Download the PHP package betterauth/multimodal-php without Composer
On this page you can find all versions of the php package betterauth/multimodal-php. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download betterauth/multimodal-php
More information about betterauth/multimodal-php
Files in betterauth/multimodal-php
Package multimodal-php
Short Description Framework-agnostic authentication library for PHP — works with Symfony, Laravel, or standalone
License MIT
Informations about the package multimodal-php
BetterAuth Multimodal PHP
Framework-agnostic authentication library for PHP. Session-based, token-based (Paseto V4), or both — works with Symfony, Laravel, or standalone via PDO.
Features
- Three authentication modes — Monolith (session/cookie), API (stateless Paseto V4 tokens), Hybrid (both)
- OAuth social login — Google, GitHub, Facebook, Microsoft, Discord, Twitter, Apple
- OpenID Connect server — act as an SSO provider with authorization code + PKCE
- Magic links — passwordless email authentication
- TOTP 2FA — RFC 6238 with backup codes, SHA-256 default, SHA-1 migration path
- Session security — adaptive risk scoring (IP, device, country, impossible travel)
- Multi-tenancy — organizations, teams, members, invitations
- Plugin system — lifecycle hooks (
user.created,token.created,session.created, …) - PDO storage — 20 ready-to-use repositories, replaceable via interfaces
- Password security — Argon2id hashing, zxcvbn-inspired strength validation, auto-rehash on login
Requirements
- PHP 8.2+
- Extensions:
json,openssl,pdo
Installation
Quick start
Session-based (monolith)
Token-based (API)
Authentication modes
| Mode | Method | Use case |
|---|---|---|
MONOLITH |
Session + cookie | Server-rendered apps (Symfony, Laravel) |
API |
Paseto V4 + refresh token | REST APIs, SPAs, mobile apps |
HYBRID |
Both active | Web frontend + mobile clients sharing the same backend |
OAuth
Supported providers: Google, GitHub, Facebook, Microsoft, Discord, Twitter, Apple.
TOTP two-factor authentication
- SHA-256 by default, SHA-1 fallback for legacy migration
- 10 one-time backup codes (bcrypt-hashed)
- 24h re-verification window
Magic links
- 10-minute token expiry
- Rate-limited (3 requests / 5 minutes)
- Auto-creates users (optional)
- No user enumeration (always returns success)
OpenID Connect server
Act as an SSO provider for your own clients:
Supports PKCE (S256 + plain), scopes (openid, profile, email, offline_access), and ID token claims.
Session security
Adaptive risk scoring on every request:
| Signal | Weight |
|---|---|
| Device type change (Desktop → Mobile) | 30 |
| OS family change | 25 |
| Country change | 40 |
| Impossible travel (< 1h + different country) | 50 |
| IP subnet change | 15 |
| Browser family change | 15 |
Thresholds: 0–24 → allow, 25–49 → log, 50–74 → require reauth, 75+ → terminate session.
Multi-tenancy
Plugin system
Built-in hooks: user.created, user.logged_in, user.logged_out, token.created, session.created, oauth.linked.
Storage
All repositories are interface-based. The library ships with 20 PDO implementations that work with any SQL database (SQLite, MySQL, PostgreSQL, MariaDB).
Replace any repository by implementing the corresponding interface:
| Interface | Purpose |
|---|---|
UserRepositoryInterface |
User CRUD + lookup by email/provider |
SessionRepositoryInterface |
Session lifecycle |
RefreshTokenRepositoryInterface |
Token rotation with atomic consume() |
MagicLinkStorageInterface |
Passwordless tokens |
TotpStorageInterface |
TOTP secrets + backup codes |
OAuthClientRepositoryInterface |
OIDC client credentials |
OrganizationRepositoryInterface |
Multi-tenant organizations |
See src/Interfaces/ for the full list (28 interfaces).
Configuration
AuthConfig exposes all settings as constructor parameters with sensible defaults:
| Setting | Default |
|---|---|
| Session lifetime | 7 days |
| Session absolute lifetime | 30 days |
| Access token lifetime | 1 hour |
| Refresh token lifetime | 30 days |
| Rate limit max attempts | 5 |
| Rate limit decay | 300 seconds |
| Cookie HttpOnly | true |
| Cookie Secure | true |
| Cookie SameSite | Lax |
Security
- Tokens: Paseto V4 local encryption (XChaCha20-Poly1305), keys derived via HKDF
- Passwords: Argon2id only, automatic rehash on login when cost parameters change
- Rate limiting: per-key sliding window via PSR-6 cache (Redis, Memcached, APCu) with in-memory fallback
- Anti-enumeration: timing-safe dummy
password_verify()on user-not-found, silent success on unknown emails - CSRF:
hash_equalsstate validation on OAuth callbacks - Refresh tokens: atomic rotation via
consume()— prevents token reuse
Framework integration
This library provides the authentication core. Framework-specific bundles wire it into DI, routing, and middleware:
| Framework | Package |
|---|---|
| Symfony | betterauth/symfony-bundle |
License
MIT
All versions of multimodal-php with dependencies
ext-json Version *
ext-openssl Version *
ext-pdo Version *
paragonie/paseto Version ^3.1
psr/cache Version ^3.0
psr/log Version ^3.0
psr/event-dispatcher Version ^1.0
ramsey/uuid Version ^4.7