Add Configurable Hashing to OTP Generation and Validation #35

Open · wants to merge 1 commit into base: master

Conversation

sadiqumarOG
Problem Statement

Currently, the OTP (One-Time Password) package stores tokens in plain text in the database. This could potentially pose a security risk if the database is compromised. We need a way to enhance the security of stored OTPs without breaking existing functionality.

Solution

Implement a configurable hashing feature for OTPs. This will allow users to opt-in to hashing OTPs for enhanced security while maintaining backwards compatibility for those who don't require it.

Changes

  1. Added a new configuration option use_hashing to control OTP hashing.
  2. Modified the generate method to hash OTPs when the feature is enabled.
  3. Updated the validate method to handle both hashed and non-hashed OTPs.
  4. No database schema changes were made to ensure a smooth transition.

Implementation Details

New Configuration Option

A new configuration option has been added to config/otp.php:

<?php

// config/otp.php: hashing is off unless OTP_USE_HASHING=true is set in .env
return [
    'use_hashing' => env('OTP_USE_HASHING', false),
];

Modified Otp Class

The Ichtrojan\Otp\Otp class has been updated:

  • In the generate method, tokens are now hashed using Hash::make() when use_hashing is true.
  • The validate method now uses Hash::check() for comparison when use_hashing is true.

Backwards Compatibility

  • The public API of the Otp class remains unchanged.
  • Existing OTPs will continue to work as before.
  • The hashing feature is opt-in, defaulting to the previous behavior.

How to Use

  1. Publish the config file if you haven't already:

    php artisan vendor:publish --tag=otp-config
    
  2. To enable OTP hashing, set in your .env file:

    OTP_USE_HASHING=true
    
  3. Use the Otp class as before. The hashing will be handled transparently based on your configuration.

Notes

  • When changing the use_hashing setting, it's recommended to clear any existing OTPs in the database to ensure consistency.
  • This feature enhances security without impacting performance significantly.

Questions?

If you have any questions or need further clarification, please don't hesitate to ask in the comments. Your feedback is valuable and will help ensure this feature meets the project's needs. Thanks for this wonderful package @ichtrojan.
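As an added example (not code from this PR or from the ichtrojan/otp package), the following standalone PHP 8 model shows the behaviour the PR describes: hashing at generate time behind an opt-in flag, and a validate path that accepts both hashed and plaintext rows. It decides how to compare by inspecting the stored value rather than the current setting, which is what lets a deployment flip use_hashing without clearing existing OTPs. It calls password_hash()/password_verify() directly (the bcrypt primitives behind Laravel's default Hash::make()/Hash::check()) so it runs without the framework; the OtpStore class, its in-memory $rows array, the setUseHashing() toggle and the 10-minute expiry are assumptions for illustration, not the package's API.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the package's Otp class: rows live in memory here,
// where the real package would read and write its database table.
final class OtpStore
{
    /** @var array<string, array{token: string, expires_at: int}> keyed by identifier */
    private array $rows = [];

    public function __construct(private bool $useHashing) {}

    // Models changing OTP_USE_HASHING between requests (assumption for the demo).
    public function setUseHashing(bool $on): void
    {
        $this->useHashing = $on;
    }

    // Returns the plaintext code for delivery to the user; only $stored reaches the DB.
    public function generate(string $identifier, int $digits = 6, int $validitySeconds = 600): string
    {
        $plain  = str_pad((string) random_int(0, 10 ** $digits - 1), $digits, '0', STR_PAD_LEFT);
        $stored = $this->useHashing ? password_hash($plain, PASSWORD_BCRYPT) : $plain;

        $this->rows[$identifier] = ['token' => $stored, 'expires_at' => time() + $validitySeconds];

        return $plain;
    }

    public function validate(string $identifier, string $candidate): bool
    {
        $row = $this->rows[$identifier] ?? null;
        if ($row === null || $row['expires_at'] < time()) {
            return false;
        }

        // Decide per row, not per config flag: a bcrypt string is recognisable by
        // password_get_info(), a numeric OTP is not, so rows written under either
        // setting keep validating after the setting changes.
        $isHashed = !empty(password_get_info($row['token'])['algo']);

        $ok = $isHashed
            ? password_verify($candidate, $row['token'])
            : hash_equals($row['token'], $candidate); // constant-time for the plaintext path

        if ($ok) {
            unset($this->rows[$identifier]); // single use: a correct code cannot be replayed
        }

        return $ok;
    }
}

// Demo with constructed data.
$store = new OtpStore(useHashing: true);
$code  = $store->generate('user@example.com');
printf("hashed row, correct code: %s\n", $store->validate('user@example.com', $code) ? 'accepted' : 'rejected');
printf("hashed row, replay:       %s\n", $store->validate('user@example.com', $code) ? 'accepted' : 'rejected');
printf("hashed row, wrong code:   %s\n", $store->validate('user@example.com', '000000') ? 'accepted' : 'rejected');

// Row written before hashing was switched on still validates afterwards.
$legacy = new OtpStore(useHashing: false);
$code   = $legacy->generate('legacy@example.com');
$legacy->setUseHashing(true);
printf("plaintext row after flip: %s\n", $legacy->validate('legacy@example.com', $code) ? 'accepted' : 'rejected');
```

One caveat worth keeping in mind when reviewing this feature: a six-digit OTP has only 10^6 possible values, so bcrypt over it does not give the protection a password hash gives a long password. An attacker holding a database dump can try every candidate against each row, and the only things slowing that down are the bcrypt cost factor and the expiry window. The hash is still worthwhile (it removes the codes from a plain read of the table), but short expiry, single use and a cap on validation attempts per identifier are what actually bound the attacker.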
