amreljako/secure-sanctum

Extended Laravel Sanctum authentication with advanced token security and management.

Package info

github.com/amreljako/secure-sanctum

pkg:composer/amreljako/secure-sanctum

Statistics

Installs: 0

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

v0.1.0 2025-08-05 20:24 UTC

This package is auto-updated.

Last update: 2026-03-15 02:20:34 UTC


README

SecureSanctum is a Laravel package that extends the capabilities of Laravel Sanctum by providing enhanced token management, device control, expiration handling, and advanced authentication flow.

Features

  • Secure personal access token generation
  • Token expiration (configurable)
  • Device name storage
  • Token abilities (scopes)
  • Token revocation & cleanup
  • Limit maximum devices per user
  • Optional support for refresh tokens (configurable)
  • Fully integrated with Laravel out of the box

Installation

composer require amreljako/secure-sanctum

Make sure you already have Laravel Sanctum installed.

Configuration

  1. Publish the configuration file:

     php artisan vendor:publish --tag=secure-sanctum-config

  2. Review the published config file, config/secure_sanctum.php:

     return [
         'token_expiry_days' => 30,
         'allow_multiple_devices' => true,
         'refresh_token_enabled' => true,
         'max_devices_per_user' => 3,
     ];

Migration

Run the built-in migration to create the user_tokens table:

php artisan migrate

Routes

The package registers these routes automatically under the /api/secure-auth prefix. Only the login route is unauthenticated; logout and the token list act on the user identified by the Bearer token described under Token Usage.

Method  Endpoint                  Description
POST    /api/secure-auth/login    Issue a new token
POST    /api/secure-auth/logout   Revoke the current token
GET     /api/secure-auth/tokens   List all tokens of the authenticated user

Login Example

Request

POST /api/secure-auth/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secret"
}

Response

{
  "access_token": "plain-text-token",
  "expires_in_days": 30
}

Token Usage

Add the token to your API requests using the Authorization header:

Authorization: Bearer plain-text-token

The plaintext value is returned only in the login response: because the server stores a hash (see Token Schema), it cannot be recovered later, so the client must keep it and must send it over TLS only. Expired tokens are rejected and have to be replaced by logging in again.

Token Schema

Table: user_tokens

Column        Type         Description
user_id       foreign key  Linked user
token         string(64)   Hashed token (64 hex characters, consistent with a SHA-256 digest as Sanctum itself stores tokens)
device_name   string       Device/browser identifier
abilities     JSON         Token permissions (scopes)
expires_at    timestamp    Expiry date
last_used_at  timestamp    Last used time
created_at    timestamp    Created time
updated_at    timestamp    Updated time

Programmatic Usage

You can create and validate tokens using the TokenManager service:

use Amreljako\SecureSanctum\Services\TokenManager;

// arguments: user, device name, abilities; the trailing 7 is read here as the lifetime in days,
// matching the token_expiry_days config key
$token = app(TokenManager::class)->createToken($user, 'MyDevice', ['*'], 7);

Validate a token manually, passing the plaintext value the client sent in the Authorization header:

$record = app(TokenManager::class)->validateToken($plainToken);
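To make the Token Schema and the createToken/validateToken calls above concrete, the following is an added example and not code from amreljako/secure-sanctum: an in-memory store shaped like the user_tokens table that demonstrates the scheme the schema implies. The plaintext token is handed out once, only its SHA-256 hash (64 hex characters, the string(64) column) is stored, lookups compare hashes in constant time, expiry is enforced on every validation, and live tokens per user are capped by max_devices_per_user. The class name, the least-recently-used eviction rule and the reading of the fourth createToken argument as days are assumptions of this example.

```php
<?php
// Added example, not the package's code. Rows mirror the user_tokens table; the
// eviction rule (drop the least recently used token) and "days" for the 4th
// createToken argument are assumptions, not documented package behaviour.
final class DemoTokenStore
{
    /** @var list<array<string, mixed>> rows shaped like user_tokens */
    private array $rows = [];

    public function __construct(
        private int $tokenExpiryDays = 30,
        private bool $allowMultipleDevices = true,
        private int $maxDevicesPerUser = 3,
    ) {
    }

    /** Issue a token for $userId and return the plaintext; the plaintext is never stored. */
    public function createToken(int $userId, string $deviceName, array $abilities = ['*'], ?int $expiryDays = null, ?DateTimeImmutable $now = null): string
    {
        $now ??= new DateTimeImmutable('now', new DateTimeZone('UTC'));
        $limit = $this->allowMultipleDevices ? $this->maxDevicesPerUser : 1;

        // Cap live tokens per user: evict least recently used rows until there is room for one more.
        $live = array_filter($this->rows, fn (array $r) => $r['user_id'] === $userId && $r['expires_at'] > $now);
        usort($live, fn (array $a, array $b) => $a['last_used_at'] <=> $b['last_used_at']);
        while (count($live) >= $limit) {
            $this->revoke(array_shift($live)['token']);
        }

        $plain = bin2hex(random_bytes(40));           // 320 bits of entropy, shown to the client once
        $this->rows[] = [
            'user_id'      => $userId,
            'token'        => hash('sha256', $plain),  // 64 hex chars; plaintext cannot be recovered from it
            'device_name'  => $deviceName,
            'abilities'    => $abilities,
            'expires_at'   => $now->modify(sprintf('+%d days', $expiryDays ?? $this->tokenExpiryDays)),
            'last_used_at' => $now,
            'created_at'   => $now,
        ];
        return $plain;
    }

    /** Return the matching row (touching last_used_at), or null if unknown, revoked or expired. */
    public function validateToken(string $plain, ?DateTimeImmutable $now = null): ?array
    {
        $now ??= new DateTimeImmutable('now', new DateTimeZone('UTC'));
        $candidate = hash('sha256', $plain);
        foreach ($this->rows as $i => $row) {
            if (!hash_equals($row['token'], $candidate)) {   // constant-time comparison
                continue;
            }
            if ($row['expires_at'] <= $now) {
                return null;                               // expired: reject, never silently extend
            }
            $this->rows[$i]['last_used_at'] = $now;
            return $this->rows[$i];
        }
        return null;
    }

    /** Ability check: '*' grants everything, otherwise the ability must be listed exactly. */
    public function can(array $row, string $ability): bool
    {
        return in_array('*', $row['abilities'], true) || in_array($ability, $row['abilities'], true);
    }

    /** Revoke by stored hash, so revocation never needs the plaintext. */
    public function revoke(string $tokenHash): void
    {
        $this->rows = array_values(array_filter($this->rows, fn (array $r) => !hash_equals($r['token'], $tokenHash)));
    }
}

// Walk-through with a fixed clock so expiry and eviction outcomes are deterministic.
$check = static function (bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
};
$t0    = new DateTimeImmutable('2025-08-05 20:24:00', new DateTimeZone('UTC'));
$store = new DemoTokenStore(tokenExpiryDays: 30, allowMultipleDevices: true, maxDevicesPerUser: 2);

$phone  = $store->createToken(1, 'phone',  ['read'], null, $t0);
$laptop = $store->createToken(1, 'laptop', ['*'],    7,    $t0->modify('+1 minute'));
$tablet = $store->createToken(1, 'tablet', ['read'], null, $t0->modify('+2 minutes')); // third device: 'phone' is evicted

$check($store->validateToken($phone, $t0->modify('+3 minutes')) === null, 'evicted token is rejected');
$check($store->validateToken($laptop, $t0->modify('+6 days')) !== null,   'laptop valid inside its 7-day lifetime');
$check($store->validateToken($laptop, $t0->modify('+8 days')) === null,   'laptop rejected once expired');
$row = $store->validateToken($tablet, $t0->modify('+1 day'));
$check($row !== null && $row['device_name'] === 'tablet',        'tablet token resolves to its row');
$check($store->can($row, 'read') && !$store->can($row, 'write'), 'abilities are enforced');
$check(strlen($row['token']) === 64 && $row['token'] !== $tablet, 'only the 64-char hash is stored');
echo "all checks passed\n";
```

Run it with `php demo.php` (PHP 8.0 or newer, for named arguments and constructor promotion). The two points worth carrying over to any real deployment are that the database row never holds anything a leaked dump could replay, and that validation rejects an expired token outright rather than extending it; whether the package's own TokenManager evicts the oldest device or refuses the new login when the cap is reached is not stated in this README and should be checked in its source.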

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

License

This package is open-sourced software licensed under the MIT license.