danterobles/totp-authenticator
Composer 安装命令:
composer require danterobles/totp-authenticator
包简介
A lightweight and secure PHP class for implementing TOTP two-factor authentication, compatible with Google Authenticator, Authy, and more.
README 文档
README
Overview
TOTPAuthenticator is a PHP class that implements Time-based One-Time Password (TOTP) authentication according to RFC 6238. It provides a secure way to implement two-factor authentication (2FA) in your PHP applications, compatible with popular authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy.
Features
- Generate secure random secrets for TOTP authentication (minimum 128 bits / 16 bytes)
- Create and validate time-based one-time passwords
- Generate QR code URLs for easy setup with authenticator apps
- Generate backup codes for account recovery
- Input validation with descriptive exceptions for invalid configuration
- Customizable code length (6–8 digits) and time step
- Built-in Base32 encoding/decoding
- Full PHP 7.4+ type hints on all properties and methods
- Compatible with all standard TOTP authenticator applications
Requirements
- PHP 7.4 or higher
- OpenSSL extension (for
random_bytes())
Installation
Raw PHP
Simply include the TOTPAuthenticator.php file in your project:
require_once 'path/to/TOTPAuthenticator.php';
Composer / Laravel
Install via Composer:
composer require danterobles/totp-authenticator
Or copy src/TOTPAuthenticator.php to your Laravel project and update the namespace:
<?php namespace App\Services\Auth; class TOTPAuthenticator { // Class content remains the same }
Optionally register it as a singleton in AppServiceProvider:
use App\Services\Auth\TOTPAuthenticator; public function register() { $this->app->singleton(TOTPAuthenticator::class, function ($app) { return new TOTPAuthenticator(); }); }
Basic Usage
Generate a New Secret
use TOTP\TOTPAuthenticator; // Generates a cryptographically secure random secret (20 bytes / 160 bits by default) $totp = new TOTPAuthenticator(); // Store this secret in your user database $secret = $totp->getSecret(); echo "Your TOTP secret: " . $secret;
Verify a TOTP Code
use TOTP\TOTPAuthenticator; // Initialize with the user's stored secret $totp = new TOTPAuthenticator($userSecret); $userInputCode = $_POST['totp_code']; if ($totp->verifyCode($userInputCode)) { echo "Code is valid!"; } else { echo "Invalid code!"; }
Generate a QR Code URL
use TOTP\TOTPAuthenticator; $totp = new TOTPAuthenticator($userSecret); $qrCodeUrl = $totp->getQRCodeUrl('user@example.com', 'My Application'); // Use with any QR code generation library echo "<img src='https://chart.googleapis.com/chart?chs=200x200&cht=qr&chl=" . urlencode($qrCodeUrl) . "&choe=UTF-8'>";
Generate Backup Codes
use TOTP\TOTPAuthenticator; $totp = new TOTPAuthenticator($userSecret); // Returns an array of plain-text backup codes $backupCodes = $totp->generateBackupCodes(count: 10, length: 10); // Show plain codes once to the user, then store only the hashed versions $hashedCodes = array_map(fn($code) => password_hash($code, PASSWORD_DEFAULT), $backupCodes); // Save $hashedCodes to database
Advanced Configuration
The constructor accepts optional parameters to customize code generation:
// 8-digit codes valid for 60 seconds $totp = new TOTPAuthenticator(secret: null, digits: 8, timeStep: 60);
| Parameter | Type | Default | Constraints |
|---|---|---|---|
$secret |
?string |
null (auto-generated) |
Valid Base32, min 128 bits decoded |
$digits |
int |
6 |
Must be between 6 and 8 |
$timeStep |
int |
30 |
Must be a positive integer |
Invalid values throw \InvalidArgumentException with a descriptive message.
Integration Examples
Raw PHP Authentication Flow
use TOTP\TOTPAuthenticator; function registerUser(string $username, string $password): string { $totp = new TOTPAuthenticator(); $secret = $totp->getSecret(); $passwordHash = password_hash($password, PASSWORD_DEFAULT); $db->query( "INSERT INTO users (username, password_hash, totp_secret) VALUES (?, ?, ?)", [$username, $passwordHash, $secret] ); return $totp->getQRCodeUrl($username, 'My Application'); } function loginUser(string $username, string $password, string $totpCode): bool { $user = $db->query("SELECT * FROM users WHERE username = ?", [$username])->fetch(); if (!$user || !password_verify($password, $user['password_hash'])) { return false; } $totp = new TOTPAuthenticator($user['totp_secret']); if (!$totp->verifyCode($totpCode)) { return false; } $_SESSION['user_id'] = $user['id']; return true; }
Laravel Integration Example
Middleware
<?php namespace App\Http\Middleware; use Closure; use Illuminate\Support\Facades\Auth; use App\Services\Auth\TOTPAuthenticator; class RequireTOTP { public function handle($request, Closure $next) { $user = Auth::user(); if (!$user->totp_enabled) { return $next($request); } if (!session('totp_verified')) { return redirect()->route('totp.verify'); } return $next($request); } }
Controller
<?php namespace App\Http\Controllers\Auth; use App\Http\Controllers\Controller; use Illuminate\Http\Request; use App\Services\Auth\TOTPAuthenticator; class TOTPController extends Controller { public function setup() { $user = auth()->user(); if (!$user->totp_secret) { $totp = new TOTPAuthenticator(); $user->totp_secret = $totp->getSecret(); $user->save(); } else { $totp = new TOTPAuthenticator($user->totp_secret); } return view('auth.totp.setup', [ 'secret' => $user->totp_secret, 'qrCodeUrl' => $totp->getQRCodeUrl($user->email, config('app.name')), 'backupCodes' => $totp->generateBackupCodes(), ]); } public function enable(Request $request) { $user = auth()->user(); $totp = new TOTPAuthenticator($user->totp_secret); if ($totp->verifyCode($request->code)) { $user->totp_enabled = true; $user->save(); return redirect()->route('dashboard') ->with('status', 'Two-factor authentication has been enabled.'); } return back()->withErrors(['code' => 'The verification code is invalid.']); } public function verify() { return view('auth.totp.verify'); } public function validate(Request $request) { $user = auth()->user(); $totp = new TOTPAuthenticator($user->totp_secret); if ($totp->verifyCode($request->code)) { session(['totp_verified' => true]); return redirect()->intended('dashboard'); } return back()->withErrors(['code' => 'The verification code is invalid.']); } }
Routes
Route::middleware(['auth'])->group(function () { Route::get('/totp/setup', [TOTPController::class, 'setup'])->name('totp.setup'); Route::post('/totp/enable', [TOTPController::class, 'enable'])->name('totp.enable'); Route::get('/totp/verify', [TOTPController::class, 'verify'])->name('totp.verify'); Route::post('/totp/validate', [TOTPController::class, 'validate'])->name('totp.validate'); Route::middleware(['require.totp'])->group(function () { Route::get('/dashboard', [DashboardController::class, 'index'])->name('dashboard'); }); });
Security Considerations
- Always store TOTP secrets securely in your database (consider encrypting at rest)
- Store backup codes hashed (e.g.
password_hash()), never in plain text - Use HTTPS to prevent man-in-the-middle attacks
- Implement rate limiting to prevent brute-force attacks
- The class uses
hash_equals()internally to prevent timing attacks - Secrets must be at least 128 bits (16 decoded bytes) — enforced by the constructor
License
This code is provided under the MIT License.
danterobles/totp-authenticator 适用场景与选型建议
danterobles/totp-authenticator 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 7 次下载、GitHub Stars 达 1, 最近一次更新时间为 2025 年 03 月 29 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「php」 「security」 「laravel」 「totp」 「rfc6238」 「authenticator」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 danterobles/totp-authenticator 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 danterobles/totp-authenticator 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 danterobles/totp-authenticator 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
Contao CMS integrity check for some files
A PHP security linter to detect insecure functions like var_dump, print_r, and other dangerous functions in your codebase
Alfabank REST API integration
Cbox SSRF — a hardened, config-driven guard against server-side request forgery for outbound URLs in Laravel. Blocks private/reserved/cloud-metadata targets, pins DNS, and refuses redirects.
统计信息
- 总下载量: 7
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 33
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-03-29