Download the PHP package micro-module/ist-auth-bundle without Composer

On this page you can find all versions of the php package micro-module/ist-auth-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you only need a single include, require_once('vendor/autoload.php');. After that, import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries, since an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access such packages. Please use the auth.json textarea to enter the credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting environments are not accessible via a terminal or SSH, so Composer cannot be used there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which are sometimes not available on a simple webspace.
  • If you are using private repositories, you don't need to share your credentials. You can set everything up on our site and then provide a simple download link to your team members.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as a binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package ist-auth-bundle

micro-module/ist-auth-bundle

Pure HttpKernel JWT/IST authentication bundle for Symfony 8.


Validates Inter-Service Tokens (IST — JWT HS256) via pure symfony/http-kernel event listeners. No symfony/security-bundle, no UserInterface, no Voter, no firewall YAML.

Designed for inter-microservice authentication where a monolith (or any upstream service) mints short-lived HS256 JWTs and downstream microservices validate them per request without pulling in the full Symfony security stack.


Why this bundle exists

symfony/security-bundle is designed for session-based user authentication. For stateless service-to-service JWTs it brings significant complexity (firewalls, authenticators, passports, voters, user providers) and couples every consumer to a heavy authentication lifecycle.

This bundle takes the opposite approach:

Total production footprint: ~40 classes, ~3,500 LOC.


Features

Area                   Capability
JWT validation         HS256-pinned, typ=IST enforced, 8KB payload cap, JSON depth ≤8, hash_equals via firebase/php-jwt
Algorithm confusion    Pre-decode alg === 'HS256' check, segment base64url regex, RSA-pubkey-as-HMAC defence (TG-01)
Policy engine          PCRE route-name matching, fail-safe REQUIRED default, 4 auth levels (None, Required, ExhibitorOwner, Admin)
Admin resolution       3 strategies (allowlist, claim, audience-based) selectable via config
Resource ownership     Consumer-implemented ResourceOwnershipCheckerInterface port
Sub-request isolation  RequestStack depth ≤3, strips Authorization header, resets state
Bypass routes          Byte-anchored regex on _route name only (no path traversal)
Error envelopes        ER-1 (401) / ER-2 (403) from enum reasons — never $exception->getMessage()
Observability          Correlation-ID propagator, Monolog JWT redactor, Prometheus metrics, OTel span attrs
Anti-replay            Optional JTI guard with Redis + in-memory stores (opt-in via anti_replay.enabled)
OpenAPI                Auto-declares bearerAuth scheme via Nelmio post-processor
Audit                  Dedicated security Monolog channel for SIEM

Requirements


Installation

Register the bundle in config/bundles.php:


Configuration

Create config/packages/ist_auth.yaml:

Environment variables:

Fail-safe default: routes not matched by any route_policies entry are treated as REQUIRED. Unknown paths never default to public.


Usage

Reading the principal in a controller

Type-hint the principal argument — the bundle's argument resolver injects the correct instance:

Per-controller policy override (optional)

Attribute values merge with config policies; config wins on conflict.

Implementing resource ownership

Consumers provide a thin adapter in their own Infrastructure layer:

Register the alias (or tag autowire: true):


Architecture

Listener topology (priorities are locked)

Priority        Event             Listener                       Purpose
128             kernel.request    BypassRouteListener            Match _route name against bypass regex; skip auth
96              kernel.request    SubRequestIsolationListener    Reset state on sub-requests, cap depth at 3, strip Authorization
64              kernel.request    IstAuthenticationListener      Extract Bearer, validate JWT, write PrincipalState
32              kernel.request    IstAuthorizationListener       Match route policy, enforce level + ownership
PHP_INT_MAX/2   kernel.exception  IstExceptionListener           Map validation/authz exceptions → ER-1 / ER-2
-10             kernel.response   CorrelationIdResponseListener  Echo X-Correlation-Id header

Canary tests (ListenerPriorityCanaryTest) use EventDispatcher::getListenerPriority() to lock these priorities — any drift is a merge blocker.
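The byte-anchoring that BypassRouteListener and the correlation-ID propagator depend on, as an added example that is not the bundle's code: the \A...\z correlation-ID pattern the README specifies next to the ^...$ form it rules out, plus a bypass check keyed on the resolved _route name. The function names, bypass patterns and route names are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not the bundle's code: why the README anchors its regexes with \A..\z (byte
// anchors) instead of ^..$, and why bypass matching keys on the resolved _route name.
const CORRELATION_ID_RE       = '/\A[A-Za-z0-9_-]{1,128}\z/';  // the pattern the README specifies
const CORRELATION_ID_RE_LOOSE = '/^[A-Za-z0-9_-]{1,128}$/';    // same class, line anchors: do not use

/** Reflect the client's correlation ID only when it passes the strict pattern; otherwise mint one. */
function resolveCorrelationId(?string $incoming): string {
    if ($incoming !== null && preg_match(CORRELATION_ID_RE, $incoming) === 1) {
        return $incoming;
    }
    return bin2hex(random_bytes(16));
}

/** Bypass decision on Symfony's resolved _route attribute, never on the raw request path. */
function isBypassRoute(?string $routeName, array $bypassPatterns): bool {
    if ($routeName === null) {          // nothing matched: fail safe, authentication still required
        return false;
    }
    foreach ($bypassPatterns as $re) {
        if (preg_match($re, $routeName) === 1) {
            return true;
        }
    }
    return false;
}

function expect(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Without the D modifier, PCRE's "$" also matches just before a final "\n", so the loose pattern
// accepts "abc\n" and the newline would be reflected into the echoed X-Correlation-Id header.
$hostile = "abc\n";
expect(preg_match(CORRELATION_ID_RE_LOOSE, $hostile) === 1, 'loose pattern lets a trailing newline through');
expect(preg_match(CORRELATION_ID_RE, $hostile) === 0, '\z rejects the trailing newline');
expect(resolveCorrelationId($hostile) !== $hostile, 'hostile id is replaced, not echoed');
expect(resolveCorrelationId('req-7f3a') === 'req-7f3a', 'well-formed id is echoed unchanged');

// Constructed bypass list: anchored names stop health_check_admin from riding on health_check.
$bypass = ['/\Ahealth_check\z/', '/\Aapi_doc_.+\z/'];
expect(isBypassRoute('health_check', $bypass), 'exact route name is bypassed');
expect(!isBypassRoute('health_check_admin', $bypass), 'prefix-sharing route is not bypassed');
expect(isBypassRoute('api_doc_json', $bypass), 'pattern with a tail matches');
expect(!isBypassRoute(null, $bypass), 'unrouted request is never bypassed');
echo "anchoring checks passed\n";
```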

Layer structure

Enforced by depfile.yaml (Deptrac):


Security invariants

The following are enforced by tests and CI scripts — any violation is a merge blocker:

  1. Algorithm pinning: alg === 'HS256' strict equality before signature verification (src/Domain/Validator/)
  2. Segment base64url validation before json_decode (defeats byte injection, scripts/ci/no-raw-jwt.sh)
  3. hash_equals via firebase/php-jwt — never rolled locally
  4. Payload ≤ 8KB, JSON depth ≤ 8 — DoS defence
  5. Secrets ≥ 43 base64url chars — boot-time fail-to-start
  6. typ === 'IST' strict, case-sensitive
  7. No $e->getMessage() in error envelopes (SR-7, scripts/ci/forbidden-getmessage.sh)
  8. Raw JWT never logged: AuthorizationHeaderRedactor Monolog processor
  9. Correlation-ID sanitized with \A[A-Za-z0-9_-]{1,128}\z (byte-anchored, not ^…$)
  10. Bypass matches _route name only — never raw paths

See tests/Unit/Domain/Validator/ for the full algorithm-confusion matrix (lowercase alg, none, RS256, RS384, RS512, ES256, PS256 — all rejected).
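The validation order that the Features table and invariants 1 to 6 describe, as an added example that is not the bundle's code: it uses plain hash_hmac()/hash_equals() instead of firebase/php-jwt so it runs stand-alone, and the function names, reason codes, secret and test vectors (including the confusion cases from the matrix above) are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not the bundle's code: the pre-decode checks listed in the README, written
// against plain hash_hmac()/hash_equals() so it runs without firebase/php-jwt installed.
const MAX_PAYLOAD_BYTES = 8192;                   // "8KB payload cap"
const MAX_JSON_DEPTH    = 8;                      // "JSON depth <= 8"
const MIN_SECRET_CHARS  = 43;                     // "Secrets >= 43 base64url chars"
const SEGMENT_RE = '/\A[A-Za-z0-9_-]+\z/';       // byte-anchored: ^..$ would accept a trailing "\n"
function b64url(string $bin): string { return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); }
function unb64url(string $s): string {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode(strtr($s, '-_', '+/') . $pad, true);   // '' on invalid input
}
/** Returns null when the token is acceptable, otherwise a fixed reason code (never token contents). */
function validateIst(string $jwt, string $secret): ?string {
    if (strlen($secret) < MIN_SECRET_CHARS) return 'WEAK_SECRET';       // the bundle refuses to boot
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return 'MALFORMED';
    foreach ($parts as $p) { if (preg_match(SEGMENT_RE, $p) !== 1) return 'BAD_SEGMENT'; }
    [$h64, $p64, $s64] = $parts;
    if (strlen($p64) > MAX_PAYLOAD_BYTES) return 'PAYLOAD_TOO_LARGE';
    $header = json_decode(unb64url($h64), true, MAX_JSON_DEPTH);
    if (!is_array($header)) return 'BAD_HEADER';
    // Pin alg before any signature work: "none", "hs256", RS256, or an RSA public key offered as
    // the HMAC secret never reach the verify step.
    if (($header['alg'] ?? null) !== 'HS256') return 'ALG_NOT_PINNED';
    if (($header['typ'] ?? null) !== 'IST') return 'WRONG_TYP';         // strict, case-sensitive
    $expected = hash_hmac('sha256', "$h64.$p64", $secret, true);
    if (!hash_equals($expected, unb64url($s64))) return 'BAD_SIGNATURE'; // constant-time compare
    $payload = json_decode(unb64url($p64), true, MAX_JSON_DEPTH);         // null when deeper than 8
    if (!is_array($payload)) return 'BAD_PAYLOAD';
    if (!is_int($payload['exp'] ?? null) || $payload['exp'] <= time()) return 'EXPIRED';
    return null;
}
function mint(array $header, array $payload, string $secret): string {
    $h64 = b64url(json_encode($header)); $p64 = b64url(json_encode($payload));
    return "$h64.$p64." . b64url(hash_hmac('sha256', "$h64.$p64", $secret, true));
}

// Constructed vectors: one good token plus the confusion cases the README's test matrix names.
$secret = str_repeat('k', 43);                    // placeholder; a real secret is random bytes
$claims = ['sub' => 'svc-orders', 'exp' => time() + 60];
$cases = [
    'valid'     => mint(['alg' => 'HS256', 'typ' => 'IST'], $claims, $secret),
    'alg none'  => mint(['alg' => 'none',  'typ' => 'IST'], $claims, $secret),
    'lowercase' => mint(['alg' => 'hs256', 'typ' => 'IST'], $claims, $secret),
    'RS256'     => mint(['alg' => 'RS256', 'typ' => 'IST'], $claims, $secret),
    'typ JWT'   => mint(['alg' => 'HS256', 'typ' => 'JWT'], $claims, $secret),
    'wrong key' => mint(['alg' => 'HS256', 'typ' => 'IST'], $claims, str_repeat('z', 43)),
];
foreach ($cases as $name => $jwt) { printf("%-10s %s\n", $name, validateIst($jwt, $secret) ?? 'OK'); }
```

Only the first case should print OK; every other case is stopped at the header or signature stage before any claim is trusted.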


Development

All commands run from the bundle repo root:


Local development with a consumer service

When developing the bundle alongside a consuming project, use Composer's path repository feature:

Note the per-package preferred-install override — without it, a global "dist" setting silently converts the symlink into a copy.


Versioning

Development tags:

v1.0.0 ships after full GATE-9G verification (24 acceptance criteria


License

MIT. See LICENSE.


Contributing

Issues and pull requests welcome at https://github.com/temafey/micro_modules_ist_auth_bundle.

Security reports: follow the coordinated disclosure protocol documented in SECURITY.md (7-day triage SLA).


All versions of ist-auth-bundle with dependencies

Requires:
  php                            ^8.4
  firebase/php-jwt               ^7.0
  monolog/monolog                ^3.0
  open-telemetry/api             ^1.0
  predis/predis                  ^2.2 || ^3.0
  psr/log                        ^3.0
  symfony/config                 ^8.0
  symfony/dependency-injection   ^8.0
  symfony/http-foundation        ^8.0
  symfony/http-kernel            ^8.0
