Download the PHP package hawksama/module-oauth-security-plus without Composer
On this page you can find all versions of the php package hawksama/module-oauth-security-plus. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Package module-oauth-security-plus
Short Description A not so lightweight Magento 2 module that restricts Admin API token creation to whitelisted IP addresses, enhancing store security.
License OSL-3.0, AFL-3.0
Information about the package module-oauth-security-plus
OAuth Security Plus for Magento 2
A powerful module that whitelists IP addresses for Magento 2 REST and SOAP Admin API token generation. Helps prevent unauthorized API access by ensuring only requests from trusted IPs can create admin tokens.
Why Attackers Try to Steal the Admin Token (OAuth Access Token)
A stolen Admin OAuth Token gives attackers full control over your store, posing serious security risks:
- Order and Customer Data Theft
  - Attackers can extract orders and customer data (emails, phone numbers, addresses).
  - Exposing personal data can lead to GDPR, CCPA, or other compliance violations.
- Fraudulent Order Manipulation
  - Malicious actors may modify product prices or create fake discount rules.
  - They can also manipulate stock levels to disrupt product availability.
- Malicious Code Injection
  - Attackers can use API access to inject malware or redirect customers to malicious sites.
  - This can jeopardize website integrity and user trust.
- Data Deletion or Ransomware
  - They might delete all products, orders, or customer accounts.
  - They may then demand ransom payments to restore the lost data.
- DDoS or API Abuse
  - Repeated API requests can slow down or crash your server, leading to downtime and lost revenue.
In short, securing your API tokens is essential to protecting both your customers and your business.
Overview
This module intercepts OAuth Token creation requests and checks if the requesting IP is on a whitelist. If not, the request is blocked and logged. Key highlights:
- Simple Whitelist Management using CLI commands.
- Logging of unauthorized attempts and IP addresses.
- Caching for fast IP lookups.
Key Features
Feature | Description |
---|---|
OAuth IP Whitelisting | Intercepts admin token requests and checks if the source IP is allowed. |
CLI Management | Quickly add or remove IPs from the whitelist using bin/magento commands. |
Logging & Auditing | Logs both allowed and blocked attempts, storing username & IP for reference. |
Caching for Performance | Minimizes repeated config lookups for quick IP checks. |
Enabled/Disabled | Easily turn the module on or off using config. |
Installation
Install via Composer
The recommended way to install this module is via Composer.
CLI Usage
Example commands:
Use Cases
Production Security
- Restrict OAuth (API) Token Generation: Only whitelisted IPs can generate admin tokens.
Development & Staging
- Block Public Access: Keep staging credentials safe from the public internet.
Auditing & Analytics
- Track Attempts: Log who's creating tokens, from where, and how often.
FAQ
- Does it block the entire Admin login?
  - No, it only blocks admin OAuth (API) token creation. The web-based Admin UI remains unaffected.
- How do I add IPv6 addresses?
  - IPv6 is supported as long as you pass the proper string format. For advanced subnet rules, consider extending the plugin.
- Where is the log file stored?
  - By default, unauthorized attempts are logged in `var/log/api_security_plus.log`.
Technical Details
- Compatibility: Magento 2.4.x
- Code Quality: PHPStan (Level 8), PHPMD, PHP_CodeSniffer (Magento Coding Standard), PHP Magic Number Detector
- Caching: IP addresses are cached for faster lookups, cleared when new IPs are added or removed.
- Technology: Uses a plugin on `AdminTokenServiceInterface::createAdminAccessToken`
- Extendable: You can augment or replace the plugin logic if you need more complex checks.
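To show the plugin approach named above, here is an added illustration (not the module's own code): a hypothetical "before" plugin on `AdminTokenServiceInterface::createAdminAccessToken` that checks the requesting address against an allow-list, logs both outcomes, and also covers the CIDR subnet case the FAQ leaves to an extension. It assumes the class is registered as a `<plugin>` in the module's `etc/di.xml`, that Magento's `RemoteAddress` and a PSR logger are injected, and that the allow-list entries are constructed sample values.

```php
<?php
declare(strict_types=1);
namespace Example\OauthIpGuard\Plugin; // hypothetical namespace, not the module's own
use Magento\Framework\Exception\AuthenticationException;
use Magento\Framework\HTTP\PhpEnvironment\RemoteAddress;
use Magento\Integration\Api\AdminTokenServiceInterface;
use Psr\Log\LoggerInterface;

class RestrictAdminTokenByIp
{
    /** Constructed allow-list; a real module reads it from config. Entries may be IPv4, IPv6 or CIDR. */
    private const ALLOWED = ['203.0.113.10', '2001:db8::1', '198.51.100.0/24'];

    public function __construct(private readonly RemoteAddress $remoteAddress, private readonly LoggerInterface $logger) {}

    /** "before" plugin: runs ahead of createAdminAccessToken(); throwing here stops token issuance. */
    public function beforeCreateAdminAccessToken(AdminTokenServiceInterface $subject, $username, $password): array
    {
        $ip = (string) $this->remoteAddress->getRemoteAddress();
        $context = ['username' => $username, 'ip' => $ip];
        if (!$this->isAllowed($ip)) {
            $this->logger->warning('Admin token request blocked by IP allow-list', $context);
            throw new AuthenticationException(__('Admin token creation is not permitted from this address.'));
        }
        $this->logger->info('Admin token request allowed by IP allow-list', $context);
        return [$username, $password]; // pass the original arguments through unchanged
    }

    /** Compares packed (binary) addresses, so IPv6 notation variants and CIDR prefixes match correctly. */
    private function isAllowed(string $ip): bool
    {
        $packed = @inet_pton($ip);
        if ($packed === false) {
            return false; // empty or unparsable address: fail closed
        }
        foreach (self::ALLOWED as $entry) {
            [$net, $bits] = array_pad(explode('/', $entry, 2), 2, null);
            $netPacked = @inet_pton($net);
            if ($netPacked === false || strlen($netPacked) !== strlen($packed)) {
                continue; // malformed entry or different address family: cannot match
            }
            $bits = min($bits === null ? PHP_INT_MAX : (int) $bits, strlen($packed) * 8); // bare address = exact match
            $full = intdiv($bits, 8);
            $rem = $bits % 8;
            if (substr($packed, 0, $full) === substr($netPacked, 0, $full)
                && ($rem === 0 || ((ord($packed[$full]) ^ ord($netPacked[$full])) & (0xFF << (8 - $rem))) === 0)) {
                return true;
            }
        }
        return false;
    }
}
```

Behind a reverse proxy or CDN, `getRemoteAddress()` returns the proxy's address unless `RemoteAddress` is configured with the forwarding header your trusted proxy sets; do not accept `X-Forwarded-For` from arbitrary clients, or the allow-list can be satisfied by a spoofed header.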
Support & Contribution
- Issues: GitHub Issues (if available)
- Email: [email protected]
- Contributions: Pull requests welcome! Please follow Magento & PSR standards.
Protect your Magento 2 store by limiting OAuth Admin Token generation to trusted IPs: simple, fast, and secure.
All versions of module-oauth-security-plus with dependencies
- magento/module-integration Version 100.4.*
- hawksama/magento2-admin-menu Version ^1.0