Enterprise User Management Package for Laravel Last updated: 2026-07-02
- Password-based login/registration
- Magic link (passwordless) authentication
- Passkey/WebAuthn support (biometric, hardware keys)
- OAuth/Social login (Google, GitHub, Microsoft, Apple)
- Password reset via email link
- Password change for authenticated users
- Configurable password complexity rules (min/max, mixed case, numbers, symbols)
- Email verification with signed links
- TOTP authenticator app support (Google Authenticator, Authy, 1Password)
- Email OTP (6-digit codes with configurable expiry)
- Recovery codes (8 single-use backup codes, hash-stored)
- Preferred MFA method tracking per user
- MFA enforcement during login flow
- Setup verification (pending → active): authenticator only enforced after the user proves the setup with a valid TOTP; abandoned setups purged by
neev:clean-pending-mfa-setups
- Team CRUD with auto-slug generation
- Invite members by email with signed links
- Role-based access (member, admin, owner)
- Accept/reject invitations
- Request-to-join flow for public teams
- Team switching (multi-team users)
- Ownership transfer
- Reserved slug prevention
- Email domain claiming by teams
- DNS verification for domains
- Auto-join rules based on email domain
- Primary domain assignment per team
- Custom security rules per domain
- Subdomain-based tenant routing
- Custom domain support with DNS verification
-
TenantResolverservice (singleton, hostname-based) - Per-tenant authentication configuration
- Per-tenant SSO (Microsoft Entra ID, Google Workspace, Okta)
-
TenantSSOManagerwith dynamic Socialite configuration - Auto-provisioning of SSO users
- Single/multi-tenant user mode option
- Brute force protection (progressive delay via
login_throttle: exponential backoff afterdelay_afterfailures, capped atmax_delay_seconds) - Login attempt tracking (IP, browser, OS, device, GeoIP location)
- Password history (prevents reusing last N passwords)
- Password expiry enforcement (
password_expiry_daysconfig + opt-inneev:password-not-expiredmiddleware, added in v0.4.0) - Email verification enforcement (opt-in
neev:verified-emailmiddleware, added in v0.4.4) - MaxMind GeoIP integration for IP geolocation
- Persistent API tokens with permission scoping
- Temporary login tokens with auto-expiry
- Token CRUD (create, update, delete, list, bulk delete)
- SHA256 token hashing
- Single email per user on the
userstable (separateemails/passwordstables dropped and consolidated ontousers) - Email verification tracking
- Email change with reverification
- Mailables: VerifyUserEmail, EmailOTP, LoginUsingLink, TeamInvitation, TeamJoinRequest
- 66 Blade templates (auth, account, team, components, layouts)
- 35+ reusable Blade components
- Guest & authenticated layouts
- Email templates (5 files)
- 12 migrations covering the schema (users + login_attempts, otps, passkeys, multi_factor_auths, recovery_codes, tenants, access_tokens, teams + memberships, team_invitations, domains, team_auth_settings, tenant_auth_settings); password history stored as JSON on
users
-
neev:install- Setup wizard (tenant yes/no, teams yes/no) -
neev:download-geoip- Download MaxMind GeoLite2 database -
neev:clean-login-attempts- Remove old login records - Tenant commands - create / list / show
- Domain commands - add / verify / list
- Member commands - add / remove / list
- Auth settings commands - configure / show
- Team command - activate
-
neev:web- Web authentication with MFA (TenantMiddleware > ResolveTeamMiddleware > NeevMiddleware > EnsureTenantMembership > BindContextMiddleware) -
neev:api- API token authentication (TenantMiddleware > ResolveTeamMiddleware > NeevAPIMiddleware > EnsureTenantMembership > BindContextMiddleware) -
neev:login- MFA step-up JWT authentication (TenantMiddleware > ResolveTeamMiddleware > JwtLoginMiddleware > EnsureTenantMembership > BindContextMiddleware) -
neev:tenant- Tenant resolution, required (TenantMiddleware:required > ResolveTeamMiddleware > BindContextMiddleware) -
neev:active-team- Blocks inactive teams -
neev:active-tenant- Blocks inactive tenants -
neev:tenant-member- Verifies user belongs to tenant -
neev:resolve-team- Resolves team from route parameter -
neev:ensure-sso- Enforces SSO-only access for current context -
neev:password-not-expired- Blocks users with expired passwords (opt-in) -
neev:verified-email- Blocks users with unverified email (opt-in)
- Minimal config surface (~20 keys, two orthogonal identity flags
tenant+team) after the v0.4.0 config overhaul; per-tenant/team auth behaviour lives intenant_auth_settings/team_auth_settingsDB tables
- Markdown docs in
docs/(README, installation, configuration, authentication, API reference, web routes, CLI commands, teams, MFA, multi-tenancy, security, architecture, architecture internals, db schema) plus design docs (docs/rfcs/,config-refactor.md,spa-cookie-mode.md)
-
LoggedIn/LoggedOut(renamed fromLoggedInEvent/LoggedOutEvent) -
DomainVerified/DomainReverified/DomainVerificationFailed- Domain lifecycle events (v0.4.0) - Laravel-native events where semantics match:
Registered,PasswordReset,Lockout -
PasswordChanged,EmailVerified,MfaMethodAdded,MfaMethodRemoved,RecoveryCodesGenerated,TeamCreated,TeamDeleted,MemberAdded,MemberRemoved,TenantCreated,SsoUserProvisioned - Event listeners / subscribers for common use cases (e.g. security-event email notifications)
Items identified during the production readiness audit. All critical, high, and medium code issues have been fixed. These are remaining documentation and feature gaps.
- Events system expansion — Laravel-native events (
Registered,PasswordReset,Lockout) plus Neev events for MFA changes, password changes, team/tenant lifecycle, membership, SSO provisioning, email verification, and domain verification. Documented indocs/README.md. - Identity mode decision matrix — four-mode matrix + "Four Questions to Decide" in
docs/multi-tenancy.md, cross-linked from architecture.md. - SSO SPA flow documentation — covered in
docs/spa-authentication.md(SSO → SPA section: discovery, redirect, cookie vs fragment callback). - Middleware usage and ordering documentation — authoritative "Middleware Usage & Ordering" section in
docs/architecture-internals.md. - Queue/background job tenant context — documented in
docs/multi-tenancy.md(Console & Queue Context) with a complete job example. - OAuth security bypass documentation — verified against the callback flows and prominently documented in
docs/authentication.md+docs/security.md, with mitigations (provider allowlist,neev:ensure-sso). - CORS/SPA guidance — covered in
docs/spa-authentication.md(backend setup: cors.php example, credentials, encryption caveats).
- Remove unused
MembershipService— removed (verified: never injected or referenced). - Extract
isDomainVerified()— the four private copies (plus one inline variant) replaced byDomain::isVerifiedForEmail(). (The old note'sEmailDomainValidatortarget no longer exists.) - Web/API registration feature parity —
RegistrationServicenow owns validation rules, user creation, invitation acceptance, federated-domain team rules, OAuth registration, the transaction, and theRegisteredevent; all four controllers delegate to it. Future hooks (email reputation, RFC-001 self-registration routing) plug in here. -
Lint violations in demo/ directory— obsolete:demo/is gitignored (local-only, not shipped).
- Email reputation package —
EmailDomainValidator(hardcoded free-email list,require_company_email) was removed in v0.4.0 on the promise of a standalone email-reputation package (docs/email-reputation-package.md, still proposed). Until it ships, consuming apps have no company-email enforcement. Decide v1 scope (classification-only vs network validation) and data sources:
- Test suite - Comprehensive test suite with 60%+ line coverage
- Unit tests for Services, Middleware, Models, Traits, Scopes
- Feature tests for Authentication flows, Tenant SSO, Tenant Domains
- Expand test coverage - Additional tests needed:
- Feature tests for MFA flows (TOTP setup/verify, Email OTP, recovery codes)
- Feature tests for Team management (CRUD, invitations, membership, switching)
- Feature tests for API token management
- Integration tests for rate limiting and brute force protection
- SAML 2.0 support - Currently only OAuth/Socialite-based SSO; SAML would unlock enterprise IdPs (ADFS, PingFederate, etc.)
- SMS-based MFA - Only TOTP and email OTP supported currently
- Suspicious login detection & alerts - Mentioned in docs but no dedicated implementation beyond GeoIP tracking
- Session management - Active sessions listing (
GET /neev/sessions, web views), remote logout of all sessions, and single-session revoke (DELETE /neev/sessions/{id}) - Admin override for MFA recovery - Support-assisted account recovery when all MFA methods lost
- Webhook support - Allow apps to receive webhook callbacks on auth/team events
- Audit logging - Comprehensive audit trail beyond login attempts (e.g., permission changes, team settings updates, token operations)
- Account deletion / data export - GDPR compliance features (right to deletion, data portability)
- Email notifications for security events - New device login, password changed, MFA disabled, etc.
- Admin dashboard views - Team/user administration for app owners
- IP allowlist/blocklist - Per-tenant or global IP access control
- Rate limiting with Redis - Distributed rate limiting for multi-server deployments (currently cache-based)
- Decompose large controllers -
UserAuthController.php(27 methods) andTeamApiController.php(26 methods) could benefit from splitting into focused controllers. ⚠ BREAKING when done: apps that publishedroutes/neev.phpreference these controller class names — splitting/renaming breaks their published copies. Must ship with an UPGRADING entry (re-publish or update class references), not as casual housekeeping. - PHPStan / static analysis - Level 5 with Larastan, integrated in CI
- PHP CS Fixer / Pint config - PSR-12 code style enforcement via Pint
- CI/CD pipeline - GitHub Actions for tests, static analysis, code style, Codecov coverage
- Automated GeoIP database updates - Scheduled workflow for monthly MaxMind DB refresh
- Package publishing automation - Automated Packagist release on tag
- Feature-flagged design: All major features (teams, tenancy, federation, MFA) are toggle-able via config
- Extensible models: User and Team models are swappable via config
- Laravel 12.x compatible, PHP 8.3+
- Key dependencies: geoip2/geoip2, web-auth/webauthn-lib, laravel/socialite, spomky-labs/otphp, ssntpl/laravel-acl