
Flows

class Vendidit\AuthServer\Flows
Source: src/Flows.php

Aggregator of HTTP flows that don’t belong on the AuthClient main surface. One thin method per auth-server endpoint, all wired through the client’s Transport + SessionStore.

Endpoint map (auth-server/internal/api/routes/routes.go):

  • password reset / change → /auth/password/*
  • email verification → /auth/verify-email*
  • 2FA enroll / enable / off → /auth/2fa/*
  • sessions list / terminate → /auth/sessions*
  • my apps / my orgs → /me/apps, /me/orgs
  • SSO providers / url / etc → /auth/sso/*
  • admin → /admin/*, /auth/check-email, /auth/admin/set-password
  • validate (server-side) → /auth/validate

Methods

setupTwoFactor()

@return array<string,mixed>

listSessions()

@return array<string,mixed>

myApps()

@return array<string,mixed>

myOrgs()

@return array<string,mixed>

startSso(string $provider, string $redirectUrl, ?string $organizationId = null, ?string $inviteCode = null)

Step 1: get the provider auth URL. Stores a PKCE verifier per state.

@return array{auth_url:string,state:string,code_verifier:string}

completeSso(string $provider, string $code, string $state)

Step 2/3: complete the SSO callback. The server returns either {auth_code, expires_in} (PKCE branch) or {user, tokens, …}. We handle both — when PKCE auth_code is returned we POST /auth/sso/exchange with the stored verifier and persist the resulting tokens.

ssoProviders()

@return array<string,mixed>

validateTokenRemote(string $token)

Validate a token at the server (fallback for when the shared secret is unavailable for local validation).

@return array<string,mixed>

lookupUsers(array $emails = [], array $ids = [], ?string $serviceToken = null)

Bulk user lookup (system_admin / super_admin only).

@param list $emails
@param list $ids
@return array<string,mixed>

registerPermissions(string $service, array $permissions, ?string $serviceToken = null)

Register a service’s permission catalog slice (system_admin only).

@param list<array<string,mixed>> $permissions
@return array<string,mixed>

clientCredentialsGrant(string $clientId, string $clientSecret, array $scopes = [])

Exchange client credentials for a service-principal access token (POST /oauth/token). Returns the raw {access_token, token_type, expires_in, expires_at, scope} envelope.

@param list $scopes
@return array<string,mixed>

pkceVerifier()

RFC 7636 §4.1 — 43..128 characters drawn at random from the unreserved URL-safe set [A-Za-z0-9-._~].

pkceChallenge(string $verifier)

RFC 7636 §4.2 — BASE64URL(SHA256(verifier)).
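The following is an added example, not code from the Vendidit SDK, that shows both the PKCE helpers described here (pkceVerifier()/pkceChallenge() per RFC 7636, checked against the RFC's Appendix B test vector) and the two-step startSso()/completeSso() handling described above: the verifier is kept per state, the state is checked and consumed once on callback, and the callback branches on {auth_code, expires_in} versus {user, tokens}. The function names mirror the page's, but the plain PHP array standing in for SessionStore, the locally built auth URL (only to show which parameters carry the challenge), the provider names, the code and token values, and the $exchange closure standing in for POST /auth/sso/exchange are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Base64url without padding, as RFC 7636 requires for both verifier and challenge.
function base64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// RFC 7636 §4.1: 32 random bytes encode to 43 chars, 96 bytes to 128 chars (the allowed range).
function pkceVerifier(int $bytes = 32): string
{
    if ($bytes < 32 || $bytes > 96) {
        throw new InvalidArgumentException('verifier length outside the RFC 7636 43..128 char range');
    }
    return base64url(random_bytes($bytes));
}

// RFC 7636 §4.2: BASE64URL(SHA256(ASCII(verifier))).
function pkceChallenge(string $verifier): string
{
    return base64url(hash('sha256', $verifier, true));
}

// Step 1 analogue: mint a state, keep the verifier keyed by that state (session-scoped in practice).
// The auth URL is built locally here only to show which parameters carry the challenge; the SDK gets it from the server.
function startSso(array &$store, string $provider): array
{
    $state = base64url(random_bytes(16));
    $verifier = pkceVerifier();
    $store[$state] = $verifier;
    $authUrl = '/auth/sso/' . rawurlencode($provider) . '/url?' . http_build_query([
        'state' => $state,
        'code_challenge' => pkceChallenge($verifier),
        'code_challenge_method' => 'S256',
    ]);
    return ['auth_url' => $authUrl, 'state' => $state, 'code_verifier' => $verifier];
}

// Step 2/3 analogue. $callbackResponse is the server's callback payload; $exchange stands in for
// POST /auth/sso/exchange. Returns the token envelope the caller would persist.
function completeSso(array &$store, string $state, array $callbackResponse, callable $exchange): array
{
    // Unknown or replayed state: refuse rather than fall through to a token exchange.
    if (!isset($store[$state])) {
        throw new RuntimeException('unknown or already-used SSO state');
    }
    $verifier = $store[$state];
    unset($store[$state]); // single use: the verifier never outlives its callback

    if (isset($callbackResponse['auth_code'])) {
        // PKCE branch: the auth_code is only redeemable together with the verifier bound to this state.
        return $exchange(['auth_code' => $callbackResponse['auth_code'], 'code_verifier' => $verifier]);
    }
    if (isset($callbackResponse['tokens'])) {
        return $callbackResponse['tokens']; // direct branch: tokens arrive with the callback
    }
    throw new RuntimeException('unexpected SSO callback payload');
}

// Self-check against RFC 7636 Appendix B (verifier -> S256 challenge).
if (pkceChallenge('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk') !== 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM') {
    throw new RuntimeException('PKCE self-test failed');
}

$store = [];
$start = startSso($store, 'example-idp'); // constructed provider name
parse_str((string) parse_url($start['auth_url'], PHP_URL_QUERY), $query);
$serverSideChallenge = $query['code_challenge']; // what the server remembered from step 1

// Constructed stand-in for /auth/sso/exchange: redeems the code only if the verifier matches the challenge.
$exchange = function (array $body) use ($serverSideChallenge): array {
    if (pkceChallenge($body['code_verifier']) !== $serverSideChallenge) {
        throw new RuntimeException('invalid_grant: verifier does not match the stored challenge');
    }
    return ['access_token' => 'constructed-access-token', 'expires_in' => 3600];
};

// PKCE branch: callback carried {auth_code, expires_in}.
$tokens = completeSso($store, $start['state'], ['auth_code' => 'constructed-code', 'expires_in' => 300], $exchange);
echo "PKCE branch: ", json_encode($tokens), "\n";

// Direct branch: callback carried {user, tokens}; no exchange call is made.
$store2 = [];
$start2 = startSso($store2, 'example-idp');
$tokens2 = completeSso($store2, $start2['state'], ['user' => ['id' => 'u-1'], 'tokens' => ['access_token' => 'constructed-direct-token']], $exchange);
echo "direct branch: ", json_encode($tokens2), "\n";

// A second callback for an already-consumed state is rejected before any exchange.
try {
    completeSso($store, $start['state'], ['auth_code' => 'constructed-code'], $exchange);
} catch (RuntimeException $e) {
    echo "replay rejected: ", $e->getMessage(), "\n";
}
```

Run with `php example.php`. The two properties worth carrying into real code are the ones the self-test and the replay case exercise: the challenge is derived from the verifier and never stored client-side in its place, and the state lookup is both the CSRF check and the single-use gate, so a callback with a state you did not mint, or one you already consumed, never reaches /auth/sso/exchange.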