Laravel Sentinellog Laravel Package

harryes/laravel-sentinellog

All-in-one Laravel security and auth logging package: tracks login/logout/failed attempts with device + geo detection, alerts, TOTP 2FA, session management, brute-force protection, geo-fencing, SSO, and new-location verify/deny flows.

Technical Evaluation

Architecture Fit

  • Security Layer Alignment: The package hooks into Laravel's built-in authentication (the Auth facade and guards), its middleware (auth, throttle) and its auth events (Illuminate\Auth\Events\Attempting, Authenticated, Failed, Login, Logout, Lockout). That makes it a good fit for applications that need an audit trail of who signed in from where, anomaly detection on that trail, or evidence for compliance regimes such as GDPR and SOC 2.
  • Modular Design: 2FA, geo-fencing and SSO are optional services that can be switched on one at a time, so a TPM can start with logging alone and add enforcement later. The package does not replace Laravel's auth stack, which keeps it usable in both monolithic apps and service-per-app deployments.
  • Event-Driven Extensibility: The package fires its own events (for example LoginAttempted and SessionHijacked) on top of Laravel's, so custom logic such as Slack alerts or SIEM forwarding attaches with ordinary listeners rather than by modifying the package. Listeners run in the same request the event came from, so anything that needs the client IP or user agent should capture it in the listener, not in a queued job that no longer has a request.
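The listener pattern described above, as an added example that is not code from laravel-sentinellog or its author. It uses Laravel's own auth events and avoids the two mistakes that turn an audit trail into a credential leak: logging $event->credentials as-is (it holds the plaintext password) and marking the listener ShouldQueue for the Failed event (which serializes that password into the queue backend). The subscriber therefore runs inside the request, builds a redacted record, and queues only that record. Assumed, not from the page: Laravel 10+, a configured queue, a log channel named "siem" in config/logging.php, and the class names App\Listeners\ForwardAuthEventsToSiem and App\Jobs\ShipAuthRecord.

```php
<?php
// Added example, not laravel-sentinellog code. Two classes in one file for
// reading; in an app they live in app/Listeners and app/Jobs.
namespace App\Listeners;

use App\Jobs\ShipAuthRecord;
use Illuminate\Auth\Events\Failed;
use Illuminate\Auth\Events\Lockout;
use Illuminate\Auth\Events\Login;
use Illuminate\Auth\Events\Logout;
use Illuminate\Events\Dispatcher;

final class ForwardAuthEventsToSiem
{
    // Credential keys that must never reach a log, whatever the form calls them.
    private const SECRET_KEYS = ['password', 'password_confirmation', 'token', 'otp', 'code', 'secret'];

    // Register once with Event::subscribe(ForwardAuthEventsToSiem::class) in a
    // service provider's boot(). Returning a map is supported since Laravel 8.
    public function subscribe(Dispatcher $events): array
    {
        return [
            Failed::class  => 'onFailed',
            Lockout::class => 'onLockout',
            Login::class   => 'onLogin',
            Logout::class  => 'onLogout',
        ];
    }

    public function onFailed(Failed $event): void
    {
        // Keep the field names (useful for spotting enumeration); drop the values.
        $this->ship('login.failed', $event->guard, $event->user?->getAuthIdentifier(), [
            'credentials' => $this->redact($event->credentials),
        ]);
    }

    public function onLockout(Lockout $event): void
    {
        // Lockout carries the request, not a user or guard. Field names assumed.
        $this->ship('login.lockout', null, null, [
            'identifier' => $event->request->only(['email', 'username']),
        ]);
    }

    public function onLogin(Login $event): void
    {
        $this->ship('login.success', $event->guard, $event->user->getAuthIdentifier(), [
            'remember' => $event->remember,
        ]);
    }

    public function onLogout(Logout $event): void
    {
        $this->ship('logout', $event->guard, $event->user?->getAuthIdentifier());
    }

    private function ship(string $action, ?string $guard, int|string|null $userId, array $extra = []): void
    {
        $request = request(); // still available: this runs inside the request
        ShipAuthRecord::dispatch([
            'action'     => $action,
            'guard'      => $guard,
            'user_id'    => $userId,
            'ip'         => $request->ip(), // the proxy's address unless TrustProxies is configured
            'user_agent' => (string) $request->userAgent(),
            'at'         => now()->toIso8601String(),
        ] + $extra);
    }

    private function redact(array $input): array
    {
        foreach ($input as $key => $value) {
            if (in_array(strtolower((string) $key), self::SECRET_KEYS, true)) {
                $input[$key] = '[REDACTED]';
            }
        }
        return $input;
    }
}

// The only thing that crosses the queue is the already-redacted array.
namespace App\Jobs;

use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Support\Facades\Log;

final class ShipAuthRecord implements ShouldQueue
{
    use Dispatchable, Queueable;

    public function __construct(public readonly array $record) {}

    public function handle(): void
    {
        // One JSON object per line on the SIEM channel (assumed channel name).
        Log::channel('siem')->info(json_encode($this->record, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR));
    }
}
```

Point the siem channel at a JSON formatter on stdout or a vendor handler so the SIEM ingests it without parsing Laravel's default log format. If the package's own events (LoginAttempted, SessionHijacked) carry a request or credentials, apply the same rule to them: redact in the request, queue only the result.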

Integration Feasibility

  • Low Friction for Laravel Apps: Built on the standard extension points (config(), a ServiceProvider, middleware, migrations), so installation is composer require plus publishing the config. No framework modifications are required.
  • Database Schema: Ships migrations for its own tables (the names used in these notes are auth_logs, devices, geo_fences and sso_tokens; confirm them against the package's database/migrations directory before planning). Run the migrations in CI against a throwaway database so schema drift or a conflicting table name surfaces before deployment.
  • Third-Party Dependencies:
    • GeoIP: Relies on geoip2/geoip2 and a MaxMind .mmdb database. The free GeoLite2 databases need a MaxMind account and license key to download and are less accurate than the paid GeoIP2 editions; either way the database file is an operational dependency that must be refreshed.
    • 2FA: Pulls in a QR-code library for the enrollment screen (these notes name phpqrcode). The QR image encodes the user's TOTP secret, so the enrollment page must be served only over TLS, shown once, and never cached or logged.
    • Notifications: Uses Laravel's notification system (the Notifiable trait and the mail channel). SMS needs a channel driver such as the Vonage or Twilio packages, and any scheduling goes through the Laravel scheduler; nesbot/carbon is the date library Laravel already depends on, not a notification channel.

Technical Risk

  • Performance Overhead: Every auth event adds synchronous database writes to the request. Queue the writes for high-traffic apps and ship the log to a dedicated store (Elasticsearch or a SIEM) for analytics instead of querying the primary database.
  • GeoIP Licensing and Privacy: The paid GeoIP2 databases cost money; GeoLite2 is free but needs an account and license key and is less accurate; DB-IP publishes free lite databases in the same .mmdb format. An IP address plus location is personal data under GDPR, so decide retention before enabling geo lookups.
  • Session Hijacking: Set the session cookie to secure, http_only and same_site lax or strict, keep the lifetime short, and make sure the session ID is regenerated on login (Laravel's session guard does this). CSRF is a separate concern handled by the VerifyCsrfToken middleware; Sanctum and Passport configuration does not affect the web session cookie.
  • SSO Token Leaks: Keep SSO tokens short-lived (minutes, not hours), single-use, and recorded server-side so they can be revoked. Sanctum and Passport manage API tokens and do not cover the package's SSO handshake unless that is what it is built on; check the package source before assuming either gives you revocation.
  • Migration Complexity: Test the migrations in staging against a copy of production data. Laravel migrations are not zero-downtime on their own: deploy additive schema changes before the code that depends on them, and avoid long-running ALTERs on a large auth_logs table during peak hours.

Key Questions for TPM

  1. Compliance Requirements:
    • Does the app need tamper-evident audit logs? A row in the app's own database can be edited by anyone with database access, so forward auth events to an external append-only store (a SIEM, or object storage with write-once retention) rather than relying on auth_logs alone.
  2. Scalability Needs:
    • The threshold is login rate, not monthly active users: once synchronous inserts show up in request latency, move the writes to a queue (Laravel Queues on Redis) and batch the inserts.
  3. Existing Auth Flows:
    • Are there custom authentication flows (OAuth2, SAML, social login) that bypass the package's middleware? Logins performed via Auth::login() still fire Laravel's Login event, but no Attempting or Failed event, so brute-force and failed-login features only see the password form.
  4. Monitoring:
    • How will failed-login and lockout alerts reach the existing SIEM (Splunk, Datadog)? Decide the log format (structured JSON on a dedicated channel) before the package is enabled, not after.
  5. User Experience:
    • Will geo-fencing or new-device notifications cause friction? Roll out in monitor-only mode to a subset of users and review the false-positive rate before enforcing.

Integration Approach

Stack Fit

  • Best For:
    • Enterprise SaaS: Multi-tenant apps needing per-tenant audit trails and anomaly detection on logins.
    • Regulated Industries: Healthcare (HIPAA) and payments (PCI DSS) workloads that must retain login activity logs.
    • Legacy Modernization: Apps replacing a home-grown auth layer with Laravel's, where the package adds logging and 2FA without a second custom build.
  • Less Ideal For:
    • Latency-Sensitive Apps: Real-time systems where even a queued write per login is unwelcome, or where the login path sits on the hot loop.
    • Minimalist Auth: Apps that only accept social logins (for example GitHub OAuth) never see a password attempt, so brute-force protection and TOTP add little; new-device alerts may still be worth keeping.

Migration Path

  1. Phase 1: Core Logging (2–4 weeks)
    • Install the package and publish config/sentinellog.php.
    • Enable authentication logging and device tracking first; they only record and never block, so they are the lowest-risk features.
    • Validate that events are recorded via tinker: AuthLog::latest()->take(5)->get() (the model name is the one used in these notes; check the package's namespace).
  2. Phase 2: Security Layers (3–6 weeks)
    • Implement brute-force protection and exercise it (these notes refer to artisan sentinellog:test; failing that, a feature test that submits wrong credentials until lockout does the job).
    • Add geo-fencing. Private addresses such as 192.168.1.1 are absent from every GeoIP database, so tests must either use a public address or stub the resolver; also confirm that the app's trusted-proxy settings yield the client IP and not the load balancer's.
    • Enable 2FA for admin users first (the Laravel Breeze or Jetstream views are a reasonable starting point for the enrollment UI).
  3. Phase 3: Advanced Features (4–8 weeks)
    • Configure the package's SSO flow. If the app also issues API tokens through Sanctum or Passport, decide which system is authoritative for revoking access.
    • Set up new-device notifications; assert on them in tests with Notification::fake() (or Mail::fake() if they are plain mailables).
    • Tune session management (config('session.lifetime'), expire_on_close) to match the sensitivity of the app.

Compatibility

  • Laravel Versions: Read the illuminate/* constraint in the package's composer.json before planning; composer require refuses a Laravel version outside it, and supporting an older release means forking the package, not just loosening a constraint.
  • PHP: Requires 8.2+. The package uses named arguments and attributes (PHP 8.0) and enums (PHP 8.1), none of which change runtime behaviour, but the 8.2 floor rules out older hosts.
  • Database: MySQL, PostgreSQL and SQLite are supported. Run the migrations against the production engine in CI; SQLite tolerates schema details (column types, index lengths) that MySQL rejects.
  • Queue Workers: Asynchronous features such as notifications need a running queue:work process; run it under supervisor (or a container restart policy) in production and alert on failed_jobs growth.
  • Caching: GeoIP lookups are cached with cache()->remember() for 24h. With the array or file cache driver that cache is per-process, so use Redis or another shared store when running more than one app node.

Sequencing

  • Pre-requisites:
    • Laravel 10+ with PHP 8.2+.
    • Run the package's migrations before the first login is recorded; a login that fires before the tables exist errors inside the listener.
    • Environment variables for SENTINELLOG_GEOIP_PATH and the MAIL_* settings (if notifications are enabled).
  • Post-Install Checks:
    • Run php artisan sentinellog:install if the package provides it; otherwise publish the config and migrations with vendor:publish.
    • Verify the tracking middleware is registered. On Laravel 10 it belongs in the web group in app/Http/Kernel.php:
      'web' => [
          \Harryes\SentinelLog\Http\Middleware\TrackLogin::class,
      ],
      On Laravel 11+, which has no Kernel.php, append the same class to the web group inside the withMiddleware callback in bootstrap/app.php. Confirm the class name in the package source; the one shown is the name used in these notes.
  • Rollback Plan:
    • Remove the middleware and service provider registration, then roll back the package's migrations (php artisan migrate:rollback --step=N for the batch that created auth_logs and friends) rather than dropping tables by hand.
    • For a temporary switch-off, set the flag in config/sentinellog.php or .env; config(['sentinellog.enabled' => false]) at runtime only lasts for the current request.

Operational Impact

Maintenance

  • Package Updates:
    • Watch the package's GitHub releases for Laravel major-version support before each framework upgrade; an unsupported package blocks the upgrade.
    • Pin to the current major (composer require harryes/laravel-sentinellog:^1.0) so composer update picks up fixes but not breaking majors.
  • Dependency Management:
    • GeoIP DB: Refresh the .mmdb on a schedule with MaxMind's geoipupdate tool (it reads the account ID and license key from its config file), or with a cron job that downloads into a temporary path, validates the file, and renames it into place atomically so a half-written database is never opened.
    • 2FA Secrets: Each user's TOTP secret is per-user data; it belongs encrypted in the database and must never live in config or .env. "Rotating" it means forcing re-enrollment, so do that only after a suspected compromise of the secrets store, not on a calendar.
  • Logging Retention:
    • Implement log cleanup on a schedule (e.g., AuthLog::where('created_at', '<', now()->subDays(90))->delete()), delete in batches rather than one statement on a large table, and agree the retention window with compliance before deleting anything an investigation may need.
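The retention job above, carried through as an added example (not code from laravel-sentinellog): an Artisan command that deletes in bounded batches, refuses a window of zero, and offers a dry run so the row count can be reviewed before the first real run. Assumed, not from the package: the table name auth_logs with an auto-increment id and a created_at column (the names these notes use; check the package's migrations), and the command class name App\Console\Commands\PruneAuthLogs.

```php
<?php
// Added example, not laravel-sentinellog code.
namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;

final class PruneAuthLogs extends Command
{
    protected $signature = 'auth-logs:prune
        {--days=90 : Delete rows older than this many days}
        {--batch=1000 : Rows per DELETE statement; bounds lock time and replica lag}
        {--dry-run : Report the row count and delete nothing}';

    protected $description = 'Delete authentication log rows past the retention window, in batches';

    public function handle(): int
    {
        $days  = (int) $this->option('days');
        $batch = max(1, (int) $this->option('batch'));

        if ($days < 1) {
            $this->error('--days must be at least 1; refusing to empty the table');
            return self::FAILURE;
        }

        $cutoff  = now()->subDays($days);
        // Table name assumed from these notes; verify against the package migrations.
        $expired = fn () => DB::table('auth_logs')->where('created_at', '<', $cutoff);

        if ($this->option('dry-run')) {
            $count = $expired()->count();
            $this->info("{$count} rows older than {$cutoff->toDateTimeString()} would be deleted");
            return self::SUCCESS;
        }

        $deleted = 0;
        do {
            // Pick the ids first so the delete is a plain WHERE id IN (...), which
            // every supported driver runs without LIMIT-on-DELETE quirks.
            $ids = $expired()->orderBy('id')->limit($batch)->pluck('id');
            if ($ids->isEmpty()) {
                break;
            }
            $deleted += DB::table('auth_logs')->whereIn('id', $ids)->delete();
        } while ($ids->count() === $batch);

        // Retention is itself an auditable action: leave a record of what was removed.
        Log::info('auth_logs pruned', ['cutoff' => $cutoff->toDateTimeString(), 'rows' => $deleted]);
        $this->info("{$deleted} rows deleted");

        return self::SUCCESS;
    }
}
```

Schedule it daily off-peak ($schedule->command('auth-logs:prune')->daily() in the console kernel on Laravel 10, Schedule::command(...) in routes/console.php on 11+), and pause the schedule while an incident is open so evidence is not pruned mid-investigation.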

Support

  • Debugging Tools:
    • Artisan Commands:
      • php artisan sentinellog:test (simulate brute-force attacks).
      • php artisan sentinellog:clear (purge logs for testing; never run it against production).
    • Logging:
      • Check storage/logs/laravel.log for SentinelLog entries (e.g., LoginAttempted); if a dedicated channel is configured, check that channel's output instead.
  • Common Issues:
    • GeoIP Failures: Verify SENTINELLOG_GEOIP_PATH points to a readable .mmdb of the edition the package expects (City vs Country), and that the address being looked up is the client's, not a private or load-balancer address.
    • 2FA QR Codes: Confirm the QR library the package declares is installed (composer show lists it) and that the GD or Imagick extension it renders with is enabled in the PHP build.
    • Session Hijacking: Confirm the session cookie is secure, http_only and same_site lax or strict, and that SESSION_DRIVER is a shared store (database or redis) so sessions can be listed and revoked. SANCTUM_STATEFUL_DOMAINS only matters for SPAs authenticating through Sanctum and does nothing for the web session.
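The cookie settings named in the Session Hijacking items under Technical Risk and Common Issues, shown as an added example (not laravel-sentinellog code) in the form of a config/session.php excerpt. Each comment names the weak value commonly found in .env files; the array holds the hardened one. Everything here is core Laravel configuration; keep the other keys from the stock file (cookie, files, connection, table, store, lottery) when applying it.

```php
<?php
// Added example, not laravel-sentinellog code: hardened excerpt of config/session.php.
return [
    // Weak: 'file' (per-node, cannot be listed or revoked centrally) or 'cookie'
    // (whole session client-side). A shared server-side store is what lets the
    // package's session-management features enumerate and kill sessions.
    'driver' => env('SESSION_DRIVER', 'database'),

    // Weak: SESSION_LIFETIME=10080 (a week) with expire_on_close=false, so a
    // leaked cookie stays valid for a week. Use the shortest idle timeout the UX
    // tolerates and drop the session when the browser closes.
    'lifetime' => (int) env('SESSION_LIFETIME', 120),
    'expire_on_close' => true,

    // Encrypts the stored payload so read access to the DB or Redis does not
    // reveal session contents. The cookie itself is always signed and encrypted.
    'encrypt' => true,

    // Weak: SESSION_SECURE_COOKIE unset (null), so the browser also sends the
    // cookie over plain http:// where a network attacker can capture it.
    'secure' => (bool) env('SESSION_SECURE_COOKIE', true),

    // Keeps document.cookie from reading the session id after an XSS.
    'http_only' => true,

    // Weak: 'none' (only needed for cross-site iframes). 'lax' withholds the
    // cookie on cross-site POSTs, which removes most CSRF vectors by itself;
    // 'strict' if no legitimate cross-site link lands on an authenticated page.
    'same_site' => 'lax',

    // Weak: a parent domain such as '.example.com', which lets every subdomain
    // read and set the cookie. Leave null to scope it to the exact host.
    'domain' => env('SESSION_DOMAIN'),
    'path' => '/',
];
```

Laravel's SessionGuard regenerates the session ID on login; a custom guard must call $request->session()->regenerate() itself, or a pre-login ID planted by an attacker survives authentication. Whatever hijack detection the package adds sits on top of these settings, not in place of them.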

Scaling

  • Horizontal Scaling:
    • Request-Scoped Tracking: Login tracking is per request and keeps no in-process state, so adding app nodes is safe for logging. Brute-force counters and GeoIP caches are the exception: they must live in a shared cache (Redis), or each node enforces its own limit and an attacker spreading requests across N nodes gets N times the budget.
    • Database Load: Point reporting at a read replica or ship the log to Elasticsearch; the primary should only take writes.
  • Performance Tuning:
    • Batch Logs: Buffer events in a queued job and insert them in one statement (AuthLog::insert($rows) with an array of rows). Wrapping single-row inserts in DB::transaction() does not reduce round trips; a multi-row insert does.
    • Cache GeoIP: Cache lookups per IP with Cache::remember() so the .mmdb is read once per address rather than once per request.
  • High Availability:
    • Queue Failures: Monitor the failed_jobs table; a stuck notification job means a user never received a new-device alert, which is a silent security regression.
    • Geo-Fencing:
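As an added example (not code from laravel-sentinellog) covering the geo-fence notes in Phase 2 and the GeoIP caching points under Compatibility and Performance Tuning: a small geo-fence helper that caches lookups per address for 24h, treats private and reserved addresses (the 192.168.x.x used in local testing, which no GeoIP database contains) as unresolvable without a lookup, and makes the fail-open/fail-closed decision explicit. It takes the IP as a parameter so the caller owns the trusted-proxy question; $request->ip() is the load balancer's address unless TrustProxies is configured, and trusting every proxy lets clients forge X-Forwarded-For. Assumed, not from the package: geoip2/geoip2 with a GeoLite2-City database (use country() instead of city() for a Country edition), and the config keys sentinellog.geoip_path, sentinellog.allowed_countries and sentinellog.geofence_fail_open, which are hypothetical.

```php
<?php
// Added example, not laravel-sentinellog code.
namespace App\Security;

use GeoIp2\Database\Reader;
use GeoIp2\Exception\AddressNotFoundException;
use Illuminate\Support\Facades\Cache;
use InvalidArgumentException;

final class GeoFence
{
    public const UNKNOWN = 'ZZ'; // ISO 3166 user-assigned code meaning "could not resolve"

    /** @param string[] $allowedCountries ISO 3166-1 alpha-2, upper case */
    public function __construct(
        private readonly string $mmdbPath,
        private readonly array $allowedCountries,
        private readonly bool $allowUnknown = false,
        private readonly int $cacheTtlSeconds = 86400,
    ) {}

    // Config keys below are assumptions for this example, not package config.
    public static function fromConfig(): self
    {
        return new self(
            (string) config('sentinellog.geoip_path'),
            array_map('strtoupper', (array) config('sentinellog.allowed_countries', [])),
            (bool) config('sentinellog.geofence_fail_open', false),
        );
    }

    /** Country code for the address, cached; UNKNOWN for private or unlisted addresses. */
    public function countryFor(string $ip): string
    {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException("Not an IP address: {$ip}");
        }
        // Private (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved ranges can
        // never resolve; skip the lookup and the cache entry entirely.
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return self::UNKNOWN;
        }

        return Cache::remember("geoip:country:{$ip}", $this->cacheTtlSeconds, function () use ($ip): string {
            try {
                $reader = new Reader($this->mmdbPath);
                return $reader->city($ip)->country->isoCode ?? self::UNKNOWN;
            } catch (AddressNotFoundException) {
                return self::UNKNOWN; // public but unlisted: new allocation, anycast, etc.
            }
        });
    }

    public function allows(string $ip): bool
    {
        $country = $this->countryFor($ip);
        if ($country === self::UNKNOWN) {
            // Fail-open lets unlisted ranges through; fail-closed blocks office VPNs on 10/8.
            return $this->allowUnknown;
        }
        return in_array($country, $this->allowedCountries, true);
    }
}
```

Call allows($request->ip()) only after TrustProxies lists the real load balancer; with the array or file cache driver the 24h cache is per node, so use Redis when running more than one. Tests for the fence should pass a public address, or bind a stub of this class in the container, rather than relying on 192.168.1.1 resolving to anything.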