Skip to content
rw3iss Auth

Flows

class rw3iss\AuthServer\Flows src/Flows.php ↗

Aggregator of HTTP flows that don’t belong on the AuthClient main surface. One thin method per auth-server endpoint, all wired through the client’s Transport + SessionStore.

Endpoint map (auth-server/internal/api/routes/routes.go):

  • password reset / change → /auth/password/*
  • email verification → /auth/verify-email*
  • 2FA enroll / enable / off → /auth/2fa/*
  • sessions list / terminate → /auth/sessions*
  • my apps / my orgs → /me/apps, /me/orgs
  • SSO providers / url / etc → /auth/sso/*
  • admin → /admin/*, /auth/check-email, /auth/admin/set-password
  • validate (server-side) → /auth/validate

Methods

setupTwoFactor()

function setupTwoFactor(): array

Returns

  • array<string,mixed>

listSessions()

function listSessions(): array

Returns

  • array<string,mixed>

myApps()

function myApps(): array

Returns

  • array<string,mixed>

myOrgs()

function myOrgs(): array

Returns

  • array<string,mixed>

startSso()

function startSso(
string $provider,
string $redirectUrl,
?string $organizationId = null,
?string $inviteCode = null,
): array

Step 1: get the provider auth URL. Stores a PKCE verifier per state.

Returns

  • array{auth_url:string,state:string,code_verifier:string}

completeSso()

function completeSso(string $provider, string $code, string $state): AuthResponse

Step 2/3: complete the SSO callback. The server returns either {auth_code, expires_in} (PKCE branch) or {user, tokens, …}. We handle both — when PKCE auth_code is returned we POST /auth/sso/exchange with the stored verifier and persist the resulting tokens.

ssoProviders()

function ssoProviders(): array

Returns

  • array<string,mixed>

validateTokenRemote()

function validateTokenRemote(string $token): array

Validate a token at the server (fallback when shared secret unavailable).

Returns

  • array<string,mixed>

lookupUsers()

function lookupUsers(
array $emails = [],
array $ids = [],
?string $serviceToken = null,
): array

Bulk user lookup (system_admin / super_admin only).

Parameters

  • $emailslist<string>
  • $idslist<string>

Returns

  • array<string,mixed>

bulkImport()

function bulkImport(array $users, array $opts = [], ?string $serviceToken = null): array

Bulk-import users with pre-hashed passwords (system_admin only).

Hashes are stored verbatim — bcrypt values verify on the normal login path immediately, so existing passwords keep working with no reset. The server upserts idempotently by (namespace, email) and returns a per-row status + the resulting uid, so the caller can backfill its own foreign key (e.g. a local users.ven_user_id). Max 500 rows per request.

Parameters

  • $userslist<array<string,mixed>> · Each row: {email, password_hash, hash_algo?, first_name?, last_name?, namespace_tags?, metadata?}.
  • $optsarray{app_code?:string,default_namespace?:string,update?:bool}

Returns

  • array<string,mixed> {created, updated, skipped, errored, rows[]}

registerPermissions()

function registerPermissions(
string $service,
array $permissions,
?string $serviceToken = null,
): array

Register a service’s permission catalog slice (system_admin only).

Parameters

  • $permissionslist<array<string,mixed>>

Returns

  • array<string,mixed>

clientCredentialsGrant()

function clientCredentialsGrant(
string $clientId,
string $clientSecret,
array $scopes = [],
): array

Exchange client credentials for a service-principal access token (POST /oauth/token). Returns the raw {access_token, token_type, expires_in, expires_at, scope} envelope.

Parameters

  • $scopeslist<string>

Returns

  • array<string,mixed>

pkceVerifier()

function pkceVerifier(): string

RFC 7636 §4.1 — 43..128 chars of unreserved URL-safe random.

pkceChallenge()

function pkceChallenge(string $verifier): string

RFC 7636 §4.2 — BASE64URL(SHA256(verifier)).