UserTrait
Defines the complete set of custom property names associated with authenticated user entities in the application domain.
This trait centralizes all user-related schema keys used by the authentication, authorization, identity, session-management, invitation, and RBAC layers of the project.
The constants declared here are intended to:
- Normalize property naming across the codebase
- Avoid hardcoded string literals
- Improve IDE auto-completion and refactoring safety
- Provide a single source of truth for custom user attributes
- Facilitate schema serialization and hydration
- Ensure consistency between models, DTOs, APIs, and persistence layers
This trait aggregates several specialized traits related to:
- Applications
- Permissions
- Protected resources
- Roles
- External or internal services
Typical usage:
$user[ UserTrait::STATUS ] = 'active' ;
Table of Contents
Constants
- ACTIVATED : string = 'activated'
  - Indicates whether the user account has completed its activation flow.
- APP_META_DATA : string = 'appMetadata'
  - Read-only metadata associated with the user.
- APPLICATIONS : string = 'applications'
- APPLICATIONS_COUNT : string = 'applicationsCount'
- BLOCKED_FOR : string = 'blockedFor'
  - Indicates why or for which scope the user is blocked.
- COLOR : string = 'color'
- DEVICES : string = 'devices'
  - Collection of known or trusted user devices.
- FIRST_LOGIN_AT : string = 'firstLoginAt'
  - Timestamp of the user's first successful login.
- INVITATION_STATUS : string = 'invitationStatus'
  - Materialized lifecycle status of the latest invitation associated with the user.
- LAST_LOGIN : string = 'lastLogin'
  - Timestamp of the user's most recent successful authentication.
- LOGINS_COUNT : string = 'loginsCount'
  - Total number of successful user authentications.
- MAX_LEVEL : string = 'maxLevel'
  - Maximum role level assigned to the user across all associated roles.
- METADATA : string = 'metadata'
  - Read/write metadata associated with the user.
- PENDING_EMAIL : string = 'pendingEmail'
  - Email address currently awaiting verification.
- PENDING_EMAIL_CODE_EXPIRES_AT : string = 'pendingEmailCodeExpiresAt'
  - Expiration timestamp of the verification code associated with the pending email workflow.
- PENDING_EMAIL_CODE_HASH : string = 'pendingEmailCodeHash'
  - Secure hash of the verification code associated with the pending email verification workflow.
- PENDING_EMAIL_SINCE : string = 'pendingEmailSince'
  - Timestamp indicating when the pending email workflow started.
- PERMISSIONS : string = 'permissions'
- PERMISSIONS_COUNT : string = 'permissionsCount'
- PROTECTED : string = 'protected'
- ROLES : string = 'roles'
- ROLES_COUNT : string = 'rolesCount'
- SERVICES : string = 'services'
- SERVICES_COUNT : string = 'servicesCount'
- SIGNED_UP : string = 'signedUp'
  - Indicates whether the user completed the signup workflow.
- STATUS : string = 'status'
  - Lifecycle status of the user account.
- SYSTEM : string = 'system'
- TOKENS_INVALID_BEFORE : string = 'tokensInvalidBefore'
  - Epoch-seconds timestamp defining the authentication revocation cutoff for all access tokens issued to the user.
Constants
ACTIVATED
Indicates whether the user account has completed its activation flow.
public string ACTIVATED = 'activated'
This flag is generally set after the first successful authentication or after an email/account verification workflow.
Related model property:
public bool|null $activated ;
APP_META_DATA
Read-only metadata associated with the user.
public string APP_META_DATA = 'appMetadata'
Commonly used for:
- Roles
- Permission snapshots
- VIP flags
- Internal application configuration
- Derived authorization information
Related model property:
public array|object|null $appMetadata ;
APPLICATIONS
public string APPLICATIONS = 'applications'
APPLICATIONS_COUNT
public string APPLICATIONS_COUNT = 'applicationsCount'
BLOCKED_FOR
Indicates why or for which scope the user is blocked.
public string BLOCKED_FOR = 'blockedFor'
This field may contain:
- API restrictions
- Application-specific bans
- Temporary suspension reasons
- Security mitigation contexts
Related model property:
public array|string|null $blockedFor ;
COLOR
public string COLOR = 'color'
DEVICES
Collection of known or trusted user devices.
public string DEVICES = 'devices'
Used to:
- Manage refresh-token associations
- Revoke sessions per device
- Force reauthentication
- Track authenticated environments
Related model property:
public array|null $devices ;
FIRST_LOGIN_AT
Timestamp of the user's first successful login.
public string FIRST_LOGIN_AT = 'firstLoginAt'
Immutable audit-oriented field generally stored in ISO 8601 format.
Related model property:
public string|null $firstLoginAt ;
INVITATION_STATUS
Materialized lifecycle status of the latest invitation associated with the user.
public string INVITATION_STATUS = 'invitationStatus'
Used by administrative interfaces to expose invitation state without requiring additional collection lookups.
Typical values include:
- pending
- accepted
- cancelled
- expired
- revoked
Related model property:
public string|null $invitationStatus ;
LAST_LOGIN
Timestamp of the user's most recent successful authentication.
public string LAST_LOGIN = 'lastLogin'
Related model property:
public string|null $lastLogin ;
LOGINS_COUNT
Total number of successful user authentications.
public string LOGINS_COUNT = 'loginsCount'
Commonly used for:
- Analytics
- User activity indicators
- Security heuristics
- Administrative dashboards
Related model property:
public int|null $loginsCount ;
MAX_LEVEL
Maximum role level assigned to the user across all associated roles.
public string MAX_LEVEL = 'maxLevel'
Materialized helper field mainly used by administrative interfaces to expose hierarchy hints and UX restrictions.
Related model property:
public int|null $maxLevel ;
METADATA
Read/write metadata associated with the user.
public string METADATA = 'metadata'
Typically contains:
- User preferences
- UI customization
- Profile extensions
- Domain-specific settings
Related model property:
public array|object|null $metadata ;
PENDING_EMAIL
Email address currently awaiting verification.
public string PENDING_EMAIL = 'pendingEmail'
Used during email-change workflows where the previously verified email remains authoritative until confirmation succeeds.
Related model property:
public string|null $pendingEmail ;
PENDING_EMAIL_CODE_EXPIRES_AT
Expiration timestamp of the verification code associated with the pending email workflow.
public string PENDING_EMAIL_CODE_EXPIRES_AT = 'pendingEmailCodeExpiresAt'
Usually stored as an ISO 8601 string.
Related model property:
public string|null $pendingEmailCodeExpiresAt ;
PENDING_EMAIL_CODE_HASH
Secure hash of the verification code associated with the pending email verification workflow.
public string PENDING_EMAIL_CODE_HASH = 'pendingEmailCodeHash'
The raw verification code must never be persisted.
Related model property:
public string|null $pendingEmailCodeHash ;
PENDING_EMAIL_SINCE
Timestamp indicating when the pending email workflow started.
public string PENDING_EMAIL_SINCE = 'pendingEmailSince'
Usually stored as an ISO 8601 string.
Related model property:
public string|null $pendingEmailSince ;
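The four PENDING_EMAIL* fields working together in an email-change flow, as an added example that is not the project's own code. The function names, the 6-digit code, the 15-minute lifetime, the 'email' key and the use of password_hash() as the secure hash are assumptions.

```php
<?php
declare(strict_types=1);

// Key values copied from the UserTrait constants on this page.
const PENDING_EMAIL = 'pendingEmail';
const CODE_HASH     = 'pendingEmailCodeHash';
const CODE_EXPIRES  = 'pendingEmailCodeExpiresAt';
const PENDING_SINCE = 'pendingEmailSince';

/** Hypothetical: start an email change; returns [updated user, raw code to send]. */
function startEmailChange(array $user, string $newEmail, DateTimeImmutable $now): array
{
    $code = sprintf('%06d', random_int(0, 999999)); // CSPRNG-backed code
    $user[PENDING_EMAIL] = $newEmail;
    // Only the hash is persisted; the raw code leaves via the outgoing mail only.
    $user[CODE_HASH]     = password_hash($code, PASSWORD_DEFAULT);
    $user[CODE_EXPIRES]  = $now->modify('+15 minutes')->format(DATE_ATOM);
    $user[PENDING_SINCE] = $now->format(DATE_ATOM);
    return [$user, $code];
}

/** Hypothetical: confirm the change; the record is returned unchanged on failure. */
function confirmEmailChange(array $user, string $code, DateTimeImmutable $now): array
{
    $hash    = $user[CODE_HASH] ?? null;
    $expires = $user[CODE_EXPIRES] ?? null;
    if ($hash === null || $expires === null
        || $now >= new DateTimeImmutable($expires)   // expired code
        || !password_verify($code, $hash)) {         // wrong code
        return $user; // the previously verified email stays authoritative
    }
    $user['email'] = $user[PENDING_EMAIL]; // 'email' key is an assumption
    foreach ([PENDING_EMAIL, CODE_HASH, CODE_EXPIRES, PENDING_SINCE] as $k) {
        $user[$k] = null; // single use: clear the workflow state
    }
    return $user;
}

// Constructed sample data.
$now  = new DateTimeImmutable('2024-01-01T12:00:00+00:00');
$user = ['email' => 'old@example.test'];
[$user, $code] = startEmailChange($user, 'new@example.test', $now);

$late = confirmEmailChange($user, $code, $now->modify('+16 minutes'));
$ok   = confirmEmailChange($user, $code, $now->modify('+1 minute'));
echo $late['email'], PHP_EOL, $ok['email'], PHP_EOL;
```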
PERMISSIONS
public string PERMISSIONS = 'permissions'
PERMISSIONS_COUNT
public string PERMISSIONS_COUNT = 'permissionsCount'
PROTECTED
public string PROTECTED = 'protected'
ROLES
public string ROLES = 'roles'
ROLES_COUNT
public string ROLES_COUNT = 'rolesCount'
SERVICES
public string SERVICES = 'services'
SERVICES_COUNT
public string SERVICES_COUNT = 'servicesCount'
SIGNED_UP
Indicates whether the user completed the signup workflow.
public string SIGNED_UP = 'signedUp'
Related model property:
public string|null $signedUp ;
STATUS
Lifecycle status of the user account.
public string STATUS = 'status'
This status controls whether authentication and access are allowed.
Typical values include:
- active
- disabled
- suspended
- pending
Related model property:
public string|null $status ;
SYSTEM
public string SYSTEM = 'system'
TOKENS_INVALID_BEFORE
Epoch-seconds timestamp defining the authentication revocation cutoff for all access tokens issued to the user.
public string TOKENS_INVALID_BEFORE = 'tokensInvalidBefore'
This property is updated during bulk session revocation flows, including:
- Administrative "revoke all sessions" actions
- Self-service "log out everywhere" operations
- Security incident mitigation procedures
During authentication, the middleware compares this value against the JWT iat (issued-at) claim:
token.iat < tokensInvalidBefore
If true, the token is rejected with:
- HTTP status 401 Unauthorized
- revocation reason tokens_revoked
even when the token signature and expiration are still valid.
The value is intentionally stored as an integer epoch timestamp rather than ISO 8601 for extremely fast integer comparisons during authenticated API requests.
A null value means no global token revocation cutoff currently applies to the user.
Related model property:
public int|null $tokensInvalidBefore ;
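The cutoff comparison described above, as an added example that is not the project's own middleware. The function names, the sample records and the fail-closed handling of a missing iat claim are assumptions; the token is presumed to have already passed signature and expiry validation.

```php
<?php
declare(strict_types=1);

// Key value copied from UserTrait::TOKENS_INVALID_BEFORE on this page.
const TOKENS_INVALID_BEFORE = 'tokensInvalidBefore';

/**
 * Hypothetical helper: returns null when the token is accepted,
 * or the rejection details when it falls before the cutoff.
 */
function checkRevocation(array $user, array $claims): ?array
{
    $cutoff = $user[TOKENS_INVALID_BEFORE] ?? null;
    if ($cutoff === null) {
        return null; // no global revocation cutoff applies
    }
    // A token without an integer iat cannot be placed relative to the
    // cutoff, so this sketch fails closed (assumption, not from the page).
    $iat = $claims['iat'] ?? null;
    if (!is_int($iat) || $iat < $cutoff) {
        return ['status' => 401, 'reason' => 'tokens_revoked'];
    }
    return null;
}

/** Hypothetical "revoke all sessions": move the cutoff to the given time. */
function revokeAllSessions(array $user, int $now): array
{
    $user[TOKENS_INVALID_BEFORE] = $now;
    return $user;
}

// Constructed sample data.
$user = ['id' => 'u1', TOKENS_INVALID_BEFORE => null];
$old  = ['sub' => 'u1', 'iat' => 1700000000, 'exp' => 1700003600];

var_dump(checkRevocation($user, $old));           // before any revocation
$user = revokeAllSessions($user, 1700000100);
var_dump(checkRevocation($user, $old));           // issued before the cutoff
// Same-second edge: iat equal to the cutoff is not "<", so a token issued
// in the very second of the revocation is not caught by this comparison.
var_dump(checkRevocation($user, ['sub' => 'u1', 'iat' => 1700000100]));
var_dump(checkRevocation($user, ['sub' => 'u1'])); // iat claim missing
```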