artapamudaid / secure-api-server
Laravel package for secure API HMAC authentication
pkg:composer/artapamudaid/secure-api-server
Requires (Dev)
- orchestra/testbench: ^8.0 || ^9.0 || ^10.0 || ^11.0
- phpunit/phpunit: ^12.0
README
A secure API authentication package for Laravel using API Key + Secret + HMAC signature with nonce & timestamp validation.
Built for protecting internal or third-party API calls with full management support.
Features
- Generate secure API Key & Secret
- Validate signature using HMAC
- Protects with X-TIMESTAMP and X-NONCE
- Revoke or delete API Keys
- Enforce one key per user
- Fully tested with PHPUnit 12
Installation (via Packagist)
composer require artapamudaid/secure-api-server
Then:
php artisan vendor:publish --tag=config
php artisan migrate
Configuration
The configuration lives in config/apikey.php:
return [
    'enabled' => true,
    'timestamp_tolerance' => 300, // in seconds (default 5 minutes)
];
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /secure-api/key | Generate API key + secret |
| GET | /secure-api/keys | List all API keys |
| DELETE | /secure-api/key/{id} | Delete API key |
| PATCH | /secure-api/key/{id}/revoke | Revoke API key |
| POST | /secure-api/ping | Test secure endpoint |
Required Headers for Secured Endpoints
X-API-KEY: {api_key}
X-API-SIGNATURE: {hmac_signature}
X-TIMESTAMP: {unix_timestamp}
X-NONCE: {random_string}
HMAC Signature format:
HMAC_SHA256(api_key . nonce . timestamp, secret)
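The header set and signature format above, worked through for both sides, as an added example that is not the package's own code. The function names, the in-memory nonce store and the key and secret values are constructed, and the constant-time comparison and nonce bookkeeping are assumptions about how such a scheme is normally verified.

```php
<?php
// Added example: client-side signing and the matching server-side checks.
// Names and values are constructed; this is not the package's implementation.
function signRequest(string $apiKey, string $secret, ?int $now = null): array
{
    $timestamp = (string) ($now ?? time());
    $nonce = bin2hex(random_bytes(16)); // 128-bit random value, new for every request
    // Documented format: HMAC_SHA256(api_key . nonce . timestamp, secret)
    $signature = hash_hmac('sha256', $apiKey . $nonce . $timestamp, $secret);
    return [
        'X-API-KEY' => $apiKey,
        'X-API-SIGNATURE' => $signature,
        'X-TIMESTAMP' => $timestamp,
        'X-NONCE' => $nonce,
    ];
}

function verifyRequest(array $h, string $secret, array &$seenNonces, int $tolerance = 300, ?int $now = null): string
{
    $now = $now ?? time();
    foreach (['X-API-KEY', 'X-API-SIGNATURE', 'X-TIMESTAMP', 'X-NONCE'] as $name) {
        if (!isset($h[$name]) || !is_string($h[$name]) || $h[$name] === '') {
            return "missing $name";
        }
    }
    // Reject non-numeric timestamps and anything outside timestamp_tolerance.
    if (!ctype_digit($h['X-TIMESTAMP']) || abs($now - (int) $h['X-TIMESTAMP']) > $tolerance) {
        return 'stale timestamp';
    }
    $expected = hash_hmac('sha256', $h['X-API-KEY'] . $h['X-NONCE'] . $h['X-TIMESTAMP'], $secret);
    if (!hash_equals($expected, $h['X-API-SIGNATURE'])) { // constant-time comparison
        return 'bad signature';
    }
    // Record the nonce only after the signature verifies, so unsigned traffic cannot fill the store.
    $id = $h['X-API-KEY'] . ':' . $h['X-NONCE'];
    if (isset($seenNonces[$id])) {
        return 'replayed nonce';
    }
    $seenNonces[$id] = (int) $h['X-TIMESTAMP'] + $tolerance; // entry may be purged after this time
    return 'ok';
}

$secret = 'constructed-secret-for-demo';
$seen = [];
$headers = signRequest('constructed-key-id', $secret, 1700000000);
echo verifyRequest($headers, $secret, $seen, 300, 1700000010), "\n"; // first use of the nonce
echo verifyRequest($headers, $secret, $seen, 300, 1700000020), "\n"; // same headers sent again
echo verifyRequest($headers, $secret, $seen, 300, 1700000900), "\n"; // outside the tolerance window
```

As documented, the signed string covers only the key, nonce and timestamp, so the signature identifies the caller but does not bind the request method, path or body.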
Running Tests
composer install
vendor/bin/phpunit
Built using:
- PHPUnit ^12.0
- Orchestra Testbench (Laravel testing framework)
Laravel Compatibility
| Laravel Version | Support |
|---|---|
| 8.x | ✅ |
| 9.x | ✅ |
| 10.x | ✅ |
| 11.x | ✅ |