & Discovery
  • User management
  • Token & session admin
  • Two-factor admin
  • Audit & compliance
  • Cheat sheet

Testing & Reference

• 🧪 Testing Guide
  • 📋 Table of Contents
  • 🏃‍♂️ Quick Start
  • 🧪 Test Categories
  • 🔧 Test Setup
  • 🛡️ Testing Authentication
  • 👥 Testing Authorization
  • 🎛️ Testing Controllers
  • 🔍 Testing Filters
  • 📊 Testing Models
  • 🏗️ Testing Traits
  • 🎯 Testing Best Practices
  • 🚀 Contributing Tests
  • 🔗 Related Documentation
• 🔄 Migration Guide
  • 📋 Index
  • Upgrading to the next release (Unreleased)
  • Upgrading to v5.x
  • Upgrading to v4.x — Config\Auth split
  • General upgrade checklist

Main Features

Authentication

• Multiple Authenticators: Session, Access Token (with scope enforcement), JWT (with refresh tokens), Magic Link

• TOTP Two-Factor Authentication with backup codes and optional “Trust this device” bypass

• Device Session Tracking with optional concurrent-session limit

• Password Reset + Force Password Reset + optional rotation policy + history (no reuse)

• OAuth 2.0 / Social Login: Google, GitHub, Facebook, Microsoft Azure, custom profile fields, OAuth events

Authorization

• Groups & Permissions (RBAC) with optional persistent cache

• API token scope enforcement (token-scope: filter)

• Flexible Filters: Auth, chain, group, permission, token-scope, password-age, rate limiting, force-reset

Security

• Per-User Account Lockout (atomic) — independent of IP-based blocking

• Compromised-Password Recheck on Login (HIBP integration, opt-in)

• Suspicious Login Detection with suspicious-login event for email alerts

• Timing-safe OAuth state validation

Compliance & Operations

• Granular audit log (auth_audit_logs) — 22 canonical event types, filterable CLI

• GDPR helpers — JSON data export + account anonymization

• Admin CLI: auth:tokens revoke, auth:sessions terminate, auth:totp reset, auth:audit, auth:gdpr export|anonymize

• Complete Logging: CI4 Events + database login attempts + audit log

• Highly Customizable: Extend or replace any component

Quick Start

composer require daycry/auth
php spark migrate --all
php spark auth:setup

// Login
$result = auth()->attempt(['email' => 'user@example.com', 'password' => 'secret']);

if ($result->isOK()) {
    return redirect()->to('/dashboard');
}

Documentation Sections

Quick Start Guide

Install and configure Daycry Auth in minutes.

Configuration

Every configuration option explained with examples.

Authentication

Session, Access Token, JWT (with refresh), Magic Link, Password Reset, and more.

OAuth 2.0 & Social Login

Google, GitHub, Facebook, Microsoft Azure — and any OIDC provider. Profile fields, custom resolvers, OAuth events, scopes tracking.

TOTP Two-Factor Authentication

Time-based OTP with authenticator apps.

Device Sessions

Track and manage active logins across devices.

Security Filters

Protect routes with authentication and authorization filters.

Controllers

All included controllers: Login, Register, Password Reset, Force Reset, JWT, UserSecurity.

Authorization

Groups, permissions, permission cache, and RBAC patterns.

Logging & Monitoring

CI4 Events, database logs, per-user lockout, and rate limiting.

Testing

Unit and integration testing with authentication mocking.

Additional Resources

• GitHub: daycry/auth

• CodeIgniter 4 Docs: codeigniter4.github.io

• Packagist: packagist.org/packages/daycry/auth

• Issues: github.com/daycry/auth/issues