🔐 PHPAuth — High-Security PHP Authentication System

A production-ready, senior-level PHP authentication system featuring a modern MVC architecture, enterprise-grade security, and a stunning Glassmorphism UI.

Features · Architecture · Setup · Usage · Security

---

✨ Features

Feature	Status
🔑 User Registration	✅
🔒 Secure Login (with Remember Me)	✅
📧 Email Verification	✅
🔁 Password Reset via Email	✅
🛡️ CSRF Protection	✅
⏱️ Rate Limiting & Account Lockout	✅
🍪 Persistent Sessions (Refresh Tokens)	✅
🎨 Premium Glassmorphism Dark UI	✅
📱 Fully Responsive Design	✅
📮 Gmail SMTP (PHPMailer)	✅
🏗️ MVC Front Controller Pattern	✅

---

🏛️ Architecture

PHPAuth is built with a clean MVC architecture and a Front Controller pattern, designed with scalability and maintainability in mind.

phpauth/
├── .env                        # Environment variables (DB, Mail)
├── .htaccess                   # Root redirect → /public
├── .sql                        # Database schema
├── composer.json               # Composer dependencies
│
├── config/
│   └── db.php                  # PDO connection + .env loader
│
├── public/                     # 🌐 Only publicly accessible directory
│   ├── .htaccess               # Clean URL routing
│   ├── index.php               # Front Controller (entry point)
│   └── assets/                 # CSS, JS, images
│
├── src/                        # Core application logic
│   ├── autoload.php            # PSR-4 class autoloader
│   │
│   ├── Auth/
│   │   └── Auth.php            # Core authentication logic
│   │
│   ├── Controllers/
│   │   ├── BaseController.php  # Abstract base controller
│   │   ├── AuthController.php  # Login, Register, Reset, Verify
│   │   └── ProfileController.php # Dashboard, Settings
│   │
│   ├── Helpers/
│   │   ├── Router.php          # Lightweight URL router
│   │   └── Security.php        # CSRF, sanitization, validation
│   │
│   └── Mail/
│       └── Mailer.php          # PHPMailer SMTP wrapper
│
└── views/                      # Presentation layer
    ├── layout.php              # Master layout template
    ├── includes/
    │   ├── header.php          # Navigation header
    │   └── footer.php          # Footer
    ├── auth/
    │   ├── login.php
    │   ├── register.php
    │   ├── forgot_password.php
    │   ├── reset_password.php
    │   └── verify.php
    └── profile/
        ├── dashboard.php
        └── settings.php

---

⚙️ Setup

Prerequisites

• PHP 8.2+
• MySQL 5.7+
• Apache with mod_rewrite enabled (XAMPP recommended)
• Composer
• A Gmail account with an App Password

1. Clone the Repository

git clone https://github.com/alricium/php-authentication.git
cd php-authentication

2. Install Dependencies

composer install

3. Create the Database

Open your MySQL client (e.g., phpMyAdmin) and run the schema in .sql:

CREATE DATABASE phpauth;
USE phpauth;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(50) UNIQUE NOT NULL,
    email VARCHAR(100) UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    is_verified TINYINT(1) DEFAULT 0,
    verification_token VARCHAR(64),
    reset_token VARCHAR(64),
    reset_token_expires_at DATETIME,
    remember_token VARCHAR(64),
    login_attempts INT DEFAULT 0,
    lock_until DATETIME,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

4. Configure Environment Variables

Copy and rename the .env file and fill in your details:

# Database
DB_HOST=localhost
DB_NAME=phpauth
DB_USER=root
DB_PASS=your_password

# Gmail SMTP
MAIL_HOST=smtp.gmail.com
MAIL_PORT=587
MAIL_USER=your-email@gmail.com
MAIL_PASS=your-app-password   # Gmail App Password (not your normal password)
MAIL_FROM=your-email@gmail.com
MAIL_FROM_NAME="PHPAuth System"

How to get a Gmail App Password:

1. Go to Google Account → Security
2. Enable 2-Step Verification
3. Go to App Passwords and create one
4. Copy the 16-character password into MAIL_PASS

5. Configure Apache (XAMPP)

Make sure mod_rewrite is enabled in your httpd.conf:

LoadModule rewrite_module modules/mod_rewrite.so

And ensure AllowOverride All is set in httpd-vhosts.conf or the main config for the htdocs directory.

6. Access the App

Open your browser and navigate to:

http://localhost/phpauth/

---

🚀 Usage

Registration Flow

1. Go to /register
2. Fill in username, email, and password
3. Check your email for a verification link
4. Click the link to activate your account
5. You're in! 🎉

Login

• Supports login with username or email
• Optional "Remember me" — keeps you logged in for 30 days using a secure refresh token
• After 5 failed attempts, the account is locked for 5 minutes

Password Reset

1. Go to /forgot-password
2. Enter your account email
3. Click the reset link sent to your inbox
4. Set a new strong password

---

🛡️ Security

PHPAuth is built with security at its core, following OWASP best practices.

Protection	Implementation
Password Storage	bcrypt hashing via password_hash()
CSRF Attacks	Cryptographically secure token per session
SQL Injection	PDO prepared statements everywhere
XSS	htmlspecialchars() on all output
Brute Force	5-attempt lockout with time-based unlock
Session Hijacking	Session regeneration on login
Sensitive Files	.env is never publicly accessible
Email Tokens	bin2hex(random_bytes(32)) — cryptographically secure
Remember Me	Token stored as hash in DB; rotated on each use

---

🎨 UI Design

The frontend is built with a premium Glassmorphism dark-mode aesthetic:

• 🌑 Dark-mode first design
• ✨ Glassmorphism cards with blur and transparency
• 🎯 Tailwind CSS v3 for utility-first styling
• ✍️ Google Fonts (Inter + Outfit) for modern typography
• 🎞️ Smooth micro-animations on interactive elements
• 📐 Fully responsive for mobile, tablet, and desktop

---

🔗 Routes

Method	Path	Action
GET	/	Dashboard (auth required)
GET	/login	Login page
POST	/login	Process login
GET	/register	Registration page
POST	/register	Process registration
GET	/logout	Logout & destroy session
GET	/verify?token=...	Verify email token
GET	/forgot-password	Forgot password page
POST	/forgot-password	Send reset link
GET	/reset-password?token=...	Reset password page
POST	/reset-password	Process password reset
GET	/profile/settings	Account settings
POST	/profile/settings	Update password

---

📦 Dependencies

Package	Version	Purpose
PHPMailer	^7.0	SMTP email delivery

---

🧑‍💻 Contributing

Pull requests are welcome! For major changes, please open an issue first to discuss what you'd like to change.

1. Fork the repository
2. Create your feature branch (git checkout -b feature/AmazingFeature)
3. Commit your changes (git commit -m 'Add some AmazingFeature')
4. Push to the branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

---

📄 License

This project is licensed under the MIT License — see the LICENSE file for details.

---

Built with ❤️ by a Senior PHP Developer

⭐ Star this repo if you found it helpful!