" * is_admin = 1
 * so it will not collide with a real Entra user.
 */
final class LocalAdmin
{
    /** Prefix prepended to the configured email to build the synthetic OID. */
    public const OID_PREFIX = 'local:';

    /**
     * Reports whether the local admin login is configured.
     *
     * True only when both LOCAL_ADMIN_EMAIL and LOCAL_ADMIN_PASSWORD_HASH are
     * non-blank. This is a presence check only: the hash value is not checked
     * for being a well-formed password hash.
     */
    public static function isEnabled(): bool
    {
        if (self::email() === '') {
            return false;
        }

        return self::passwordHash() !== '';
    }

    /** Configured local admin email (LOCAL_ADMIN_EMAIL), trimmed; '' when unset. */
    public static function email(): string
    {
        return self::envTrimmed('LOCAL_ADMIN_EMAIL');
    }

    /** Display name from LOCAL_ADMIN_NAME, falling back to 'Local Admin' when unset or blank. */
    public static function displayName(): string
    {
        $configured = self::envTrimmed('LOCAL_ADMIN_NAME');
        if ($configured === '') {
            return 'Local Admin';
        }

        return $configured;
    }

    /** Synthetic object id: OID_PREFIX followed by the configured email. */
    public static function oid(): string
    {
        return self::OID_PREFIX . self::email();
    }

    /**
     * Checks a submitted email/password pair against the configured local admin.
     *
     * The email is compared with hash_equals() (exact, case-sensitive match
     * after trimming the submitted value) and the password with
     * password_verify(). Both comparisons are always evaluated before the
     * results are combined, so a wrong email does not skip the password check.
     * When the local admin is not configured the method returns false without
     * running either comparison.
     *
     * No attempt counting, lockout or logging happens here; callers that expose
     * this to a login form need to provide their own throttling.
     *
     * @param string $email    Submitted email; surrounding whitespace is ignored.
     * @param string $password Submitted plaintext password.
     * @return bool True only when the local admin is enabled and both values match.
     */
    public static function verify(string $email, string $password): bool
    {
        $expectedEmail = self::email();
        $storedHash = self::passwordHash();

        // Same condition as isEnabled(): refuse when either setting is missing.
        if ($expectedEmail === '' || $storedHash === '') {
            return false;
        }

        // Known value goes first in hash_equals(); the user-supplied value second.
        $emailOk = hash_equals($expectedEmail, trim($email));
        // password_verify() yields false for a value that is not a valid hash,
        // so a misconfigured LOCAL_ADMIN_PASSWORD_HASH fails closed.
        $passwordOk = password_verify($password, $storedHash);

        return $emailOk && $passwordOk;
    }

    /** Stored password hash (LOCAL_ADMIN_PASSWORD_HASH), trimmed; '' when unset. Kept private so it is never exposed to callers. */
    private static function passwordHash(): string
    {
        return self::envTrimmed('LOCAL_ADMIN_PASSWORD_HASH');
    }

    /** Reads an environment variable and returns it trimmed, or '' when getenv() does not return a string. */
    private static function envTrimmed(string $name): string
    {
        $raw = getenv($name);
        if (!is_string($raw)) {
            return '';
        }

        return trim($raw);
    }
}