Add Configurable Hashing to OTP Generation and Validation #35
Problem Statement
Currently, the OTP (One-Time Password) package stores tokens in plain text in the database. This could potentially pose a security risk if the database is compromised. We need a way to enhance the security of stored OTPs without breaking existing functionality.
Solution
Implement a configurable hashing feature for OTPs. This will allow users to opt-in to hashing OTPs for enhanced security while maintaining backwards compatibility for those who don't require it.
Changes
- New configuration option `use_hashing` to control OTP hashing.
- Updated `generate` method to hash OTPs when the feature is enabled.
- Updated `validate` method to handle both hashed and non-hashed OTPs.
Implementation Details
New Configuration Option
A new configuration option has been added to `config/otp.php`:
Modified Otp Class
The `Ichtrojan\Otp\Otp` class has been updated:
- In the `generate` method, tokens are now hashed using `Hash::make()` when `use_hashing` is true.
- The `validate` method now uses `Hash::check()` for comparison when `use_hashing` is true.
Backwards Compatibility
How to Use
Publish the config file if you haven't already:
To enable OTP hashing, set in your `.env` file:
Use the Otp class as before. The hashing will be handled transparently based on your configuration.
Notes
- When switching the `use_hashing` setting, it's recommended to clear any existing OTPs in the database to ensure consistency.
Questions?
If you have any questions or need further clarification, please don't hesitate to ask in the comments. Your feedback is valuable and will help ensure this feature meets the project's needs. Thanks for this wonderful package @ichtrojan