Skip to content
rw3iss Auth

AuthClient

class rw3iss\AuthServer\AuthClient src/AuthClient.php ↗

Public facade for the auth-php package.

Composes the ports (TokenValidator, Transport, SessionStore, Clock, RevocationCache) into a small surface for app code. Mirrors the TS reference auth-client/src/core/auth-client.ts in intent, adapted to idiomatic PHP — no reactive snapshot, no cross-tab broadcast (PHP is single-process per request).

Typical use (server-side Laravel app):

$principal = $client->validateBearer($request->bearerToken()); $user = $client->me($accessToken);

Login / refresh / etc. go through the wrapped Transport and surface typed Domain DTOs.

Methods

build()

function build(
Config $config,
Transport $transport,
?RevocationCache $revocationCache = null,
?SessionStore $session = null,
?Clock $clock = null,
?LoggerInterface $logger = null,
): self

Convenience builder for use cases that don’t want to manually compose ports. The caller still passes a concrete Transport (PSR-18 is a hard dep there). Clock + SessionStore default to in-memory.

validateToken()

function validateToken(string $jwt): Principal

Validate an access token (or service token) locally. Returns a typed Principal. Throws TokenExpiredException / TokenInvalidException / TokenRevokedException.

validateBearer()

function validateBearer(?string $headerValue): ?Principal

Validate an “Authorization: Bearer …” header. Returns null when the header is missing or empty (lets the caller decide whether to 401).

login()

function login(string $email, string $password, array $opts = []): AuthResponse

Password login (POST /auth/login). Returns the AuthResponse. When the server requires 2FA, AuthResponse::$requiresTwoFactor is true and $tokens is null — the caller prompts for code and resubmits.

Parameters

  • $optsarray{ organizationId?:string|null, rememberMe?:bool, twoFactorCode?:string|null, appCode?:string|null, }

refresh()

function refresh(?string $refreshToken = null, array $opts = []): AuthResponse

Refresh access + refresh tokens (POST /auth/refresh). Returns the new AuthResponse. Optional context fields switch the active org / app without forcing a fresh password login.

Parameters

  • $optsarray{organizationId?:string|null,appCode?:string|null}

logout()

function logout(): void

Logout the current session (POST /auth/logout). Best-effort: clears the local SessionStore even if the server call fails — the access token reaches natural exp regardless. Authenticated endpoint (auth-server AUDIT 1.23) so the access token is attached.

logoutAll()

function logoutAll(): void

Logout-all: revoke every refresh token + bump per-user token-version (POST /auth/logout/all). After this call, every outstanding access token for the user is invalid cross-replica within ~one cache TTL.

me()

function me(?string $accessToken = null): array

GET /auth/me — current user as a server-authoritative payload.

Returns

  • array<string,mixed>

register()

function register(array $payload): AuthResponse

Register a new user (POST /auth/register).

Parameters

  • $payloadarray<string,mixed> · Body fields per the server’s RegisterRequest DTO

authenticatedRequest()

function authenticatedRequest(
string $method,
string $path,
?array $body = null,
array $headers = [],
): array

Authenticated request helper. Issues the call with the current access token; on 401, attempts ONE refresh + ONE retry (mirrors auth-client autoRetryOn401). Returns the decoded body.

Parameters

  • $bodyarray<string,mixed>|null
  • $headersarray<string,string>

Returns

  • array<string,mixed>

accessToken()

function accessToken(): ?string

The current session’s access token, or null when there isn’t one.

Convenience for host apps (esp. the SSO bridge) that need to forward the logged-in user’s token to a sibling rw3iss API — e.g. rw3iss/auction-sdk-php. Reads from the configured SessionStore; in pure bearer-token mode (no session) the token lives on the request, not here, so this returns null — read it from the guard/Authorization header in that case.