
Roadmap

Zhao vistart edited this page Dec 2, 2022 · 12 revisions

VERSION 1.0

This version focuses on the most basic functions and is suitable for small, single-domain websites.

Release date: Late September, 2022.

Note: If a feature is "enabled on demand", it will be marked (EoD).

User Active Record, Active Query and Migration

  • ID (Required if GUID not defined; modifiable but not recommended)
    • Rule: integer, unique; either 8 digits starting with '4', or auto-increment.
    • Search by ID: exact match, or prefix/suffix fuzzy match.
  • GUID (Required if ID not defined, Modifiable but not recommended)
    • Rule: binary, 128-bit, Primary key.
  • Password
    • Password Hash, bcrypt.
    • Authentication Key, unique, not null.
    • Access Token, unique, not null.
    • Password Reset Token, unique, default null.
  • IP Address
    • Record the IP address when registering.
    • Supports IPv4 and IPv6.
  • Status
    • 0: disabled. The user is permanently disabled and cannot be re-enabled. All permissions have been disabled.
      • UserNotActiveException is thrown if the user is not active.
    • 1: enabled. This user is enabled for any authorized activity.
  • Source
    • 0: Self-registration.
    • 1: By-invitation.
  • Type
    • 0: Individual
    • 1: Organization
    • 2: System
  • Associated Active Record.
    • Support (EoD) associated active record.
  • Rules are all configurable.
  • Active Query
    • Searched by GUID, internal.
    • Searched by ID.
    • Searched by Access Token.
    • Searched by the specified (registration, last updated) time period, such as yesterday, or the last year.
    • Searched by the specified IP address (segment), such as 192.168.0.*, or 172.26.*.*.
    • Any one or more of the above conditions.

Profile Active Record, Active Query and Migration

  • Could be enabled on demand with User.
  • GUID (same as the User's).
  • Nickname.
  • First name and Last name.
  • Gender.
  • Timezone.
  • Biography.
  • Rules are all configurable.
  • Searchable through the User's Active Query:
    • Searched by Nickname.
    • Searched by Gender.
    • Any one or more of the above conditions, plus the conditions listed under User.

Username Active Record, Active Query and Migration

  • Could be enabled on demand with User.
  • GUID (same as the User's).
  • Username rule: string, length 5 to 32, must not start with a digit and must not be a pure number.
  • Could be used as login identifier.
  • Could be searched for.
  • Rules are all configurable.
  • Active Query:
    • Search by username.

Registration and Deregistration

  • Register widget:
    • Username field: additional; whether it is required and shown depends on whether the username function is enabled.
  • Register in the console application:
    • Specify ID, Username (can be enabled on demand), Profile (can be enabled on demand).
  • Register by invitation:
    • Invited by a user
    • Invitation Code

Login and Logout

  • LoginMethod:
    • ID (Required).
    • Username (can be enabled on demand).
  • Login widget:
    • A single login identifier field that automatically distinguishes ID, username, etc.
    • Captcha: can be enabled on demand.
  • Login Log:
    • Log every successful login.
    • The contents of the record include IP address and time.

Password History Active Record, and Migrations

  • Can be enabled on demand.
  • Can determine whether a password has ever been used.
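
As an added illustration (not part of the roadmap or the project's own code), a plain-PHP check of the "has ever been used" rule against a bcrypt history; function names and the sample passwords are assumptions:

```php
<?php
// Added example, not the project's code: plain PHP, no Yii classes.
// bcrypt embeds a random salt, so two hashes of the same password differ;
// reuse cannot be detected by comparing hash strings. Each stored hash has
// to be verified against the candidate password instead.

/** Hash a password with bcrypt (PHP's PASSWORD_BCRYPT). */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * True if $candidate matches any hash in the user's history.
 * $history holds previous bcrypt hashes, newest first.
 */
function passwordWasUsed(string $candidate, array $history): bool
{
    foreach ($history as $oldHash) {
        if (password_verify($candidate, $oldHash)) {
            return true;
        }
    }
    return false;
}

/** Prepend a new hash, keeping at most $limit entries (the "10 records" rule). */
function recordPassword(array $history, string $newHash, int $limit = 10): array
{
    array_unshift($history, $newHash);
    return array_slice($history, 0, $limit);
}

// Constructed sample history: two earlier passwords for one user.
$history = [hashPassword('Autumn-2022-x'), hashPassword('Spring-2021-y')];

$reused = passwordWasUsed('Autumn-2022-x', $history);   // a password from the history
$fresh  = passwordWasUsed('Winter-2023-z', $history);   // a password never used before
// Re-hashing the same password yields a different string, hence the verify loop:
$sameString = hashPassword('Autumn-2022-x') === $history[0];
$history = recordPassword($history, hashPassword('Winter-2023-z'));
```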

Role-based Access Control

  • Three basic roles:
    • User (Default)
    • Admin
    • WebMaster
  • Permissions
    • GrantAdmin
    • CreateUser
    • RevokeAdmin
    • DeleteMyself
    • DeleteUser
    • UpdateAdmin
    • UpdateMyself
    • UpdateUser

yii2-debug Panel: User

  • Display detail of current logged-in user.
    • User Active Record.
    • Username Active Record, if enabled.
    • Profile Active Record, if enabled.
    • LoginLog Active Record, if enabled.
    • PasswordHistory Active Record, if enabled.
    • roles and permissions, if enabled.

International

  • Automatically determine the display language based on the environment.
  • Languages:
    • English.
    • Chinese.

Database adaptations

  • MySQL
    • 8.0

VERSION 2.0

This version enhances the previous one, adding a variety of user attributes to improve security and adaptability. It also adds the administration back-end function.

Release date: Late September, 2023.

Note: subsequent versions list only the changes.

User Active Record, Active Query and Migration

  • Status
    • 2: suspended. The user cannot log in; all permissions are retained.
    • 3: restricted. The user can still log in, but can only perform specified actions.
  • Source
    • 2: Automatically generated by administrator.
    • 3: Automatically generated by associated third-party.

Verifiable Interface

  • Initial.
  • Approve.
  • Cancel.

Username Active Record, Active Query and Migration

  • Users can choose whether their username can be searched.

UserEmail Active Record, Active Query and Migration

  • A user can have multiple email addresses.
    • Could be used as login identifier.
  • Verified
    • 0: not verified.
    • 1: verified.
  • Could be searched:
    • Login Method: choose one of verified email addresses.
    • Users can choose whether their email address can be searched.

UserPhone Active Record, Active Query and Migration

  • A user can have multiple phone numbers.
    • Could be used as login identifier.
  • Verified
    • 0: not verified.
    • 1: verified.
  • Could be searched:
    • Login Method: choose one of verified phone numbers.
    • Users can choose whether their email can be searched.

User Access Token Active Record, Active Query and Migration

This access token is different from the user model's token property. It is issued for a specific application scenario, so the same user gets different tokens in different scenarios. The user model's token property can only be used in internal stateless scenarios.

For example:

  1. The current user authorizes a third-party application, and the access token issued in this scenario is permanently valid.
  2. The current user temporarily logs in to an application, and the issued access token expires after a period of time, such as 30 minutes.

Since this feature may be accessed frequently, the Active Record should be adapted to MongoDB or Redis first.

  • Field:
    • name.
  • Apply (request a token):
    • for a single use, or a limited number of uses.
    • for a limited duration, such as 5 minutes, 24 hours, 90 days, or forever.
    • for a limited IP address (segment), such as 192.168.0.*.
    • for some of the associated applications, or without limit.
    • by an associated application.
    • by the user, for use wherever the user wants.
  • Rate limit:
    • The maximum number of uses within the specified time period.
  • Security:
    • The access token expires immediately after the user changes the password or is no longer enabled.
  • Statistics and log:
    • IP address and timestamp of each call.
    • Log each call, and limit the number of log entries and the maximum retention time.
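
As an added illustration (not part of the roadmap or the project's own code), a plain-PHP check that applies the scope, duration, IP-segment, use-count and password-change rules listed above to one call; the array keys and function names are assumptions:

```php
<?php
// Added example, not the project's code: plain PHP (7.4+) modelling the scoped
// access token described above. A token is an array with the assumed keys
// app, issued_at, expires_at (PHP_INT_MAX = forever), uses_left (null =
// unlimited) and ip_pattern (e.g. "192.168.0.*"; "*.*.*.*" = any address).

/** Match an IPv4 address against a "192.168.0.*"-style segment pattern. */
function ipMatchesSegment(string $ip, string $pattern): bool
{
    $regex = '/^' . str_replace('\*', '\d{1,3}', preg_quote($pattern, '/')) . '$/';
    return preg_match($regex, $ip) === 1;
}

/**
 * Return the reason a call is refused, or null when it is allowed (consuming
 * one use). The token dies as soon as the user changes the password after
 * the issue time or is no longer enabled, as the Security item above requires.
 */
function checkToken(array &$t, string $app, string $ip, int $now,
                    bool $userEnabled, int $passwordChangedAt): ?string
{
    $refusals = [
        [!$userEnabled, 'user not enabled'],
        [$passwordChangedAt > $t['issued_at'], 'password changed after issue'],
        [$now >= $t['expires_at'], 'expired'],
        [$t['app'] !== $app, 'token belongs to another application'],
        [!ipMatchesSegment($ip, $t['ip_pattern']), 'ip outside permitted segment'],
        [$t['uses_left'] !== null && $t['uses_left'] <= 0, 'no uses left'],
    ];
    foreach ($refusals as [$refused, $reason]) {
        if ($refused) {
            return $reason;
        }
    }
    if ($t['uses_left'] !== null) {
        $t['uses_left']--;
    }
    return null;
}

// Constructed sample: a single-use, 30-minute token for "mobile-app",
// restricted to the 192.168.0.* segment.
$issued = 1700000000;
$token = ['app' => 'mobile-app', 'issued_at' => $issued, 'expires_at' => $issued + 1800,
          'uses_left' => 1, 'ip_pattern' => '192.168.0.*'];
$first = checkToken($token, 'mobile-app', '192.168.0.42', $issued + 60, true, 0);
$second = checkToken($token, 'mobile-app', '192.168.0.42', $issued + 61, true, 0);      // second call on a single-use token
$afterPw = checkToken($token, 'mobile-app', '10.0.0.9', $issued + 62, true, $issued + 10); // wrong segment and password changed since issue
```

Each call also produces the IP address and timestamp that the statistics and log items above record; that write is left out of the block.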

Registration and Deregistration

  • Register widget:
    • Captcha field, additional, configurable.
  • Registration Security:
    • Registration is suspended when:
      • the total number of users has reached the limit.
      • the number of users registered within the specified time period has reached the limit.
      • the number of users registered from the specified IP address (segment) has reached the limit.
      • any one or more of the above conditions hold.
    • Conditionally enable captcha:
      • shown once the number of users registered from the IP address (segment) has reached the threshold.
    • Whether the security policy also applies to registration by invitation is configurable.
  • Register by invitation:
    • Invited by a user with invite permissions.
    • The remaining number of uses of the invitation code, or its validity period.
    • Prefabricated data before invitation, such as VIP user roles, pre-issued coupons, etc.

Login and Logout

  • LoginMethod:
    • Email (can be enabled on demand).
  • Login widget:
    • Captcha: can be enabled on demand.
  • Login Log:
    • Log every successful and failed login.
  • Login Security:
    • The number of failed logins allowed per period, such as 20 per day, configurable.
    • The number of failed logins allowed per IP address (segment), such as 20 per IP address (segment), configurable.
    • Any one or more of the above conditions.
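
As an added illustration (not part of the roadmap or the project's own code), a plain-PHP counter that applies the two failed-login limits above to a constructed event log; the same counter covers the per-period and per-IP-segment registration-suspension conditions in the Registration Security section. Function names, the log layout and the sample data are assumptions:

```php
<?php
// Added example, not the project's code: applies the two configurable
// failed-login limits above to a constructed in-memory event log. The same
// counter serves the registration-suspension conditions (per period and per
// IP segment): count 'register' events instead of 'login_failed'.

/** Reduce an IPv4 address to its /24 segment, e.g. 192.168.0.42 -> 192.168.0.*. */
function ipSegment(string $ip): string
{
    $p = explode('.', $ip);
    return count($p) === 4 ? "$p[0].$p[1].$p[2].*" : $ip;
}

/** Count events of $type within the last $window seconds that satisfy $filter. */
function countRecent(array $log, string $type, int $now, int $window, callable $filter): int
{
    $n = 0;
    foreach ($log as $e) {
        if ($e['type'] === $type && $e['ts'] > $now - $window && $filter($e)) {
            $n++;
        }
    }
    return $n;
}

/** Null if the attempt may proceed, else the limit that blocks it: failed logins
 *  per user per period (default 20 per day) or per IP segment per period. */
function loginThrottleReason(array $log, int $userId, string $ip, int $now,
                             int $perUser = 20, int $perSegment = 20, int $window = 86400): ?string
{
    $byUser = countRecent($log, 'login_failed', $now, $window, fn($e) => $e['user'] === $userId);
    if ($byUser >= $perUser) {
        return 'too many failed logins for this user';
    }
    $segment = ipSegment($ip);
    $bySegment = countRecent($log, 'login_failed', $now, $window, fn($e) => ipSegment($e['ip']) === $segment);
    if ($bySegment >= $perSegment) {
        return 'too many failed logins from this IP segment';
    }
    return null;
}

// Constructed sample log: 20 failures from 192.168.0.x within the last hour.
$now = 1700000000;
$log = [];
for ($i = 0; $i < 20; $i++) {
    $log[] = ['type' => 'login_failed', 'user' => 40000000 + $i, 'ip' => "192.168.0.$i", 'ts' => $now - 60 * $i];
}
$sameSegment = loginThrottleReason($log, 40000099, '192.168.0.200', $now);  // shares the /24 with the failures
$otherSegment = loginThrottleReason($log, 40000099, '10.0.0.1', $now);      // different segment, no failures of its own
```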

Password History Active Record, and Migrations

  • Limit the number of records per user:
    • by count, such as 10 records, or unlimited.
    • by retention period, such as 3 years, or forever.

For administration

  • Statistics:
    • Total users:
      • registered.
      • disabled.
      • source.
    • Daily report:
      • newly registered.
      • newly logged-in.
      • newly deregistered.
      • newly restricted.
  • Edit users:
    • Password.
    • Profile, if enabled.
    • Username, if enabled.
    • Email, if enabled.
    • Phone, if enabled.
    • Enable, disable, restrict, or suspend a user, and leave a reason.
  • Control
    • Registration
    • Login
  • Import and Export
    • Partial or full import or export can be selected.

Multiple database adaptations

  • MySQL
    • 8.0
    • 5.7
    • 5.6
  • PostgreSQL
    • 15
    • 14
    • 13
  • MariaDB
    • 10.9
    • 10.8
    • 10.7
  • MongoDB (Cache, Log)
    • 6.0
    • 5.0
  • Redis (Cache, Log)
    • 5.x
    • 6.x
    • 7.x

VERSION 3.0

This version focuses on a wider range of application scenarios, in particular adding "single sign-on", "SSL/TLS everywhere", "caching everywhere", "RESTful API everywhere", "configurable everywhere", "distributed", "customizable permissions and roles", "non-stop maintenance support", "broader database adaptability", "microservices and containerization (Inversion of Control)", "audit of user and admin behavior", "risk control strategy", "log and report API" and other features.

Release date: Late September, 2024.

Login and Logout

  • Login Method:
    • All login identifiers can be cached and dynamically updated in Redis or MongoDB.
  • Login widget:
    • Ability to use third-party verification services, such as Captcha, Mobile Phone, Email, etc.
  • Security:
    • All successful and failed login logs can be stored in Redis or MongoDB.

Multiple database adaptations

  • MySQL
    • 8.0
    • 5.7
    • 5.6
    • 5.5
  • PostgreSQL
    • 15
    • 14
    • 13
    • 12
  • MariaDB
    • 10.9
    • 10.8
    • 10.7
    • 10.6
  • MongoDB (Cache, Log, Rate Limiter)
    • 6.x
    • 5.x
    • 4.x
  • Redis (Cache, Log, Rate Limiter)
    • 4.x
    • 5.x
    • 6.x
    • 7.x
    • 8.x