Download the PHP package padosoft/laravel-rebel-core without Composer

On this page you can find all versions of the php package padosoft/laravel-rebel-core. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package laravel-rebel-core

Laravel Rebel — Core

*The heart of the `padosoft/laravel-rebel-ecosystem: an enterprise authentication _control plane_ for Laravel** (passwordless OTP, passkey-first, risk-based step-up, SCA, multi-tenant, admin, AI). This-core` package contains the shared "building blocks" (value objects, contracts, assurance, audit, hashing) that all the others rest on.

Laravel 12|13 PHP 8.3+ PHPStan max Pest 4 MIT

If this is the first time you see this project, start here: this README explains the WHOLE ecosystem to you.


Table of contents


What Laravel Rebel is (in 1 minute)

Laravel already has Fortify (login, registration, password reset, TOTP 2FA, passkey). Rebel does not replace it: it sits on top and adds what an enterprise/ecommerce product needs:

Everything is split into small, composable packages: you use only what you need.

In one line: Rebel turns Laravel Fortify into an enterprise authentication control plane.


Glossary (for those who are not auth experts)

Term Plain meaning
OTP "One-Time Password": a single-use code (e.g. 6 digits) sent via email/SMS.
Passwordless Login without a password: you prove it's you with an OTP or a passkey.
Passkey / FIDO2 / WebAuthn A cryptographic credential bound to your device (fingerprint/Face ID/key). It is phishing-resistant.
Phishing-resistant Not replayable on a scam site. Only passkeys are (OTP/SMS are not).
Step-up Raising the verification level for a single sensitive action, not for the whole login.
AAL (1/2/3) "Authenticator Assurance Level" (NIST): how strong the authentication is. AAL1 = 1 factor, AAL2 = 2 factors, AAL3 = hardware.
AMR "Authentication Methods References": how you authenticated (e.g. ['webauthn'], ['otp','email']).
Dynamic linking (PSD2/SCA) The payment confirmation is bound to amount + payee: if they change, it expires.
Pepper A server-side secret key used for the HMACs (so stored email/IP are not reversible).
Tenant A "tenant" in a multi-customer system (e.g. site/brand/country of an ecommerce).

The suite: all the packages

Package What it's for What it does NOT do
laravel-rebel-core (this one) Value objects, contracts, assurance, audit, shared hashing No routes/UI; no Fortify/Twilio/AI
laravel-rebel-email-otp Passwordless email-OTP login (web + mobile/Sanctum) Does not handle SMS (see channels)
laravel-rebel-bridge-fortify Uses Fortify (password-confirm, passkey, TOTP) as a driver + passkey-first login Does not reimplement Fortify
laravel-rebel-step-up Step-up per action/purpose, risk-based, with SCA dynamic linking It is not the login (it's the confirmation of an action)
laravel-rebel-channels Channel/provider abstraction + anti toll-fraud/IRSF + bot gate Not tied to a specific provider
laravel-rebel-channel-twilio Twilio provider (SMS/WhatsApp/Voice, Verify, webhook)
laravel-rebel-recovery High-assurance account recovery + recovery codes
laravel-rebel-sessions Device/session, "log out everywhere", refresh rotation
laravel-rebel-admin-api JSON API control plane (metrics, audit, anomalies) No UI (API only)
laravel-rebel-admin Web Admin Panel (Blade + AJAX + vanilla JS)
laravel-rebel-ai-guard Anomaly detection + AI copilot (explains, does not decide) Does not make destructive decisions on its own
laravel-rebel-auth Meta-package: installs the recommended bundle No business logic

How they fit together (dependency DAG)

Rules: the core does not depend on Fortify/Twilio/AI. The admin works without ai-guard. The fortify_password_confirm is web-only (mobile uses a token-native step-up).


Web Admin Panel

The suite includes a web administration panel (package laravel-rebel-admin) — Blade + AJAX + vanilla JS, with no mandatory JS framework — to monitor login/OTP/step-up, provider health, audit, anomalies and compliance.


What this package does (-core)

The core is small and stable: it defines the shared "language". It contains:


Why Rebel Core vs. the alternatives

There is no drop-in package that gives you a shared auth "core" / contracts layer with first-class NIST assurance, keyed hashing with rotation and built-in audit redaction. The realistic alternatives are: building these primitives by hand, relying on framework-native auth only, or pulling in a heavier all-in-one bundle. Here is how they compare for a shared core that the rest of an auth suite can build on.

Capability Rebel Core Shopify Hand-rolled primitives Fortify (framework-native) Spatie permission/multitenancy
First-class NIST AAL/AMR assurance model
satisfies() guard (blocks email-OTP on phishing-resistant purposes)
Keyed HMAC hashing with versioned pepper + rotation
Audit trail with automatic secret redaction
GDPR-safe IP/UA stored as keyed HMAC (never cleartext)
Web/mobile LoginResult + Sanctum TokenPair contract
Per-tenant isolation trait + safe queue worker reset
PSR-20 testable Clock for OTP/step-up expirations
Stable contracts to swap implementations (channels, risk, sessions)
validate-config fail-fast command for CI
Zero hard dependency on Fortify/Twilio/AI
Login/registration/password-reset screens ❌ (by design)

Legend: ✅ built-in · ➖ partial / hosted-only / not exposed to you · ❌ not available. Note on Shopify: it is a hosted, closed commerce platform — you can't self-host it, extend its auth internals, or reuse these low-level primitives in your own Laravel app; it's a black box you don't control, so most developer-facing rows are ❌/➖.

Honest take: Fortify and the Spatie packages are excellent at what they do — Fortify ships the actual auth screens, Spatie handles permissions/multitenancy. Rebel Core is not competing on those; it provides the assurance/audit/hashing/contracts substrate they don't, and it stays unopinionated so you can layer the rest of the suite (or Fortify itself, via bridge-fortify) on top.


End-to-end flows (narrated examples)

1) Passwordless login (ecommerce customer)

2) B2B credit order (step-up + SCA)

3) Account recovery (the most delicate point)


Installation (junior-proof)

You usually don't install -core on its own: it comes as a dependency of the other packages. But you can use it stand-alone for its value objects/contracts.

1. Require the package

2. Publish the config (optional)

3. Set the pepper in .env (secret key for the HMACs)

4. (If you use the audit) run the migrations

5. Validate the config

Done. Now the contracts/value objects are available.


Configuration (every option explained)

File: config/rebel-core.php

Key Default What it does When to change it
peppers [1 => env('REBEL_PEPPER_V1')] Map version => secret for the HMACs Add a version to rotate the pepper
pepper_current 1 Version used for new hashes When you rotate, set the new version
hmac_algo sha256 HMAC algorithm Rarely; it must be supported by PHP
hash_ip true Stores the IP as an HMAC (never in cleartext) Leave it true for GDPR
hash_user_agent true Stores the User-Agent as an HMAC Leave it true for GDPR
audit.mode sync How events are written: sync (inline) or queue (a job per event) Set queue for high volume / enterprise
audit.connection / audit.queue null Queue connection + name for mode=queue (Horizon-compatible) Point at a dedicated audit queue
geo.enabled true Record the request country on every event Disable if you don't want geo
geo.country_header CF-IPCountry Request header the country is read from Point at your proxy's header (Cloudflare sets CF-IPCountry)

Audit dispatch (sync vs queued) — capture is turnkey, you choose how/where. Every package in the suite records through the same AuditLogger contract, which always persists to rebel_auth_events (never just in session). By default the write is synchronous; for high-volume / enterprise workloads, switch to a queued write (works directly with Horizon and any Laravel queue) — the event is fully enriched (country, etc.) before it is queued, so nothing is lost:

The destination is the bound AuditLogger / DatabaseAuditLogger (table + DB connection) — rebind it to send the trail anywhere you like.

Country enrichment. The audit records the request country (ISO 3166-1 alpha-2), read from a request header. Put Cloudflare in front and it sets CF-IPCountry for you (clean, accurate, no extra service); behind another proxy, point geo.country_header at whatever it sets.

Pepper rotation (example):


Usage examples

Identifiers (normalization + masking)

Keyed hashing (with rotation)

Assurance (the central security rule)

SecurityContext from a request

Audit (with automatic secret redaction)

Tenancy (per-tenant isolation)

Testable time (PSR-20 Clock)


Compliance

Rebel is designed by-design on recognized standards (details in the ADRs/docs/):

See docs/adr/ADR-0005-design-lock.md.


🔋 Vibe coding with batteries included

This package ships AI batteries — so you (and your AI agent) can extend it correctly on the first try:

Open the repo in your AI editor and just start — the rules, guardrails and extension recipes come with it. PRs that follow the shipped CLAUDE.md pass CI (PHPStan max + Pest + Pint) and review the first time around.


Testing


License

MIT — see LICENSE. © Padosoft.


All versions of laravel-rebel-core with dependencies

PHP Build Version
Package Version
Requires php Version ^8.3
illuminate/contracts Version ^12.0|^13.0
illuminate/support Version ^12.0|^13.0
psr/clock Version ^1.0
spatie/laravel-package-tools Version ^1.92
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package padosoft/laravel-rebel-core contains the following files

Loading the files please wait ...