Yii.Rocks Voyti

YiiRocks/Voyti

voyti is a highly customizable user management, authentication, and authorization extension for Yii Framework 3, ported from 2amigos/yii2-usuario.

Installation

composer require yiirocks/voyti

Optional packages:

composer require yiirocks/recaptcha
composer require chillerlan/php-authenticator chillerlan/php-qrcode

Quick Start

1. Run migrations

php yii migrate

Five migrations create the user, profile, social_account, token, and session_history tables with all columns included.

2. Configure the module (optional)

Sensible defaults are auto-registered via the Yii3 config plugin — no manual setup is required. To customize, override ModuleConfig in config/params.php:

use YiiRocks\Voyti\ModuleConfig;

return [
    ModuleConfig::class => new ModuleConfig(
        enableRegistration: true,
        allowPasswordRecovery: true,
        enableTwoFactorAuthentication: true,
        recaptchaVersion: 'v3',
        emailChangeStrategy: 1,
        enableGdprCompliance: true,
        maxPasswordAge: 90,
        enableRestApi: true,
    ),
];

3. Done

Routes, DI bindings, event listeners, and console commands are all auto-registered. The package works out of the box under the /voyti URL prefix. REST API routes (under /voyti/api/v1) are enabled when enableRestApi is true.

Configuration

ModuleConfig provides the following options, all configurable via named arguments:

General

Option                           Type  Default  Description
enableRegistration               bool  true     Allow new user registration
enableEmailConfirmation          bool  true     Require email confirmation
allowPasswordRecovery            bool  true     Allow password recovery
allowAccountDelete               bool  false    Allow users to delete their account
generatePasswords                bool  false    Auto-generate passwords on registration
enableAutoLogin                  bool  true     Auto-login after registration
allowUnconfirmedEmailLogin       bool  false    Allow login without email confirmation
enableSocialNetworkRegistration  bool  true     Allow social network registration
rememberLoginLifespan            int   1209600  Remember-me duration in seconds
tokenConfirmationLifespan        int   86400    Confirmation token validity in seconds
tokenRecoveryLifespan            int   21600    Recovery token validity in seconds

Security & Passwords

Option                       Type     Default                             Description
blowfishCost                 int      10                                  Bcrypt cost factor
maxPasswordAge               ?int     null                                Max password age in days (null = no limit)
minPasswordRequirements      array    ['lower'=>1,'digit'=>1,'upper'=>1]  Minimum character type requirements
disableIpLogging             bool     false                               Disable IP address logging
administrators               array    []                                  Admin user IDs or usernames
administratorPermissionName  ?string  null                                Permission name for admin access

Two-Factor Authentication

Option                                    Type   Default  Description
enableTwoFactorAuthentication             bool   false    Enable 2FA
twoFactorAuthenticationForcedPermissions  array  []       Permissions that require 2FA
twoFactorAuthenticationCycles             int    1        2FA code generation cycles

GDPR Compliance

Option                   Type     Default  Description
enableGdprCompliance     bool     false    Enable GDPR features
gdprPrivacyPolicyUrl     ?string  null     URL to privacy policy
gdprAnonymizePrefix      string   'GDPR'   Prefix for anonymized usernames
gdprRequireConsentToAll  bool     false    Require consent on all pages

Email

Option               Type   Default  Description
emailChangeStrategy  int    1        0=insecure, 1=default (confirm new), 2=secure (confirm both)
mailParams           array  [...]    Mail from address and subject overrides

Session & reCAPTCHA

Option                 Type       Default  Description
enableSessionHistory   bool       false    Track session history
numberSessionHistory   int|false  false    Max sessions to keep per user
timeoutSessionHistory  int|false  false    Session timeout in seconds
recaptchaVersion       ?string    null     'v2', 'v3', or null to disable

REST API

Option           Type    Default   Description
enableRestApi    bool    false     Enable REST API
adminRestPrefix  string  'api/v1'  REST API URL prefix
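
A security-oriented override for config/params.php built only from the options listed above, with each default noted beside the changed value. This is an added example, not part of the project's documentation; the numeric values and the permission name manageUsers are illustrative assumptions.

```php
<?php

declare(strict_types=1);

// config/params.php (added example; values are illustrative assumptions)

use YiiRocks\Voyti\ModuleConfig;

return [
    ModuleConfig::class => new ModuleConfig(
        // Account lifecycle
        enableEmailConfirmation: true,       // default: require a confirmed address
        allowUnconfirmedEmailLogin: false,   // default: no login before confirmation
        generatePasswords: false,            // default: users choose their own password
        emailChangeStrategy: 2,              // default 1; 2 = secure (confirm both)

        // Token and cookie lifetimes, in seconds
        tokenRecoveryLifespan: 3600,         // default 21600 (6 hours)
        tokenConfirmationLifespan: 86400,    // default (24 hours)
        rememberLoginLifespan: 604800,       // default 1209600 (14 days)

        // Passwords
        blowfishCost: 12,                    // default 10; each +1 doubles bcrypt work
        maxPasswordAge: 90,                  // default null (no limit); unit is days
        minPasswordRequirements: ['lower' => 1, 'digit' => 1, 'upper' => 1],

        // Two-factor authentication
        enableTwoFactorAuthentication: true, // default false
        twoFactorAuthenticationForcedPermissions: ['manageUsers'], // hypothetical name

        // Admin access through an RBAC permission rather than a fixed ID list
        administrators: [],
        administratorPermissionName: 'manageUsers', // hypothetical name

        // Audit trail
        disableIpLogging: false,             // default: IP addresses stay logged
        enableSessionHistory: true,          // default false
        numberSessionHistory: 10,            // default false; illustrative cap per user
        timeoutSessionHistory: 7200,         // default false; illustrative, seconds

        // Exposed surface
        enableRestApi: false,                // default: leave off unless the API is used
        recaptchaVersion: 'v3',              // default null (disabled)
    ),
];
```

The redirects for maxPasswordAge and twoFactorAuthenticationForcedPermissions are carried out by PasswordAgeEnforceMiddleware and TwoFactorAuthenticationEnforceMiddleware, described under Middleware.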

Console Commands

Command         Description
voyti:create    Create a new user
voyti:delete    Delete a user
voyti:confirm   Confirm a user's email
voyti:password  Change a user's password

Middleware

Three PSR-15 middleware classes for access control:

Middleware                                Description
AccessRuleMiddleware                      Redirects non-admin users; checks administratorPermissionName
PasswordAgeEnforceMiddleware              Redirects to password change when maxPasswordAge is exceeded
TwoFactorAuthenticationEnforceMiddleware  Redirects to 2FA setup when required permissions are assigned

Register them in your application's middleware pipeline as needed.

RBAC Management

Built on yiisoft/rbac. The extension provides a full admin UI for managing permissions, roles, and rules with parent-child hierarchy support, assignment management, and filtering. Default roles are configured in config/rbac.php:

return [
    'rbac' => [
        'guest' => [],
        'user' => [],
        'admin' => [],
    ],
];

Social Authentication

Nine built-in auth clients are included:

  • Facebook, GitHub, Google, Keycloak
  • LinkedIn, Microsoft365, Twitter, VKontakte, Yandex

Each implements the auth client interface and maps provider attributes to the SocialNetworkAccount entity. The service layer handles account lookup, creation, linking, and user login.

Views

Web Views

Web views are in src/resources/views/bootstrap5/ and use the @voytiViews alias. Override via Yii3 View theme pathMap:

// config/params.php
'yiisoft/view' => [
    'theme' => [
        'pathMap' => [
            '@voytiViews' => [
                '/path/to/your/custom/views',
                '@voyti/resources/views/bootstrap5',
            ],
        ],
    ],
],

Mail Views

Mail templates use the @voytiMail alias — separate from web views so they can be overridden independently:

'yiisoft/view' => [
    'theme' => [
        'pathMap' => [
            '@voytiMail' => [
                '/path/to/your/custom/mail',
                '@voyti/resources/mail',
            ],
        ],
    ],
],

Testing

# Unit tests (264 tests, 3509 assertions)
composer phpunit

# Mutation testing (275 mutants, 100% MSI)
composer infection

# Code style
composer php-cs-fixer

# Static analysis
composer psalm

# Mess detector
composer phpmd

Support

GitHub issues: Create an Issue