User authentication

src/App.php

@@ -22,7 +22,7 @@
 use Phenix\Facades\Route;
 use Phenix\Logging\LoggerFactory;
 use Phenix\Runtime\Log;
-use Phenix\Session\SessionMiddleware;
+use Phenix\Session\SessionMiddlewareFactory;
 
 class App implements AppContract, Makeable
 {
@@ -169,7 +169,7 @@ private function setRouter(): void
         /** @var array<int, Middleware> $globalMiddlewares */
         $globalMiddlewares = array_map(fn (string $middleware) => new $middleware(), $middlewares['global']);
 
-        $globalMiddlewares[] = SessionMiddleware::make($this->host);
+        $globalMiddlewares[] = SessionMiddlewareFactory::make($this->host);
 
         $this->router = Middleware\stackMiddleware($router, ...$globalMiddlewares);
     }

src/Auth/AuthServiceProvider.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Phenix\Auth;
+
+use Phenix\Auth\Console\PersonalAccessTokensTableCommand;
+use Phenix\Auth\Console\PurgeExpiredTokens;
+use Phenix\Providers\ServiceProvider;
+
+use function in_array;
+
+class AuthServiceProvider extends ServiceProvider
+{
+    public function provides(string $id): bool
+    {
+        return in_array($id, [
+            AuthenticationManager::class,
+        ]);
+    }
+
+    public function register(): void
+    {
+        $this->bind(AuthenticationManager::class);
+    }
+
+    public function boot(): void
+    {
+        $this->commands([
+            PersonalAccessTokensTableCommand::class,
+            PurgeExpiredTokens::class,
+        ]);
+    }
+}

src/Auth/AuthenticationManager.php

@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Phenix\Auth;
+
+use Phenix\Facades\Cache;
+use Phenix\Facades\Config;
+use Phenix\Util\Date;
+
+use function sprintf;
+
+class AuthenticationManager
+{
+    private User|null $user = null;
+
+    public function user(): User|null
+    {
+        return $this->user;
+    }
+
+    public function setUser(User $user): void
+    {
+        $this->user = $user;
+    }
+
+    public function validate(string $token): bool
+    {
+        $hashedToken = hash('sha256', $token);
+
+        /** @var PersonalAccessToken|null $accessToken */
+        $accessToken = PersonalAccessToken::query()
+            ->whereEqual('token', $hashedToken)
+            ->whereGreaterThan('expires_at', Date::now()->toDateTimeString())
+            ->first();
+
+        if (! $accessToken) {
+            return false;
+        }
+
+        $accessToken->lastUsedAt = Date::now();
+        $accessToken->save();
+
+        /** @var class-string<User> $userModel */
+        $userModel = Config::get('auth.users.model', User::class);
+
+        /** @var User|null $user */
+        $user = $userModel::find($accessToken->tokenableId);
+
+        if (! $user) {
+            return false;
+        }
+
+        if (method_exists($user, 'withAccessToken')) {
+            $user->withAccessToken($accessToken);
+        }
+
+        $this->setUser($user);
+
+        return true;
+    }
+
+    public function increaseAttempts(string $clientIdentifier): void
+    {
+        $key = $this->getAttemptKey($clientIdentifier);
+
+        Cache::set(
+            $key,
+            $this->getAttempts($clientIdentifier) + 1,
+            Date::now()->addSeconds(
+                (int) (Config::get('auth.tokens.rate_limit.window', 300))
+            )
+        );
+    }
+
+    public function getAttempts(string $clientIdentifier): int
+    {
+        $key = $this->getAttemptKey($clientIdentifier);
+
+        return (int) Cache::get($key, fn (): int => 0);
+    }
+
+    public function resetAttempts(string $clientIdentifier): void
+    {
+        $key = $this->getAttemptKey($clientIdentifier);
+
+        Cache::delete($key);
+    }
+
+    protected function getAttemptKey(string $clientIdentifier): string
+    {
+        return sprintf('auth:token_attempts:%s', $clientIdentifier);
+    }
+}

src/Auth/AuthenticationToken.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Phenix\Auth;
+
+use Phenix\Util\Date;
+use Stringable;
+
+class AuthenticationToken implements Stringable
+{
+    public function __construct(
+        protected string $id,
+        protected string $token,
+        protected Date $expiresAt,
+    ) {
+    }
+
+    public function id(): string
+    {
+        return $this->id;
+    }
+
+    public function toString(): string
+    {
+        return $this->token;
+    }
+
+    public function expiresAt(): Date
+    {
+        return $this->expiresAt;
+    }
+
+    public function __toString(): string
+    {
+        return $this->toString();
+    }
+}

src/Auth/Concerns/HasApiTokens.php

@@ -0,0 +1,103 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Phenix\Auth\Concerns;
+
+use Phenix\Auth\AuthenticationToken;
+use Phenix\Auth\Events\TokenCreated;
+use Phenix\Auth\Events\TokenRefreshCompleted;
+use Phenix\Auth\PersonalAccessToken;
+use Phenix\Auth\PersonalAccessTokenQuery;
+use Phenix\Facades\Event;
+use Phenix\Util\Date;
+
+use function sprintf;
+
+trait HasApiTokens
+{
+    protected PersonalAccessToken|null $accessToken = null;
+
+    public function token(): PersonalAccessToken
+    {
+        $model = new (config('auth.tokens.model'));
+        $model->tokenableType = static::class;
+        $model->tokenableId = $this->getKey();
+
+        return $model;
+    }
+
+    public function tokens(): PersonalAccessTokenQuery
+    {
+        $model = new (config('auth.tokens.model'));
+
+        return $model::query()
+            ->whereEqual('tokenable_type', static::class)
+            ->whereEqual('tokenable_id', $this->getKey());
+    }
+
+    public function createToken(string $name, array $abilities = ['*'], Date|null $expiresAt = null): AuthenticationToken
+    {
+        $plainTextToken = $this->generateTokenValue();
+        $expiresAt ??= Date::now()->addMinutes(config('auth.tokens.expiration', 60 * 12));
+
+        $token = $this->token();
+        $token->name = $name;
+        $token->token = hash('sha256', $plainTextToken);
+        $token->abilities = json_encode($abilities);
+        $token->expiresAt = $expiresAt;
+        $token->save();
+
+        Event::emitAsync(new TokenCreated($token));
+
+        return new AuthenticationToken(
+            id: $token->id,
+            token: $plainTextToken,
+            expiresAt: $expiresAt
+        );
+    }
+
+    public function generateTokenValue(): string
+    {
+        $entropy = bin2hex(random_bytes(32));
+        $checksum = substr(hash('sha256', $entropy), 0, 8);
+
+        return sprintf(
+            '%s%s_%s',
+            config('auth.tokens.prefix', ''),
+            $entropy,
+            $checksum
+        );
+    }
+
+    public function currentAccessToken(): PersonalAccessToken|null
+    {
+        return $this->accessToken;
+    }
+
+    public function withAccessToken(PersonalAccessToken $accessToken): static
+    {
+        $this->accessToken = $accessToken;
+
+        return $this;
+    }
+
+    public function refreshToken(string $name, array $abilities = ['*'], Date|null $expiresAt = null): AuthenticationToken
+    {
+        $previous = $this->currentAccessToken();
+
+        $newToken = $this->createToken($name, $abilities, $expiresAt);
+
+        if ($previous) {
+            $previous->expiresAt = Date::now();
+            $previous->save();
+
+            Event::emitAsync(new TokenRefreshCompleted(
+                $previous,
+                $newToken
+            ));
+        }
+
+        return $newToken;
+    }
+}

src/Auth/Console/PersonalAccessTokensTableCommand.php

@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Phenix\Auth\Console;
+
+use Phenix\Console\Maker;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class PersonalAccessTokensTableCommand extends Maker
+{
+    /**
+     * @var string
+     *
+     * @phpcsSuppress SlevomatCodingStandard.TypeHints.PropertyTypeHint
+     */
+    protected static $defaultName = 'tokens:table';
+
+    /**
+     * @var string
+     *
+     * @phpcsSuppress SlevomatCodingStandard.TypeHints.PropertyTypeHint
+     */
+    protected static $defaultDescription = 'Creates the database table for personal access tokens.';
+
+    protected function configure(): void
+    {
+        $this->setHelp('This command generates the migration to create the personal access tokens table.');
+
+        $this->addArgument('name', InputArgument::OPTIONAL, 'The migration file name');
+        $this->addOption('force', 'f', InputOption::VALUE_NONE, 'Force creation even if file exists');
+    }
+
+    protected function execute(InputInterface $input, OutputInterface $output): int
+    {
+        // Static timestamped file name for reproducible tests.
+        $fileName = '20251128110000_create_personal_access_tokens_table';
+        $input->setArgument('name', $fileName);
+
+        return parent::execute($input, $output);
+    }
+
+    protected function outputDirectory(): string
+    {
+        return 'database' . DIRECTORY_SEPARATOR . 'migrations';
+    }
+
+    protected function stub(): string
+    {
+        return 'personal_access_tokens_table.stub';
+    }
+
+    protected function commonName(): string
+    {
+        return 'Personal access tokens table';
+    }
+}