Download the PHP package padosoft/laravel-rebel-core without Composer
On this page you can find all versions of the php package padosoft/laravel-rebel-core. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download padosoft/laravel-rebel-core
More information about padosoft/laravel-rebel-core
Files in padosoft/laravel-rebel-core
Package laravel-rebel-core
Short Description Core primitives, value objects and contracts for Laravel Rebel: the enterprise authentication control plane (AAL/AMR assurance, security context, audit, Sanctum tokens, rate-limiting). The entry point of the padosoft/laravel-rebel-* ecosystem.
License MIT
Homepage https://github.com/padosoft/laravel-rebel-core
Informations about the package laravel-rebel-core
Laravel Rebel — Core
*The heart of the `padosoft/laravel-rebel-
ecosystem: an enterprise authentication _control plane_ for Laravel** (passwordless OTP, passkey-first, risk-based step-up, SCA, multi-tenant, admin, AI). This-core` package contains the shared "building blocks" (value objects, contracts, assurance, audit, hashing) that all the others rest on.
If this is the first time you see this project, start here: this README explains the WHOLE ecosystem to you.
Table of contents
- What Laravel Rebel is (in 1 minute)
- Glossary (for those who are not auth experts)
- The suite: all the packages
- How they fit together (dependency DAG)
- Web Admin Panel
- What this package does (
-core) - Why Rebel Core vs. the alternatives
- End-to-end flows (narrated examples)
- Installation (junior-proof)
- Configuration (every option explained)
- Usage examples
- Compliance
- Testing
- License
What Laravel Rebel is (in 1 minute)
Laravel already has Fortify (login, registration, password reset, TOTP 2FA, passkey). Rebel does not replace it: it sits on top and adds what an enterprise/ecommerce product needs:
- passwordless login (Shopify-style email-OTP) and passkey-first (the most secure);
- step-up: re-prompting for a strong confirmation only for sensitive actions (change email, credit order, download invoice…), with a security level appropriate to the risk;
- SCA / PSD2 dynamic linking for payments / credit orders in the EU;
- SMS/WhatsApp/voice channels with anti-fraud defenses;
- multi-tenant, audit, web admin panel, AI guard.
Everything is split into small, composable packages: you use only what you need.
In one line: Rebel turns Laravel Fortify into an enterprise authentication control plane.
Glossary (for those who are not auth experts)
| Term | Plain meaning |
|---|---|
| OTP | "One-Time Password": a single-use code (e.g. 6 digits) sent via email/SMS. |
| Passwordless | Login without a password: you prove it's you with an OTP or a passkey. |
| Passkey / FIDO2 / WebAuthn | A cryptographic credential bound to your device (fingerprint/Face ID/key). It is phishing-resistant. |
| Phishing-resistant | Not replayable on a scam site. Only passkeys are (OTP/SMS are not). |
| Step-up | Raising the verification level for a single sensitive action, not for the whole login. |
| AAL (1/2/3) | "Authenticator Assurance Level" (NIST): how strong the authentication is. AAL1 = 1 factor, AAL2 = 2 factors, AAL3 = hardware. |
| AMR | "Authentication Methods References": how you authenticated (e.g. ['webauthn'], ['otp','email']). |
| Dynamic linking (PSD2/SCA) | The payment confirmation is bound to amount + payee: if they change, it expires. |
| Pepper | A server-side secret key used for the HMACs (so stored email/IP are not reversible). |
| Tenant | A "tenant" in a multi-customer system (e.g. site/brand/country of an ecommerce). |
The suite: all the packages
| Package | What it's for | What it does NOT do |
|---|---|---|
laravel-rebel-core (this one) |
Value objects, contracts, assurance, audit, shared hashing | No routes/UI; no Fortify/Twilio/AI |
laravel-rebel-email-otp |
Passwordless email-OTP login (web + mobile/Sanctum) | Does not handle SMS (see channels) |
laravel-rebel-bridge-fortify |
Uses Fortify (password-confirm, passkey, TOTP) as a driver + passkey-first login | Does not reimplement Fortify |
laravel-rebel-step-up |
Step-up per action/purpose, risk-based, with SCA dynamic linking | It is not the login (it's the confirmation of an action) |
laravel-rebel-channels |
Channel/provider abstraction + anti toll-fraud/IRSF + bot gate | Not tied to a specific provider |
laravel-rebel-channel-twilio |
Twilio provider (SMS/WhatsApp/Voice, Verify, webhook) | — |
laravel-rebel-recovery |
High-assurance account recovery + recovery codes | — |
laravel-rebel-sessions |
Device/session, "log out everywhere", refresh rotation | — |
laravel-rebel-admin-api |
JSON API control plane (metrics, audit, anomalies) | No UI (API only) |
laravel-rebel-admin |
Web Admin Panel (Blade + AJAX + vanilla JS) | — |
laravel-rebel-ai-guard |
Anomaly detection + AI copilot (explains, does not decide) | Does not make destructive decisions on its own |
laravel-rebel-auth |
Meta-package: installs the recommended bundle | No business logic |
How they fit together (dependency DAG)
Rules: the core does not depend on Fortify/Twilio/AI. The admin works without ai-guard. The fortify_password_confirm is web-only (mobile uses a token-native step-up).
Web Admin Panel
The suite includes a web administration panel (package laravel-rebel-admin) — Blade + AJAX + vanilla JS, with no mandatory JS framework — to monitor login/OTP/step-up, provider health, audit, anomalies and compliance.
What this package does (-core)
The core is small and stable: it defines the shared "language". It contains:
- Identifiers —
EmailIdentifier,PhoneIdentifier,GenericIdentifier: normalize and mask email/phone. - Keyed hashing —
KeyedHasher/HmacKeyedHasher: HMAC with a versioned pepper and rotation (for email/IP/OTP). - Assurance —
Aal,AssuranceLevel: the security model that prevents, for example, an email-OTP (AAL1) from "covering" an action that requires a passkey. - Context —
SecurityContext,TenantContext,DeviceContext: the context of a request (IP/UA already hashed). - Risk —
RiskAssessment,RiskLevel,RecommendedAction. - Auth —
LoginResult(web|token),TokenPair(Sanctum access+refresh). - Audit —
AuditEvent,DatabaseAuditLogger(+rebel_auth_eventstable),Redactor(never OTP/secret in the logs). - Contracts —
TokenIssuer,SubjectResolver,TenantResolver,RiskEvaluator,AuditLogger,SessionRegistry,DeviceTrust,BotProtection,RateLimiter,Clock(PSR-20). - Tenancy —
CurrentTenant+BelongsToTenanttrait (per-tenant isolation). - Config —
php artisan rebel:validate-configcommand (fail-fast in CI).
Why Rebel Core vs. the alternatives
There is no drop-in package that gives you a shared auth "core" / contracts layer with first-class NIST assurance, keyed hashing with rotation and built-in audit redaction. The realistic alternatives are: building these primitives by hand, relying on framework-native auth only, or pulling in a heavier all-in-one bundle. Here is how they compare for a shared core that the rest of an auth suite can build on.
| Capability | Rebel Core | Shopify | Hand-rolled primitives | Fortify (framework-native) | Spatie permission/multitenancy |
|---|---|---|---|---|---|
| First-class NIST AAL/AMR assurance model | ✅ | ❌ | ❌ | ❌ | ❌ |
satisfies() guard (blocks email-OTP on phishing-resistant purposes) |
✅ | ❌ | ❌ | ❌ | ❌ |
| Keyed HMAC hashing with versioned pepper + rotation | ✅ | ❌ | ❌ | ❌ | ❌ |
| Audit trail with automatic secret redaction | ✅ | ➖ | ❌ | ❌ | ❌ |
| GDPR-safe IP/UA stored as keyed HMAC (never cleartext) | ✅ | ❌ | ❌ | ❌ | ❌ |
Web/mobile LoginResult + Sanctum TokenPair contract |
✅ | ❌ | ❌ | ❌ | ❌ |
| Per-tenant isolation trait + safe queue worker reset | ✅ | ❌ | ❌ | ❌ | ✅ |
PSR-20 testable Clock for OTP/step-up expirations |
✅ | ❌ | ❌ | ❌ | ❌ |
| Stable contracts to swap implementations (channels, risk, sessions) | ✅ | ❌ | ❌ | ❌ | ❌ |
validate-config fail-fast command for CI |
✅ | ❌ | ❌ | ❌ | ❌ |
| Zero hard dependency on Fortify/Twilio/AI | ✅ | ➖ | ✅ | ❌ | ✅ |
| Login/registration/password-reset screens | ❌ (by design) | ✅ | ❌ | ✅ | ❌ |
Legend: ✅ built-in · ➖ partial / hosted-only / not exposed to you · ❌ not available. Note on Shopify: it is a hosted, closed commerce platform — you can't self-host it, extend its auth internals, or reuse these low-level primitives in your own Laravel app; it's a black box you don't control, so most developer-facing rows are ❌/➖.
Honest take: Fortify and the Spatie packages are excellent at what they do — Fortify ships the actual auth screens, Spatie handles permissions/multitenancy. Rebel Core is not competing on those; it provides the assurance/audit/hashing/contracts substrate they don't, and it stays unopinionated so you can layer the rest of the suite (or Fortify itself, via
bridge-fortify) on top.
End-to-end flows (narrated examples)
1) Passwordless login (ecommerce customer)
2) B2B credit order (step-up + SCA)
3) Account recovery (the most delicate point)
Installation (junior-proof)
You usually don't install
-coreon its own: it comes as a dependency of the other packages. But you can use it stand-alone for its value objects/contracts.
1. Require the package
2. Publish the config (optional)
3. Set the pepper in .env (secret key for the HMACs)
4. (If you use the audit) run the migrations
5. Validate the config
Done. Now the contracts/value objects are available.
Configuration (every option explained)
File: config/rebel-core.php
| Key | Default | What it does | When to change it |
|---|---|---|---|
peppers |
[1 => env('REBEL_PEPPER_V1')] |
Map version => secret for the HMACs |
Add a version to rotate the pepper |
pepper_current |
1 |
Version used for new hashes | When you rotate, set the new version |
hmac_algo |
sha256 |
HMAC algorithm | Rarely; it must be supported by PHP |
hash_ip |
true |
Stores the IP as an HMAC (never in cleartext) | Leave it true for GDPR |
hash_user_agent |
true |
Stores the User-Agent as an HMAC | Leave it true for GDPR |
audit.mode |
sync |
How events are written: sync (inline) or queue (a job per event) |
Set queue for high volume / enterprise |
audit.connection / audit.queue |
null |
Queue connection + name for mode=queue (Horizon-compatible) |
Point at a dedicated audit queue |
geo.enabled |
true |
Record the request country on every event | Disable if you don't want geo |
geo.country_header |
CF-IPCountry |
Request header the country is read from | Point at your proxy's header (Cloudflare sets CF-IPCountry) |
Audit dispatch (sync vs queued) — capture is turnkey, you choose how/where. Every package in
the suite records through the same AuditLogger contract, which always persists to
rebel_auth_events (never just in session). By default the write is synchronous; for high-volume
/ enterprise workloads, switch to a queued write (works directly with Horizon and any Laravel
queue) — the event is fully enriched (country, etc.) before it is queued, so nothing is lost:
The destination is the bound AuditLogger / DatabaseAuditLogger (table + DB connection) —
rebind it to send the trail anywhere you like.
Country enrichment. The audit records the request country (ISO 3166-1 alpha-2), read from a
request header. Put Cloudflare in front and it sets CF-IPCountry for you (clean, accurate,
no extra service); behind another proxy, point geo.country_header at whatever it sets.
Pepper rotation (example):
Usage examples
Identifiers (normalization + masking)
Keyed hashing (with rotation)
Assurance (the central security rule)
SecurityContext from a request
Audit (with automatic secret redaction)
Tenancy (per-tenant isolation)
Testable time (PSR-20 Clock)
Compliance
Rebel is designed by-design on recognized standards (details in the ADRs/docs/):
- NIST 800-63B-4 — AAL/AMR model; email-OTP = AAL1; SMS = "restricted"; only passkeys are phishing-resistant.
- PSD2 / SCA — dynamic linking for B2B credit orders (does not replace the PSP's 3DS2 for cards).
- GDPR — IP/identifiers as keyed HMAC +
key_version(rotation), log redaction, no PII in cleartext.
See docs/adr/ADR-0005-design-lock.md.
🔋 Vibe coding with batteries included
This package ships AI batteries — so you (and your AI agent) can extend it correctly on the first try:
CLAUDE.md— a concise AI working guide (purpose, conventions, architecture, how to extend, Definition of Done). Plain Markdown, so Claude Code, Cursor, Copilot and Codex all read it.AGENTS.md— the agent/workflow contract (branch → PR → CI → tag/release, the gates)..claude/skills/— invocable skills (at leastrebel-package-dev) encoding the suite's TDD loop, the PHPStan-level-max recipes, the security/telemetry rules, and the release discipline.
Open the repo in your AI editor and just start — the rules, guardrails and extension recipes come
with it. PRs that follow the shipped CLAUDE.md pass CI (PHPStan max + Pest + Pint) and review the
first time around.
Testing
License
MIT — see LICENSE. © Padosoft.
All versions of laravel-rebel-core with dependencies
illuminate/contracts Version ^12.0|^13.0
illuminate/support Version ^12.0|^13.0
psr/clock Version ^1.0
spatie/laravel-package-tools Version ^1.92