padosoft/laravel-rebel-demo

Demo / integration application for the padosoft/laravel-rebel-* enterprise authentication suite.

Package info

github.com/padosoft/laravel-rebel-demo

Type: project

pkg:composer/padosoft/laravel-rebel-demo


README

A real Laravel 13 application that installs, activates and wires together the entire padosoft/laravel-rebel-* suite, and exercises every package end to end — front-end (real browser) and back-end. This is the guarantee gate: proof the ecosystem works together, not just in each package's own unit tests.

Screenshot: Laravel Rebel Web Admin Panel

Badges: Laravel 13 · PHP 8.4 · Playwright · MIT

What this app proves

Every package in the suite is installed and active in one Laravel app, sharing one database, one session and one audit trail:

core · email-otp · step-up · bridge-fortify · channels · channel-twilio · admin-api · admin · sessions · recovery · ai-guard · bot-protection · channel-vonage · channel-bird · channel-telegram · channel-discord · bridge-passkeys · bridge-spatie-otp · bridge-laragear-2fa · bridge-otpz

Each capability has a clickable demo on the landing page (/) so you can exercise it yourself.

Verified end to end (in a real browser + back-end)

Each row gives the flow (with its route), the packages exercised, and what is asserted:

  • Passwordless email-OTP login (/account/login). Packages: core, email-otp. Asserted: start → real email with code → verify → done; the identifier is HMAC'd; email_otp.requested/verified land in the audit.
  • Web Admin Panel (/admin/rebel). Packages: admin, admin-api, core. Asserted: fail-closed Gate, panel shell + assets load, widgets call the API, Audit Explorer shows live cross-package events.
  • Admin API (/rebel/admin/api/v1/*). Packages: admin-api. Asserted: 401 without an admin session (fail-closed), 200 with one.
  • Fortify password login (/login). Packages: bridge-fortify. Asserted: Fortify auth succeeds and its login.succeeded / logout events are mapped into the Rebel audit.
  • Recovery codes (/demo/recovery). Packages: recovery. Asserted: 10 single-use codes; a code verifies once, reuse is rejected, remaining decrements.
  • Sessions & refresh rotation (/demo/sessions). Packages: sessions. Asserted: a refresh token rotates; presenting the old token is flagged as reuse (theft signal).
  • Step-up policy (/demo/stepup). Packages: step-up. Asserted: the checkout-credit-order purpose loads with its assurance + PSD2/SCA dynamic linking on.
  • AI anomaly detection (/demo/ai-guard). Packages: ai-guard. Asserted: the deterministic detector runs over the live audit window and reports cases raised.
  • 9 extras hub (/demo/extras). Packages: bot-protection, channel-vonage/bird/telegram/discord, bridge-passkeys/spatie-otp/laragear-2fa/otpz. Asserted: live DriverRegistry dump, DeliveryChannelRegistry, ProviderRegistry; Turnstile test-key form (passes live + offline); otpz bridge OTP email end-to-end.

channels + channel-twilio boot and register in this app; the Twilio provider is verified against the real Twilio Verify API by its own opt-in live test suite (it sends a real SMS, so it is intentionally not fired on every demo run).
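Added example, not code from the laravel-rebel-sessions package (RefreshTokenStore and its methods are illustrative names): plain PHP showing the refresh-token rotation and reuse detection that the Sessions & refresh rotation row above asserts.

```php
<?php
// Added illustration, not the laravel-rebel-sessions package's code: refresh-token
// rotation with reuse detection, the behaviour /demo/sessions asserts. Tokens are
// stored only as SHA-256 hashes (they are 256-bit random, so a fast hash is enough);
// presenting an already-rotated token is a theft signal and revokes the whole family.
final class RefreshTokenStore
{
    /** @var array<string, array{family: string, revoked: bool}> keyed by token hash */
    private array $tokens = [];
    /** @var array<string, true> session families killed after a reuse signal */
    private array $revokedFamilies = [];

    /** Issue a fresh token; a new login starts a new family, rotation stays in the old one. */
    public function issue(?string $family = null): string
    {
        $family ??= bin2hex(random_bytes(16));
        $token = bin2hex(random_bytes(32));
        $this->tokens[hash('sha256', $token)] = ['family' => $family, 'revoked' => false];
        return $token;
    }

    // Rotate: revoke the presented token and hand out its successor in the same family.
    // Returns ['ok' => true, 'token' => ...] or ['ok' => false, 'reason' => ...].
    public function rotate(string $presented): array
    {
        $key = hash('sha256', $presented);
        $row = $this->tokens[$key] ?? null;
        if ($row === null) {
            return ['ok' => false, 'reason' => 'unknown_token'];
        }
        if (isset($this->revokedFamilies[$row['family']])) {
            return ['ok' => false, 'reason' => 'family_revoked'];
        }
        if ($row['revoked']) {
            // Already rotated: two parties hold it, so the legitimate successor cannot
            // be trusted either. Kill the whole family; the user has to log in again.
            $this->revokedFamilies[$row['family']] = true;
            return ['ok' => false, 'reason' => 'reuse_detected'];
        }
        $this->tokens[$key]['revoked'] = true;
        return ['ok' => true, 'token' => $this->issue($row['family'])];
    }
}

$store = new RefreshTokenStore();
$t1 = $store->issue();
$t2 = $store->rotate($t1)['token'];  // legitimate refresh
$replay = $store->rotate($t1);       // the old token is presented again
$victim = $store->rotate($t2);       // the honest client's successor is refused as well
assert($replay['reason'] === 'reuse_detected' && $victim['reason'] === 'family_revoked');
```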

Extras hub — 9 new packages (/demo/extras)

Each row gives the capability, the package(s), and whether it is live or configure-to-enable:

  • Bot-protection (Turnstile). Package: bot-protection. Live: Cloudflare official test keys (sitekey 1x00000000000000000000AA) always pass; bot.check.passed is recorded in the audit.
  • Vonage SMS/Voice channel. Package: channel-vonage. Configure-to-enable: set VONAGE_API_KEY + VONAGE_API_SECRET.
  • Bird SMS channel. Package: channel-bird. Configure-to-enable: set BIRD_ACCESS_KEY.
  • Telegram delivery channel. Package: channel-telegram. Configure-to-enable: set TELEGRAM_BOT_TOKEN.
  • Discord delivery channel. Package: channel-discord. Configure-to-enable: set DISCORD_WEBHOOK_URL.
  • Passkeys step-up driver. Packages: bridge-passkeys + spatie/laravel-passkeys. Live: driver registered (AAL2 phishing-resistant); full enrollment needs a real WebAuthn device.
  • Spatie OTP step-up driver. Packages: bridge-spatie-otp + spatie/laravel-one-time-passwords. Live: driver registered + exercised via the bridge OTP form (sends an OTP email to Mailtrap).
  • Laragear TOTP step-up driver. Packages: bridge-laragear-2fa + laragear/two-factor. Live: driver registered (AAL2 TOTP); enrollment (QR scan) is not wired in this demo; see the bridge-bug note.
  • Otpz email OTP step-up driver. Packages: bridge-otpz + benbjurstrom/otpz. Live: driver registered + exercised end-to-end (sends an email OTP via Mailtrap, verified in the browser).

The hub renders the live registries — every step-up driver, delivery channel and verification provider actually registered in this boot — plus the Turnstile bot-protection check and the otpz bridge OTP form:

Screenshot (Extras hub): live step-up driver / delivery channel / verification provider registries, bot-protection and otpz step-up

The Audit Explorer, live

The admin panel reads the unified audit log written by every package. After clicking through the demos you can see OTP, recovery, session and Fortify events side by side:

Screenshot: Audit Explorer with live cross-package events

Web Admin Panel

laravel-rebel-admin ships a self-hosted security-operations dashboard (the dark UI above): security overview, OTP/step-up funnels, channel performance, provider health, an audit explorer, device & session trust, risk rules, anomaly cases, an AI copilot and a compliance center — tenant-aware and fail-closed (you must pass the rebel-admin Gate). In this demo /demo/login-as-admin signs you in as the seeded admin so you can open /admin/rebel.

Screenshots

The demo end to end — the landing page, both sign-in paths, the email-OTP step-up, and the live web admin panel. Screenshot captions:

  • Demo home — every capability, with auth state
  • Sign in (Fortify password)
  • Passwordless email-OTP login
  • Step-up: a sensitive action is guarded
  • Step-up: email-OTP challenge
  • Step-up: confirmed → action unlocked
  • Web Admin Panel — Security Overview
  • Web Admin Panel — Audit Explorer (live events)
  • Extras hub — 9 new packages (live registries)
  • Demo home — every capability

Run it in 3 minutes

git clone https://github.com/padosoft/laravel-rebel-demo
cd laravel-rebel-demo

composer install
cp .env.example .env
php artisan key:generate

# SQLite is the default; create the file (Laravel's default path) then migrate + seed
touch database/database.sqlite
php artisan migrate --seed

# publish the suite's config, migrations and the admin panel assets
php artisan vendor:publish --provider="Padosoft\Rebel\Admin\RebelAdminServiceProvider" --force

php artisan serve

Open http://127.0.0.1:8000 and click through the demos.

Start clean (recommended if anything looks off)

If you pulled updates, added packages, or see 404s / stale routes / a login you can't get past, you almost certainly have a stale cache or an un-seeded DB. Reset to a known-good state and restart the server:

cd laravel-rebel-demo

composer update                  # pull the latest rebel-* releases
php artisan optimize:clear       # clear cached routes/config/views (the usual cause of 404s)
php artisan migrate:fresh --seed # recreate the schema + seed users and risk rules
php artisan vendor:publish --provider="Padosoft\Rebel\Admin\RebelAdminServiceProvider" --tag=rebel-admin-assets --force

php artisan serve                # http://127.0.0.1:8000

Always restart php artisan serve after changing routes/packages — a long-running dev server keeps serving the old route table.

Credentials & email

  • Seeded users: admin@demo.test (admin) and demo.customer@example.com, both with the password password.
  • Email goes to Mailtrap when MAIL_MAILER=smtp (set the MAIL_* values in .env); the OTP, step-up and password-reset messages all land in your Mailtrap inbox. Prefer no mailbox? Set MAIL_MAILER=log and read the code from storage/logs/laravel.log.

Rebel vs Shopify — the whole suite, side by side

This demo exists because Rebel does, self-hosted in your own app, what hosted platforms keep behind a black box. How the suite compares to Shopify's customer auth and to plain Laravel:

Columns compared: Laravel Rebel · Shopify · Fortify only · Sanctum/Passport. Capabilities (all live in this demo):

  • Passwordless email-OTP login
  • Risk-based step-up per action
  • PSD2/SCA dynamic linking
  • Refresh-token rotation + reuse detection
  • Single-use, hashed recovery codes
  • Unified, HMAC'd audit trail
  • Self-hosted web admin panel over your data ➖ (hosted)
  • Anomaly detection + advisory AI
  • Self-hosted, you own the data
  • Multi-tenant for your app
  • Bot-protection (Turnstile/reCAPTCHA/hCaptcha) ➖ (hosted)
  • Passkey / WebAuthn step-up
  • TOTP 2FA step-up (laragear, spatie, otpz)
  • Multi-channel delivery (SMS, Telegram, Discord, Voice)

✅ built-in · ➖ partial / hosted-only / opaque · ❌ not available. Shopify is a great hosted product, but it's a closed black box you can't self-host, extend, audit or run multi-tenant. Rebel gives you the same capabilities — and several Shopify doesn't have — in your own Laravel app.
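Added example, not code from the laravel-rebel-recovery package (RecoveryCodes and its methods are illustrative names): plain PHP showing the single-use, hashed recovery codes asserted by the /demo/recovery row and listed as a capability in the comparison above.

```php
<?php
// Added illustration, not the laravel-rebel-recovery package's code: single-use,
// hashed recovery codes as asserted by /demo/recovery. Plaintext codes are shown once
// at generation and never stored; verify() consumes the matching hash, so a code
// passes exactly once, reuse is rejected and remaining() decrements.
final class RecoveryCodes
{
    private const COUNT = 10;
    private const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I confusion
    /** @var list<string> bcrypt hashes of the codes not yet consumed */
    private array $hashes = [];

    /** @return list<string> the plaintext codes, returned exactly once */
    public function generate(): array
    {
        $plain = [];
        $this->hashes = [];
        for ($i = 0; $i < self::COUNT; $i++) {
            $code = '';
            for ($j = 0; $j < 10; $j++) {
                $code .= self::ALPHABET[random_int(0, strlen(self::ALPHABET) - 1)];
            }
            $plain[] = substr($code, 0, 5) . '-' . substr($code, 5);
            // ~50 bits of entropy per code: unlike a 256-bit token, this needs a slow hash.
            $this->hashes[] = password_hash($code, PASSWORD_BCRYPT);
        }
        return $plain;
    }

    /** Constant-time compare via password_verify; a match is removed before returning. */
    public function verify(string $code): bool
    {
        $candidate = strtoupper(str_replace(['-', ' '], '', $code));
        foreach ($this->hashes as $i => $hash) {
            if (password_verify($candidate, $hash)) {
                unset($this->hashes[$i]);
                $this->hashes = array_values($this->hashes);
                return true;
            }
        }
        return false;
    }

    public function remaining(): int { return count($this->hashes); }
}

$codes = new RecoveryCodes();
$issued = $codes->generate();
$first = $codes->verify($issued[3]);  // consumes the code
$reuse = $codes->verify($issued[3]);  // the same code presented again
assert($first && !$reuse && $codes->remaining() === 9);
```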

🔋 Vibe coding with batteries included

This app ships AI batteries — so you (and your AI agent) can extend the demo correctly on the first try:

  • CLAUDE.md — a concise AI working guide (what the demo is, conventions, how it wires the whole padosoft/laravel-rebel-* suite, where the extension points are, Definition of Done). Plain Markdown, so Claude Code, Cursor, Copilot and Codex all read it.
  • .claude/skills/ — invocable skills (at least rebel-package-dev) encoding the suite's TDD loop, the PHPStan-level-max recipes, the security/telemetry rules, and the release discipline used across the packages this app installs.

Open the repo in your AI editor and just start — the rules, guardrails and extension recipes come with it.

License

MIT — see LICENSE. Built by Padosoft.