定制 preverus/preverus-php 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

preverus/preverus-php

Composer 安装命令:

composer require preverus/preverus-php

包简介

Framework-agnostic PHP client for Preverus fraud decisions, events, lookups, and webhooks.

README 文档

README

Framework-agnostic PHP client for Preverus backend enforcement.

Use this package when your application already loads the hosted Preverus browser script and your backend needs to make trusted server-side calls with a private server key.

Install

composer require preverus/preverus-php

Requires PHP 8.1+ and ext-json.

Browser And Server Flow

For server-rendered or non-JS-build sites, load the hosted script in your HTML:

<script
  src="https://cdn.preverus.com/v1/preverus.js"
  data-preverus-key="pk_live_xxx"
  data-preverus-auto="true"
  data-preverus-track-forms="true"
></script>

<form method="POST" action="/register" data-preverus-action="signup">
  <input name="email" type="email">
  <button type="submit">Create account</button>
</form>

Before submit, the script attaches:

preverus_fingerprint
preverus_visitor_id
preverus_risk_session_token
preverus_browser_session_event_id

Your backend sends those fields to Preverus with your private server key before approving sensitive actions.

Never put your server key in browser code.

Quick Start

use Preverus\Client;

$client = new Client($_ENV['PREVERUS_SERVER_KEY']);

$decision = $client->decisions()->evaluate([
    'event_type' => 'signup',
    'user_id' => 'acct_42',
    'ip' => $_SERVER['REMOTE_ADDR'] ?? null,
    'risk_session_token' => $_POST['preverus_risk_session_token'] ?? null,
    'fingerprint' => $_POST['preverus_fingerprint'] ?? null,
    'metadata' => [
        'email' => $_POST['email'] ?? null,
        'browser_session_event_id' => $_POST['preverus_browser_session_event_id'] ?? null,
    ],
], visitorId: $_POST['preverus_visitor_id'] ?? null);

if ($decision->isBlock()) {
    http_response_code(403);
    exit('Unable to create account.');
}

if ($decision->isReview()) {
    // Trigger step-up auth, hold the action, or route to manual review.
}

// Continue signup, login, checkout, withdrawal, or payout.

Prefer risk_session_token when available. It references the stored browser session collected by the hosted script. The token lets Preverus use the full browser/device context without your backend handling raw browser feature vectors.

Configuration

$client = new Client($_ENV['PREVERUS_SERVER_KEY'], [
    'endpoint' => 'https://api.preverus.com',
    'timeout_ms' => 1500,
    'connect_timeout_ms' => 500,
    'retries' => 2,
    'retry_delay_ms' => 150,
    'max_retry_delay_ms' => 1000,
]);

Default retry behavior is intentionally conservative for web requests. The client retries transient network failures and these statuses:

408, 409, 425, 429, 500, 502, 503, 504

The client does not retry validation or authentication errors such as 400, 401, 403, or 422.

For POST calls, pass an idempotency key when the operation may be retried:

$decision = $client->decisions()->evaluate(
    input: [...],
    visitorId: $visitorId,
    idempotencyKey: 'signup:acct_42:' . bin2hex(random_bytes(16)),
);

Decisions

$decision = $client->decisions()->evaluate([
    'event_type' => 'withdraw',
    'user_id' => 'acct_42',
    'ip' => '203.0.113.10',
    'risk_session_token' => 'signed_token_from_browser',
    'metadata' => [
        'payment_address' => '0xabc123',
    ],
], visitorId: 'v_abc123');

$decision->recommendedAction(); // allow, review, block, or deny
$decision->isAllow();
$decision->isReview();
$decision->isBlock();
$decision->toArray();

Recommended production behavior:

allow  -> proceed
review -> step-up auth, hold, or manual review
block  -> deny or hard challenge

Events

Use events for fraud-relevant activity that does not need a synchronous decision.

$event = $client->events()->create([
    'event_type' => 'login',
    'user_id' => 'acct_42',
    'ip' => '203.0.113.10',
    'fingerprint' => $fingerprint,
    'metadata' => [
        'email' => 'person@example.com',
    ],
], visitorId: 'v_abc123');

Visitor Lookup

$visitor = $client->visitors()->lookup(visitorId: 'v_abc123');
$visitor = $client->visitors()->lookup(fingerprint: 'fp_hash');

Metadata Lookup

$result = $client->metadata()->lookup('email', 'person@example.com');
$graph = $client->metadata()->graph('v_abc123');

Use metadata lookup for values such as email, phone, username, and payment address when you want to understand reuse across users or visitors.

Webhook Verification

$valid = $client->webhooks()->verify(
    rawBody: file_get_contents('php://input'),
    timestamp: $_SERVER['HTTP_X_FRAUD_WEBHOOK_TIMESTAMP'] ?? '',
    signatureHeader: $_SERVER['HTTP_X_FRAUD_WEBHOOK_SIGNATURE'] ?? '',
    secret: $_ENV['PREVERUS_WEBHOOK_SECRET'],
);

if (!$valid) {
    http_response_code(400);
    exit('Invalid signature');
}

Reject webhook requests when:

  • The signature is missing or invalid.
  • The timestamp is older than 5 minutes.
  • The webhook ID has already been processed.

Webhook delivery is at-least-once, so store X-Fraud-Webhook-Id or payload id as an idempotency key.

You can also verify, parse, and dispatch events in one flow:

$event = $client->webhooks()->constructEvent(
    rawBody: file_get_contents('php://input'),
    headers: [
        'X-Fraud-Webhook-Timestamp' => $_SERVER['HTTP_X_FRAUD_WEBHOOK_TIMESTAMP'] ?? '',
        'X-Fraud-Webhook-Signature' => $_SERVER['HTTP_X_FRAUD_WEBHOOK_SIGNATURE'] ?? '',
    ],
    secret: $_ENV['PREVERUS_WEBHOOK_SECRET'],
);

if (alreadyProcessed($event->id())) {
    http_response_code(204);
    exit;
}

$client->webhooks()->dispatch($event, [
    'decision.high_risk' => function ($event) {
        // Open a case, notify ops, or hold the account action.
    },
    '*' => function ($event) {
        // Optional catch-all handler.
    },
]);

Error Handling

The core client throws exceptions for API and network failures:

use Preverus\Exceptions\ApiException;
use Preverus\Exceptions\NetworkException;

try {
    $decision = $client->decisions()->evaluate([...]);
} catch (ApiException $error) {
    // Authentication, validation, rate limit, or server response.
    $status = $error->statusCode();
    $code = $error->errorCode();
} catch (NetworkException $error) {
    // Timeout, DNS, TLS, or connection failure.
}

If you want built-in fail-open/fail-review/fail-closed fallback decisions, use preverus/preverus-laravel or implement the same policy in your framework.

Production Checklist

  • Use a browser key only in HTML or frontend code.
  • Use a server key only on your backend.
  • Prefer risk_session_token for decisions when present.
  • Include X-Visitor-ID when available.
  • Send your real customer account ID as user_id.
  • Include request IP and useful metadata such as email, phone, username, and payment address.
  • Use idempotency keys for retried POST requests.
  • Treat review as step-up/manual review, not as an automatic allow.

统计信息

  • 总下载量: 0
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 0
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2026-07-13

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固