chillerlan/php-authenticator 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

chillerlan/php-authenticator

Composer 安装命令:

composer require chillerlan/php-authenticator

包简介

A generator for counter- and time based 2-factor authentication codes (Google Authenticator). PHP 8.2+

README 文档

README

A generator for counter based (RFC 4226) and time based (RFC 6238) one time passwords (OTP). (a.k.a. Yet Another Google Authenticator Implementation!)

PHP Version Support version License GitHub actions workflow Coverage Codacy Downloads

Documentation

Requirements

Installation

requires composer

via terminal: composer require chillerlan/php-authenticator

composer.json

{
	"require": {
		"php": "^8.4",
		"chillerlan/php-authenticator": "dev-main"
	}
}

Note: replace dev-main with a version constraint, e.g. ^5.0 - see releases for valid versions

Profit!

Usage

Create a secret

The secret is usually being created once during the activation process in a user control panel. So all you need to do there is to display it to the user in a convenient way - as a text string and QR code for example - and save it somewhere with the user data.

use chillerlan\Authenticator\{Authenticator, AuthenticatorOptions};

$options = new AuthenticatorOptions;
$options->secret_length = 32;

$authenticator = new Authenticator($options);
// create a secret (stored somewhere in a *safe* place on the server. safe... hahaha jk)
$secret = $authenticator->createSecret();
// you can also specify the length of the secret key, which overrides the options setting
$secret = $authenticator->createSecret(20);
// set an existing secret
$authenticator->setSecret($secret);

A secret created with Authenticator::createSecret() will also be stored internally, so that you don't need to provide the secret you just created on follow-up operations with the current instance.

Verify a one time code

Now during the login process - after the user has successfully entered their credentials - you would ask them for a one time code to check it against the secret from your user database.

// verify the code
if($authenticator->verify($otp)){
	// that's it - 2FA has never been easier! :D
}

time based (TOTP)

Verify adjacent codes

// try the first adjacent
$authenticator->verify($otp, time() - $options->period); // -> true
// try the second adjacent, default is 1
$authenticator->verify($otp, time() + 2 * $options->period); // -> false
// allow 2 adjacent codes
$options->adjacent = 2;
$authenticator->verify($otp, time() + 2 * $options->period); // -> true

counter based (HOTP)

// switch mode to HOTP
$options->mode = AuthenticatorInterface::HOTP;
// user sends the OTP for code #42, which is equivalent to
$otp = $authenticator->code(42); // -> 123456
// verify [123456, 42]
$authenticator->verify($otp, $counterValueFromUserDatabase) // -> true

URI creation

In order to display a QR code for a mobile authenticator you'll need an otpauth:// URI, which can be created using the following method.

  • $label should be something that identifies the account to which the secret belongs
  • $issuer is the name of your website or company for example, so that the user is able to identify multiple accounts.
$uri = $authenticator->getUri($label, $issuer);

// -> otpauth://totp/my%20label?secret=NKSOQG7UKKID4IXW&issuer=chillerlan.net&digits=6&period=30&algorithm=SHA1

Notes

Keep in mind that several URI settings are not (yet) recognized by all authenticators. Check the Google Authenticator wiki for more info.

// code length, currently 6 or 8
$options->digits = 8;
// valid period between 15 and 60 seconds
$options->period = 45;
// set the HMAC hash algorithm
$options->algorithm = AuthenticatorInterface::ALGO_SHA512;

API

Authenticator

method return description
__construct(SettingsContainerInterface $options = null, string $secret = null) -
setOptions(SettingsContainerInterface $options) Authenticator called internally by __construct()
setSecret(string $secret) Authenticator called internally by __construct()
getSecret() string
createSecret(int $length = null) string $length overrides AuthenticatorOptions setting
code(int $data = null) string $data may be a UNIX timestamp (TOTP) or a counter value (HOTP)
verify(string $otp, int $data = null) bool for $data see Authenticator::code()
getUri(string $label, string $issuer, int $hotpCounter = null, bool $omitSettings = null) string

AuthenticatorOptions

Properties

property type default allowed description
$digits int 6 6 or 8 auth code length
$period int 30 15 - 60 validation period (seconds)
$secret_length int 20 >= 16 length of the secret phrase (bytes, unencoded binary)
$algorithm string SHA1 SHA1, SHA256 or SHA512 HMAC hash algorithm, see AuthenticatorInterface::HASH_ALGOS
$mode string totp totp, hotp, battlenet or steam authenticator mode: time- or counter based, see AuthenticatorInterface::MODES
$adjacent int 1 >= 0 number of allowed adjacent codes
$time_offset int 0 * fixed time offset that will be added to the current time value
$useLocalTime bool true * whether to use local time or request server time
$forceTimeRefresh bool false * whether to force refreshing server time on each call

AuthenticatorInterface

Methods

method return description
setOptions(SettingsContainerInterface $options) AuthenticatorInterface
setSecret(string $encodedSecret) AuthenticatorInterface
getSecret() string
createSecret(int $length = null) string
getServertime() int
getCounter(int $data = null) int internal
getHMAC(int $counter) string internal
getCode(string $hmac) int internal
getOTP(int $code) string internal
code(int $data = null) string
verify(string $otp, int $data = null) bool

Constants

constant type description
TOTP string
HOTP string
STEAM_GUARD string
ALGO_SHA1 string
ALGO_SHA256 string
ALGO_SHA512 string
MODES array map of mode -> classname
HASH_ALGOS array list of available hash algorithms

2FA ALL THE THINGS!

chillerlan/php-authenticator 适用场景与选型建议

chillerlan/php-authenticator 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 133.58k 次下载、GitHub Stars 达 56, 最近一次更新时间为 2017 年 12 月 23 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「otp」 「hotp」 「totp」 「rfc4226」 「rfc6238」 「authenticator」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 chillerlan/php-authenticator 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 chillerlan/php-authenticator 我们能提供哪些服务?
定制开发 / 二次开发

基于 chillerlan/php-authenticator 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 133.58k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 58
  • 点击次数: 47
  • 依赖项目数: 4
  • 推荐数: 4

GitHub 信息

  • Stars: 56
  • Watchers: 2
  • Forks: 2
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2017-12-23