 |
VOOZH | about |
|
VOOZH | about |
This document describes the multi-layered security architecture of the Light framework, covering both authentication (verifying user identity) and authorization (enforcing access control). The system implements JWT-based stateless authentication with multiple authentication methods (password, 2FA, WebAuthn, OAuth providers), combined with a role-based access control (RBAC) system for fine-grained permission management.
For information about the User model structure and database fields, see Core Database Models. For session tracking implementation details, see User Model and Sessions. For detailed API documentation of authentication mutations, see AuthController.
The Light framework implements defense-in-depth security with authentication and authorization enforced at multiple layers: request middleware level, GraphQL field level, and business logic level.
Sources: src/Controller/AuthController.php1-636 src/Auth/Service.php1-141 src/Model/User.php1-389 permissions.yml1-16
The authentication process validates user credentials through multiple methods and generates JWT tokens upon successful verification.
Sources: src/Controller/AuthController.php373-456 src/Model/User.php206-227
The Light framework supports four authentication methods that feed into a unified JWT token generation pipeline.
Password-based authentication validates credentials using PHP's password_verify() function with support for modern bcrypt hashes and legacy hash detection.
Implementation: src/Controller/AuthController.php374-456
Key Features:
$5, $6 prefixes) and prompts administrator resetLockout Logic:
User::isAuthLocked() checks:
- Query UserLog for user_id + IP
- Count FAIL results within auth_lockout_duration (default: 15 minutes)
- Lock if failures >= auth_lockout_attempts (default: 5)
Sources: src/Controller/AuthController.php374-456 src/Model/User.php206-227
Time-based one-time password (TOTP) authentication using RFC 6238 standard, compatible with Google Authenticator and other TOTP apps.
Setup Flow:
getMy2FA() to generate new secretupdateMy2FA(secret, code) with first TOTP codeImplementation: src/Controller/AuthController.php497-530
QR Code Generation:
URL format: otpauth://totp/{username}@{host}?secret={secret}
Generated by: Endroid\QrCode\QrCode
Verification:
Light\Security\TwoFactorAuthentication::checkCode()secret field populatedConfig::Value('two_factor_authentication') is trueReset Capability:
Administrators with user.reset2fa permission can reset user's 2FA via reset2FA(user_id) mutation, clearing the secret field.
Sources: src/Controller/AuthController.php31-61 src/Controller/AuthController.php497-530 src/Model/User.php129-144
WebAuthn/FIDO2 support for passwordless authentication using security keys, platform authenticators (Face ID, Windows Hello), or hardware tokens.
Credential Storage:
User::credential field as JSON arrayUser::getWebAuthn() returning array of Light\Type\WebAuthn objectsFlow:
Sources: src/Model/User.php147-158
Integration with three OAuth providers: Google, Microsoft, and Facebook. Each provider follows a similar flow with provider-specific token validation.
Login Flow: src/Controller/AuthController.php303-330
Configuration: Requires Config::Value('authentication_google_client_id')
User Linking:
User::Get(['google' => $payload['sub']])$payload['sub'] in user.google fieldunlinkGoogle() mutation (clears google field)Sources: src/Controller/AuthController.php203-234 src/Controller/AuthController.php303-330
Login Flow: src/Controller/AuthController.php237-267
API Integration:
https://graph.microsoft.com/v1.0/meuser.microsoft fieldConfiguration: Requires Config::Value('authentication_microsoft_client_id')
Sources: src/Controller/AuthController.php188-201 src/Controller/AuthController.php237-267
Login Flow: src/Controller/AuthController.php270-300
API Integration:
https://graph.facebook.com/me?fields=id,name,emailuser.facebook fieldConfiguration: Requires Config::Value('authentication_facebook_app_id')
Sources: src/Controller/AuthController.php121-150 src/Controller/AuthController.php270-300
The Light framework uses dual-token JWT architecture with separate access and refresh tokens.
Access Token:
Refresh Token:
Token Lifetimes:
Config::Value('access_token_expire', 900) seconds (default: 15 minutes)Config::Value('refresh_token_expire', 604800) seconds (default: 7 days)Sources: src/App.php300-350 (from diagram context)
Tokens are stored in HTTP-only cookies with security attributes:
Access Token Cookie:
Refresh Token Cookie:
Security Features:
httponly: true - Prevents JavaScript accesssamesite: Lax - CSRF protectionpath: /refresh_token for refresh token - Limits refresh token exposuresecure flag when HTTPS enabledSources: src/Controller/AuthController.php349-367
JWT validation is performed by Auth\Service class during request processing.
Validation Flow:
Implementation Details:
Token Extraction: src/Auth/Service.php36-48
Priority:
1. Authorization: Bearer {token} header
2. access_token cookie
JWT Decoding: src/Auth/Service.php50-79
Revocation Check: src/Auth/Service.php58-60
View-As Mode: src/Auth/Service.php64-72
payload->view_as exists, loads two users:
$this->user: The user being impersonated$this->org_user: The original authenticated userSources: src/Auth/Service.php28-80
Token revocation is implemented using a hybrid cache + database approach for immediate invalidation with audit trail.
Logout Process: src/Controller/AuthController.php333-370
Individual Session Revocation: src/Model/User.php50-54
Cache Key Format:
revoked_token_{jti}
TTL: refresh_token_expire seconds
This ensures tokens cannot be used after logout even if the JWT hasn't technically expired.
Sources: src/Controller/AuthController.php333-370 src/Model/User.php50-54
Sessions are tracked in the UserLog model with each login creating a unique session record identified by JWT ID (jti).
UserLog Fields:
jti: JWT ID (unique session identifier)user_id: Foreign key to Userlogin_dt: Login timestamplogout_dt: Logout timestamp (NULL for active sessions)result: "SUCCESS" or "FAIL"ip: Client IP addressuser_agent: Browser user agent stringlast_access_time: Updated on each requestActive Sessions Query: src/Model/User.php56-82
Session Data Structure:
Last Access Update: src/Model/User.php201-204
Called automatically during JWT validation in Auth\Service for every authenticated request.
Sources: src/Model/User.php50-82 src/Model/User.php201-204
The Light framework implements role-based access control (RBAC) with permissions defined in YAML configuration and stored in the database.
Sources: permissions.yml1-16 menus.yml1-171 src/Model/User.php297-311
Default Roles (permissions.yml):
| Role | Permissions |
|---|---|
Administrators | * (wildcard - all permissions) |
Power Users | user.list, user.read, user.add, user.delete, user.update, role.list, user.role.add, user.role.remove, user.changePassword, role.getUser |
Everyone | Default role assigned when user has no explicit roles |
Role Assignment: src/Model/User.php297-311
Wildcard Permission:
The Administrators role has * permission, which grants access to all operations. This is checked via:
Sources: permissions.yml1-16 src/Model/User.php297-311 src/Auth/Service.php132-134
The RBAC system provides multiple methods for checking permissions at different layers of the application.
@Logged Annotation: Requires user to be authenticated but no specific permission.
@Right Annotation: Requires specific permission(s) to access field.
Implementation: Enforced by GraphQLite's schema factory during GraphQL query execution. If permission check fails, field access is denied before method executes.
Sources: src/Controller/AuthController.php105-118
User::isGranted(): src/Model/User.php283-291
User::isGrantedRights(): src/Model/User.php268-280
User::getPermissions(): src/Model/User.php188-199
Sources: src/Model/User.php188-199 src/Model/User.php268-291
User::isAllowedPath(): src/Model/User.php96-123
Checks if user can access a specific route path based on menu configuration.
Menu Permission Configuration (menus.yml):
Sources: src/Model/User.php96-123 menus.yml1-171
Auth\Service::isAllowed(): src/Auth/Service.php122-139
Used by GraphQLite to enforce @Right annotations.
Sources: src/Auth/Service.php122-139
The system implements configurable password policies and secure password reset flows.
Configuration:
Config::Value('password_expiration'): Enable/disable expiration (boolean)Config::Value('password_expiration_duration', 90): Days until expiration (default: 90)Enforcement: src/Controller/AuthController.php446-452
User Field:
password_dt: Timestamp of last password changeSources: src/Controller/AuthController.php446-452 src/Controller/AuthController.php64-102
The password reset process uses JWT tokens with embedded verification codes to prevent brute force attacks.
Reset Process:
JWT Payload Structure:
Rate Limiting: src/Controller/AuthController.php541-551
reset_code_attempt_{code_hash}Sources: src/Controller/AuthController.php533-594 src/Controller/AuthController.php596-635
| Feature | Implementation | Location |
|---|---|---|
| Brute Force Protection | IP-based lockout after 5 failed attempts in 15 minutes | src/Model/User.php206-227 |
| Token Revocation | Cache-based blacklist with revoked_token_{jti} keys | src/Controller/AuthController.php333-370 |
| Password Hashing | bcrypt via password_hash(), PASSWORD_DEFAULT | src/Controller/AuthController.php383 |
| JWT Signing | HS256 with $_ENV['JWT_SECRET'] | src/Auth/Service.php51 |
| HTTP-Only Cookies | Prevents XSS token theft | src/Controller/AuthController.php349-367 |
| CSRF Protection | SameSite cookie attribute | src/Controller/AuthController.php356 |
| Session Tracking | Every login/logout logged to UserLog with IP and user agent | src/Model/User.php56-82 |
| 2FA Rate Limiting | 5 attempts per 10 minutes during setup | src/Controller/AuthController.php33-39 |
| Password Reset Rate Limiting | 5 code verification attempts | src/Controller/AuthController.php541-551 |
| Role Inheritance | Wildcard * permission for Administrators | permissions.yml1-3 |
| Field-Level Authorization | @Right annotations on GraphQL fields | src/Controller/AuthController.php107 |
Sources: Multiple files as cited above.
Refresh this wiki