Configuration reference

The bundle is configured under the derafu_platform: key. All values have sensible defaults — most apps need minimal configuration.

# config/packages/derafu_platform.yaml

derafu_platform:

    # ── Identity ────────────────────────────────────────────────────────────
    identity:

        # Entity FQCNs — defaults follow App\Entity\Auth\{Name} convention.
        user_class:                     App\Entity\Auth\User
        organization_class:             App\Entity\Auth\Organization
        role_class:                     App\Entity\Auth\Role
        permission_class:               App\Entity\Auth\Permission
        user_role_class:                App\Entity\Auth\UserRole
        role_permission_class:          App\Entity\Auth\RolePermission
        verification_token_class:       App\Entity\Auth\VerificationToken
        organization_membership_class:  App\Entity\Auth\OrganizationMembership
        organization_invitation_class:  App\Entity\Auth\OrganizationInvitation
        api_key_class:                  App\Entity\Auth\ApiKey
        jwt_token_class:                App\Entity\Auth\JwtToken
        login_record_class:             App\Entity\Auth\LoginRecord
        impersonation_record_class:     App\Entity\Auth\ImpersonationRecord
        team_class:                     App\Entity\Auth\Team
        team_membership_class:          App\Entity\Auth\TeamMembership
        locale_class:                   App\Entity\Auth\Locale
        timezone_class:                 App\Entity\Auth\Timezone

        # Supported locales shown in the language selector.
        supported_locales:
            en: English
            es: Español

        # How long an organization invitation stays valid (seconds).
        invitation_ttl: 604800          # 7 days

        # Seconds after login before sudo mode expires.
        sudo_ttl: 900                   # 15 minutes

        # Account lockout after N consecutive failed logins.
        lockout_max_attempts: 5
        lockout_duration: 1800          # 30 minutes

        # Per-type TTL for one-use verification tokens (seconds, min 60).
        verification_ttl:
            email_verify:  86400        # 1 day
            password_reset: 3600        # 1 hour
            email_change:  86400        # 1 day
            magic_link:    900          # 15 minutes

        # Fixed-window rate limiting per API key. Disabled by default.
        rate_limit:
            enabled: false
            default_limit: 1000         # max requests per window
            default_window: 3600        # window size in seconds
            scope_limits:               # per-scope overrides (optional)
                'write:invoices':
                    limit: 100
                    window: 3600

    # ── Identity UI ─────────────────────────────────────────────────────────
    identity_ui:

        # Your app's base Twig layout. The bundle's templates extend this.
        parent_layout: 'layouts/app.html.twig'

        # Sender address for transactional emails (verification, reset, etc.)
        from_email: [email protected]
        from_name:  App

        # Force users to verify their email before accessing the app.
        require_email_verification: true

    # ── Apps ────────────────────────────────────────────────────────────────
    apps:

        # Entity FQCNs — defaults follow App\Entity\Apps\{Name} convention.
        user_installation_class:         App\Entity\Apps\UserAppInstallation
        organization_installation_class: App\Entity\Apps\OrganizationAppInstallation

        # Catalog overrides: configure app scopes, flags, tags, and
        # which resource classes each app supports. Apps registered as
        # Symfony services (AppDefinitionInterface) are discovered
        # automatically; the catalog section lets you override metadata.
        catalog:
            stripe:
                scopes: [user, organization]
                flags: [featured]
            telegram:
                scopes: [user]
                flags: [featured]
            smtp:
                scopes: [resource]
                resources:
                    - App\Entity\Resource\Project

    # ── Notifications ────────────────────────────────────────────────────────
    notifications:

        # Sender address for notification emails.
        from_email: '%env(MAILER_FROM_EMAIL)%'
        from_name:  '%env(MAILER_FROM_NAME)%'

        # Entity FQCNs — defaults follow App\Entity\Notif\{Name} convention.
        inapp_notification_class:              App\Entity\Notif\InAppNotification
        user_webhook_endpoint_class:           App\Entity\Notif\UserWebhookEndpoint
        organization_webhook_endpoint_class:   App\Entity\Notif\OrganizationWebhookEndpoint
        user_webhook_delivery_class:           App\Entity\Notif\UserWebhookDelivery
        organization_webhook_delivery_class:   App\Entity\Notif\OrganizationWebhookDelivery
        user_notification_preference_class:    App\Entity\Notif\UserNotificationPreference
        user_digest_preference_class:          App\Entity\Notif\UserDigestPreference

        # Webhook delivery log retention policy.
        webhook_delivery_retention:
            max_age_days:    30   # delete deliveries older than N days
            max_per_endpoint: 500 # keep at most N deliveries per endpoint

    # ── API ─────────────────────────────────────────────────────────────────
    api: ~

Container parameters

Every config value is exposed as a container parameter for injection into custom services:

Parameter Example value
derafu_platform.identity.user_class App\Entity\Auth\User
derafu_platform.identity.organization_class App\Entity\Auth\Organization
derafu_platform.identity.invitation_ttl 604800
derafu_platform.identity.sudo_ttl 900
derafu_platform.identity.lockout_max_attempts 5
derafu_platform.identity.lockout_duration 1800
derafu_platform.identity.verification_ttl.email_verify 86400
derafu_platform.identity.verification_ttl.password_reset 3600
derafu_platform.identity.rate_limit.enabled false
derafu_platform.identity.rate_limit.default_limit 1000
derafu_platform.identity.supported_locales ['en' => 'English', ...]
derafu_platform.identity_ui.parent_layout layouts/app.html.twig
derafu_platform.identity_ui.from_email [email protected]
derafu_platform.identity_ui.require_email_verification true
derafu_platform.apps.user_installation_class App\Entity\Apps\UserAppInstallation
derafu_platform.notifications.from_email [email protected]
derafu_platform.notifications.webhook_delivery_retention.max_age_days 30

Service aliases

The bundle aliases every service interface to its default implementation. Type-hint the interface in your constructors:

use Derafu\PlatformBundle\Identity\Contract\Service\RegistrarInterface;
use Derafu\PlatformBundle\Identity\Contract\Service\PermissionCheckerInterface;
use Derafu\PlatformBundle\Identity\Contract\Service\OrganizationManagerInterface;
use Derafu\PlatformBundle\Identity\Contract\Service\InvitationManagerInterface;

public function __construct(
    private readonly RegistrarInterface $registrar,
    private readonly PermissionCheckerInterface $checker,
    private readonly OrganizationManagerInterface $orgManager,
    private readonly InvitationManagerInterface $invitations,
) {}

To swap an implementation, bind your service to the interface in services.yaml:

services:
    Derafu\PlatformBundle\Identity\Contract\Service\PermissionCheckerInterface:
        alias: App\Service\CachingPermissionChecker
On this page
Last updated on 28/05/2026 by Anonymous
Previous
Installation
Next
Entities