Documentation
Authentication, MFA & user management for the Univeros framework. One line in config/modules.php — a complete, production-grade identity stack.
Polaris is the official authentication & user-management module for Univeros / Altair applications. A host registers one class and the app gains email-verified login, JWT access tokens with rotating refresh tokens, multi-factor authentication (TOTP/QR, SMS, email), single-use recovery codes, multi-tenant organizations with role-based access control, and a hardened security posture — contributed as routes, Cycle entities, migrations, and middleware with no further host wiring.
The name is the idea: Polaris is the fixed star your application’s identity navigates by.
What you get
| Area | What you get |
|---|---|
| Authentication | Register, email verification, password login, /auth/me, logout / logout-all |
| Tokens | Asymmetric JWT access tokens (RS256/EdDSA) + opaque rotating refresh tokens with reuse detection; JWKS endpoint |
| Sessions | Per-device session list, individual + global revocation |
| MFA / OTP | TOTP (QR), SMS OTP, email OTP, recovery codes, login-MFA gate, step-up |
| Passwords | Argon2id, policy enforcement, breached-password hook, reset & change (logout-everywhere) |
| Multi-tenant RBAC | Organizations, memberships, roles, permissions, invitations, org switching |
| Authorization | Declarative permission guard middleware + a programmatic Gate with policies |
| Security | Rate limiting, account lockout, anti-enumeration, audit log, key rotation |
| Ops | PSR-14 domain events, notification fan-out, transient-row pruning, observability |
Where to start
The complete, authoritative specification lives in the Auth section:
| Doc | Contents |
|---|---|
| Overview | Goals, scope, framework integration |
| Data model | Entities, tables, relationships, migrations |
| Flows | Register, login, refresh rotation, sessions, password |
| MFA & OTP | TOTP/QR, SMS, email, recovery codes, step-up |
| Multi-tenant RBAC | Organizations, memberships, roles, permissions, guard |
| API reference | Full endpoint catalog + error format |
| Security | Threat model, cryptography, key management |
| Key rotation | Signing-key lifecycle and rollover |
| Configuration | Config schema, env vars, bindings, dependencies |
| Events | PSR-14 domain events |
| Testing | Test strategy + acceptance criteria |
| Implementation plan | Phased build order |
Status
Polaris is in active development, built in five phases: foundation, identity core, MFA & OTP, multi-tenant RBAC, and hardening & ops. Progress is tracked in the milestones and issues on GitHub.