承接 eustasy/authenticatron 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

eustasy/authenticatron

Composer 安装命令:

composer require eustasy/authenticatron

包简介

HOTP / TOTP secrets with corresponding QR links and code verification from a simple PHP script.

README 文档

README

Normal (PHP) Normal (Security) Test (PHP) Maintainability Code Coverage

A simple PHP script to create HOTP / TOTP / Google Authenticator secrets, corresponding QR links and code verification.

Based on the original BSD 2 Licensed work found at PHPGangsta/GoogleAuthenticator

Heavily modified to improve security and suit our needs.

Requirements

  • PHP >= 8.2
  • ext-gd (e.g. php8.x-gd) for QR Code generation.
  • jysperu/php-qr-code — installed automatically via Composer.

Installation

If you already use Composer then the eustasy/Authenticatron package can be easily installed.

composer require eustasy/authenticatron

Require the class in your PHP code:

////    Import eustasy\Authenticatron with Composer
require_once __DIR__ . '/vendor/autoload.php';
use eustasy\Authenticatron;

Quick Implementation

////    Create a new account
// Returns a secret (to be stored) a URL (to be clicked on) and a QR Code (to be scanned)
Authenticatron::new($accountName, $issuer);
//  array(3) {
//    ["Secret"]=>
//    string(16) "6MZYWOOFVAKL7LQB"
//    ["URL"]=>
//    string(83) "otpauth://totp/Example Site: John Smith?secret=6MZYWOOFVAKL7LQB&issuer=Example+Site"
//    ["QR"]=>
//    string(630) "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAJQAAACUAQMAAABP8pKXAAAABlBMVEUAAAD///+l2Z/dAAAACXBIWXMAAA7EAAAOxAGVKw4bAAABZklEQVRIia2WUY7DQAhDuQH3vyU3YP1MN+p33EnVJC9ShgGbSVVV66iZ1W/rM16z3u1pjdWobXDEyvc6MUl7vpRpFv2Pjv0N003pUBJy5nid0lYKnry8ZZTkazx1e8sojYKdGiaiUhOxZvmKWuGWNEQWIqYx3LB8zaPrjA36Lr97WAFpiBiyRpaFiKzMiGEYHkF0LusgYT281AK/CUNGBkjlWN7OScIkH5YPx4vSecYkG6RNd5i5gmXMvRBrY2p8nbGiQdBcB+NQ8IxhExLb7j5oIGN0RAKn5aDOj6dfs7Vf3GAdsXUZMN4odZNMp7M7ZGuIa/DzukcEzD0VFTWTrGNOGBsx5rMc6badMVd4bO6yOEO2t+7d6z63LwSMy/NLnx5dqPeMt6LvfR5m7PbQ67Ff2+hrZp9Qa9qO++xkzDUaWo/101sxOzFeydB4yrx9OtTJGd+Yrrc3gfsGCdiJ3NvKv6sT9gdy9gHcop2cdQAAAABJRU5ErkJggg=="
//  }
////    Check a code
// When a code is entered, just retrieve the secret and check them both.
Authenticatron::checkCode($code, $secret)
//  bool(true) - successful auth
//  bool(false) - failed auth

How it Works

Rather than rely on expensive SMS (text messages) that lack global deliverability, Google Authenticator does not even require a network connection to generate its codes. Instead, simply scan the generated QR code with your camera, and receive a new, 6-digit second factor of authentication from your phone every 30 seconds.

It does this by generating a 16 character secret, or seed, that is then encoded as a special URL, along with some identifying information, and outputted as a QR code. The phone reads the codes, and the Google Authenticator app runs the secret through a code generation process to output a time-restricted code. The website follows the same process to produce matching codes without actually having to communicate further.

Potential Flaws & How to Avoid them

Secret Capture

If you hand off the secret to a service like Google Charts as some demos show, then it would be trivial to compromise the second level of authentication from the start. To cure this, make sure you never send the secret in plain text to the user, or cache images such as the QR code. Instead, output it directly as a base64 encoded PNG, preferably served over HTTPS. letsencrypt.org gives out SSL Certificates for free.

Replay Attacks

Quickly re-using an intercepted token to gain access, by taking advantage of the plus/minus one minute rule.

If a token is not marked as invalid as soon as it has been used an attacker who has intercepted the token may be able to quickly replay it to obtain access.

Google TOTP Two-factor Authentication for PHP - idontplaydarts.com

To fix this, log used codes and disallow them from being used a second time, at least for double the variation of your codes allowance.

Brute Force

If there is no upper limit on the number of attempts a user can make at guessing a token it may be possible to brute-force the one-time token.

If the seed is too small and an attacker can intercept a few tokens it may be possible to brute-force the seed value allowing the attacker to generate new one-time tokens. For this reason Google enforces a minimum seed length of 16 characters or 80-bits.

Google TOTP Two-factor Authentication for PHP - idontplaydarts.com

Brute forcing of codes can be fixed in much the same way as brute forcing passwords, primarily with rate-limiting of some kind. Brute forcing of secrets, or seeds, can only be done with intercepted codes. Again, HTTPS is your friend.

Improvements over PHPGangsta/GoogleAuthenticator

  • Fixes time-matching bug for better code recognition.
  • Encodes URL to work best with Google Authenticator.
  • Removes rand in favour of random_bytes for improved security.
  • Returns base64 PNG rather than Google Chart to better obscure secret from snoopers.

With thanks to RebThrees bug report.

How to Implement

Apart from our earlier warnings about things being intercepted without HTTPS and basic brute-force avoidance (limit attempts), there is very little you must avoid to keep second-factor authentication secure. Don't send the secrets to third parties, but store them yourself (you'll need them every time a user tries to log in), and only allow a code to be used once.

Allow fallbacks. Like password resets, users should be able to bypass second-factor by using their email address. Perhaps send a single use code there, or use the Acceptable function to give them one for two or three minutes in the future. Do NOT allow them to simply turn it off without logging in.

References

eustasy/authenticatron 适用场景与选型建议

eustasy/authenticatron 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.1k 次下载、GitHub Stars 达 11, 最近一次更新时间为 2024 年 03 月 08 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「Authentication」 「hotp」 「totp」 「passwords」 「secret」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 eustasy/authenticatron 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 eustasy/authenticatron 我们能提供哪些服务?
定制开发 / 二次开发

基于 eustasy/authenticatron 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 1.1k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 11
  • 点击次数: 20
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 11
  • Watchers: 2
  • Forks: 1
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2024-03-08