Download the PHP package univeros/polaris without Composer

On this page you can find all versions of the php package univeros/polaris. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package polaris

Polaris

Authentication, MFA & user management for the Univeros framework. One line in config/modules.php — a complete, production-grade identity stack.

PHP Univeros module Multi-tenant MFA Status

Polaris is the official authentication & user-management module for Univeros / Altair applications. A host registers one class and the app gains email-verified login, JWT access tokens with rotating refresh tokens, multi-factor authentication (TOTP/QR, SMS, email), single-use recovery codes, multi-tenant organizations with role-based access control, and a hardened security posture — contributed as routes, Cycle entities, migrations, and middleware with no further host wiring.

The name is the idea: Polaris is the fixed star your application's identity navigates by.


Why Polaris


Features

Area What you get
Authentication Register, email verification, password login, /auth/me, logout / logout-all
Tokens Asymmetric JWT access tokens (RS256/EdDSA) + opaque rotating refresh tokens with reuse detection; JWKS endpoint
Sessions Per-device session list, individual + global revocation
MFA / OTP TOTP (QR), SMS OTP, email OTP, recovery codes, login-MFA gate, step-up
Passwords Argon2id, policy enforcement, breached-password hook, reset & change (logout-everywhere)
Multi-tenant RBAC Organizations, memberships, roles, permissions, invitations, org switching
Authorization Declarative permission guard middleware + a programmatic Gate with policies
Security Rate limiting, account lockout, anti-enumeration, audit log, key rotation
Ops PSR-14 domain events, notification fan-out, transient-row pruning, observability

Quick start

Provide the secrets (env / secret manager):

Apply the migrations and verify:

That single registration contributes every /auth, /users, and /orgs route, the entities, the migrations, the auth/authorization middleware, and the container bindings. Bind production SMS/email providers in your host container when you're ready — Polaris ships dev (log) drivers so flows work out of the box.


How it works

Every endpoint follows the framework's Action → Input → Domain → Responder shape, and Polaris plugs into the framework's existing auth seams rather than replacing them:

Login returns a short-lived JWT access token plus a rotating refresh token; presenting an already-rotated refresh token is treated as theft and revokes the entire token family.


API surface

A representative slice (full catalog in docs/auth/api-reference.md):

Method Path Purpose
POST /auth/register Create account, send verification
POST /auth/login Password login → tokens or MFA challenge
POST /auth/token/refresh Rotate refresh → new access + refresh
POST /auth/mfa/totp/enroll Start TOTP enrollment → secret + QR
POST /auth/mfa/verify Complete MFA → tokens
GET /auth/sessions List active devices/sessions
POST /orgs Create an organization (creator → owner)
POST /orgs/{id}/invites Invite a member
POST /auth/switch-org Switch active org → re-scoped token

Versioning & mounting are the host's responsibility. Polaris contributes relative, unversioned routes; the host front controller mounts them under whatever scheme (e.g. a /v1 prefix) it uses for its own surface.

Endpoints are generated from YAML specs under api/ via bin/altair spec:scaffold.


Multi-factor authentication

Three factor types, one uniform verification flow:

SMS and email delivery are provider-agnostic ports — bind Twilio, Vonage, SES, SMTP, or anything else; dev Log drivers ship in the box. Details in docs/auth/mfa-otp.md.


Multi-tenant RBAC

Identity is global; authority is scoped to an organization:

Org creators become owner; admin/member templates are seeded per org and fully customizable. The access token carries the active org and resolved roles, so authorization is mostly stateless; an AuthorizationMiddleware enforces per-endpoint permissions and a Gate handles the rules permissions can't express (last-owner protection, role hierarchy). Cross-tenant access is denied by design. See docs/auth/rbac.md.


Security

Polaris follows established standards — JWT (RFC 7519), JWKS (RFC 7517), TOTP (RFC 6238), OAuth 2.0 refresh semantics + Security BCP (RFC 9700), Problem Details (RFC 9457), and OWASP ASVS for password storage. Secrets are never stored in plaintext (hashed or encrypted at rest), comparisons are constant-time, and signing keys are asymmetric with kid-based rotation. Full threat model in docs/auth/security.md.


Documentation

The complete, authoritative specification lives in docs/auth/:

Doc Contents
README Overview, goals, framework integration
data-model Entities, tables, relationships, migrations
flows Register, login, refresh rotation, sessions, password
mfa-otp TOTP/QR, SMS, email, recovery, step-up
rbac Orgs, memberships, roles, permissions, guard
api-reference Full endpoint catalog + error format
security Threat model, crypto, key management
configuration Config schema, env, bindings, deps
events PSR-14 domain events
testing Test strategy + acceptance criteria
implementation-plan Phased build order

Agent-oriented orientation is in AGENT.md.


Roadmap & status

Polaris is in active development, built in five phases tracked on GitHub:

Phase Milestone
0 — Foundation identity, config/secrets, deps, CI
1 — Identity core register, login, JWT + rotating refresh, sessions
2 — MFA & OTP TOTP/QR, SMS, email, recovery, step-up
3 — Multi-tenant RBAC orgs, roles, permissions, invitations
4 — Hardening & ops audit, observability, key rotation, sign-off

Progress lives in the milestones and issues; each phase has an epic tracking issue.


Testing

The target is ≥ 80 % coverage with unit, integration, and E2E layers, with TOTP validated against RFC 6238 vectors and OTP channels exercised through in-memory senders. See docs/auth/testing.md.


Contributing

Issues and pull requests are welcome on github.com/univeros/polaris. Please read AGENT.md and the relevant spec doc first, follow the conventions (strict types, immutability, small files, tests-first), and run composer qa before opening a PR.


License

Proprietary. © Univeros. See composer.json.


All versions of polaris with dependencies

PHP Build Version
Package Version
Requires php Version >=8.3
endroid/qr-code Version ^6.0
psr/http-client Version ^1.0
spomky-labs/otphp Version ^11.3
symfony/uid Version ^7.0
univeros/http Version ^2.0
univeros/module Version ^2.0
univeros/observability Version ^2.0
univeros/persistence Version ^2.0
univeros/security Version ^2.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package univeros/polaris contains the following files

Loading the files please wait ...