ez-php/two-factor
Composer 安装命令:
composer require ez-php/two-factor
包简介
Two-factor authentication module for the ez-php framework — RFC 6238 TOTP, QR code URLs, backup codes, and HTTP middleware
README 文档
README
Two-factor authentication module for the ez-php framework. Provides RFC 6238 TOTP (Time-based One-Time Password) support with pure PHP — no external SDK required. Includes secret generation, QR code URL generation, code verification, backup codes, and HTTP middleware.
Installation
composer require ez-php/two-factor
Setup
1. Implement the interface on your user model
use EzPhp\Auth\UserInterface; use EzPhp\TwoFactor\TwoFactorAuthenticableInterface; final class User implements UserInterface, TwoFactorAuthenticableInterface { public function hasTwoFactorEnabled(): bool { return (bool) $this->two_factor_enabled; } public function getTwoFactorSecret(): string { return $this->two_factor_secret; } // ... UserInterface methods }
2. Register the service provider
In provider/modules.php:
$app->register(\EzPhp\TwoFactor\TwoFactorServiceProvider::class);
3. Add the middleware
Apply TwoFactorMiddleware to routes that require 2FA verification:
// routes/web.php $router->group(['middleware' => [TwoFactorMiddleware::class]], function ($router) { $router->get('/dashboard', [DashboardController::class, 'index']); });
Usage
Enabling 2FA for a user
use EzPhp\TwoFactor\TwoFactorManager; $manager = $container->make(TwoFactorManager::class); // Generate and store the secret $secret = $manager->generateSecret(); // → store $secret in your user record (two_factor_secret column) // Get QR code URL to display to the user $qrUrl = $manager->getQrCodeUrl('MyApp', $user->email, $secret); // → render into a QR code image using your preferred library
Verifying the setup code
// User scans QR code and enters the first code from their app if ($manager->verifyCode($secret, $request->input('code'))) { // Enable 2FA for the user $user->update(['two_factor_enabled' => true, 'two_factor_secret' => $secret]); }
Verifying during login
After the user is authenticated, mark the session as verified:
// In your 2FA verification controller if ($manager->verifyCode(Auth::user()->getTwoFactorSecret(), $request->input('code'))) { $_SESSION[TwoFactorMiddleware::SESSION_KEY] = true; return redirect('/dashboard'); }
Backup codes
// Generate backup codes (store hashes, show plain codes to user once) $codes = $manager->generateBackupCodes(8); foreach ($codes as $code) { $hashes[] = $manager->hashBackupCode($code); } // Store $hashes in the database // Verify a backup code on login foreach ($storedHashes as $hash) { if ($manager->verifyBackupCode($inputCode, $hash)) { // Valid — invalidate this backup code break; } }
Middleware Behaviour
TwoFactorMiddleware runs on every request passing through it:
| Condition | Result |
|---|---|
| No authenticated user | Pass through (200) |
User does not implement TwoFactorAuthenticableInterface |
Pass through (200) |
| User has 2FA disabled | Pass through (200) |
Session contains two_factor_verified = true |
Pass through (200) |
| 2FA required but not verified | 423 Locked + X-Requires-2FA: true |
The X-Requires-2FA: true header signals to API clients that a 2FA verification step is needed.
API Reference
TwoFactorManager
| Method | Description |
|---|---|
generateSecret(): string |
Generates a 16-character Base32 secret (80 bits of entropy) |
generateCode(string $secret, ?int $timestamp = null): string |
Generates a 6-digit TOTP code |
verifyCode(string $secret, string $code, ?int $timestamp = null): bool |
Verifies a code with ±1 time step tolerance |
getQrCodeUrl(string $issuer, string $account, string $secret): string |
Returns an otpauth://totp/... URI for QR code generation |
generateBackupCodes(int $count = 8): string[] |
Generates XXXX-XXXX format backup codes |
hashBackupCode(string $code): string |
Bcrypt-hashes a backup code for storage |
verifyBackupCode(string $code, string $hash): bool |
Verifies a backup code against its hash |
TwoFactorMiddleware
| Constant | Value |
|---|---|
SESSION_KEY |
'two_factor_verified' |
Standards Compliance
- RFC 6238 — TOTP: Time-Based One-Time Password Algorithm
- RFC 4226 — HOTP: HMAC-Based One-Time Password Algorithm
- RFC 4648 — Base32 encoding/decoding
ez-php/two-factor 适用场景与选型建议
ez-php/two-factor 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 0 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 03 月 29 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「framework」 「php」 「security」 「Authentication」 「two-factor」 「otp」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 ez-php/two-factor 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 ez-php/two-factor 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 ez-php/two-factor 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
PHP Framework HLEB2 is the foundation of the web application. Provides ease of development and application performance.
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
Contao CMS integrity check for some files
A PHP security linter to detect insecure functions like var_dump, print_r, and other dangerous functions in your codebase
Alfabank REST API integration
统计信息
- 总下载量: 0
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 39
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2026-03-29