Download the PHP package altcha-org/altcha without Composer
On this page you can find all versions of the php package altcha-org/altcha. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download altcha-org/altcha
More information about altcha-org/altcha
Files in altcha-org/altcha
Package altcha
Short Description A lightweight PHP library for creating and verifying ALTCHA challenges.
License MIT
FAQ
Example:
In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
- Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
- To use Composer is sometimes complicated. Especially for beginners.
- Composer needs much resources. Sometimes they are not available on a simple webspace.
- If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
- Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Informations about the package altcha
ALTCHA PHP Library
A lightweight PHP library for creating and verifying ALTCHA challenges using key derivation functions (PBKDF2, Argon2id, Scrypt).
Compatibility
- PHP 8.1+
Migrating from V1 to V2
MIGRATION-v1.md
Example
- Basic Server
- Server Signature
Installation
Usage
API
Altcha
Altcha::createChallenge(CreateChallengeOptions $options): Challenge
Creates a new challenge.
CreateChallengeOptions
| Parameter | Type | Default | Description |
|---|---|---|---|
algorithm |
DeriveKeyInterface |
required | Key derivation algorithm |
cost |
int |
required | Iterations/time cost |
counter |
?int |
null |
Counter for deterministic mode |
data |
?array |
null |
Custom metadata |
expiresAt |
?int |
null |
Unix timestamp for expiration |
keyLength |
int |
32 |
Derived key length in bytes |
keyPrefixLength |
int |
keyLength / 2 |
Key prefix length in bytes |
memoryCost |
?int |
null |
Memory cost (Argon2id/Scrypt) |
nonce |
?string |
null |
Custom nonce (hex) |
parallelism |
?int |
null |
Parallelism factor (Scrypt) |
salt |
?string |
null |
Custom salt (hex) |
When counter is provided and hmacKeySignatureSecret is set, the challenge includes a keySignature for fast verification (skips re-derivation).
Returns: Challenge with parameters (ChallengeParameters) and signature.
Altcha::solveChallenge(SolveChallengeOptions $options): ?Solution
Iterates counter values to find a derived key matching the challenge prefix.
SolveChallengeOptions
| Parameter | Type | Default | Description |
|---|---|---|---|
algorithm |
DeriveKeyInterface |
required | Key derivation algorithm |
challenge |
Challenge |
required | The challenge to solve |
start |
int |
0 |
Initial counter value |
step |
int |
1 |
Counter increment per iteration |
timeout |
float |
30.0 |
Timeout in seconds |
Returns: Solution with counter, derivedKey (hex), and time (seconds). Returns null if no match is found.
Altcha::verifySolution(VerifySolutionOptions $options): VerifySolutionResult
Verifies a solution against its challenge.
VerifySolutionOptions
| Parameter | Type | Default | Description |
|---|---|---|---|
algorithm |
DeriveKeyInterface |
required | Key derivation algorithm |
payload |
Payload |
required | Challenge + solution pair |
VerifySolutionResult
| Property | Type | Description |
|---|---|---|
verified |
bool |
Whether the solution is valid |
expired |
bool |
Whether the challenge has expired |
invalidSignature |
?bool |
Whether the challenge signature is invalid |
invalidSolution |
?bool |
Whether the derived key doesn't match |
time |
float |
Verification time in seconds |
Key Derivation Algorithms
All algorithms implement DeriveKeyInterface.
PBKDF2
Argon2id
Requires ext-sodium (typically bundled with PHP).
Uses memoryCost from challenge options.
Scrypt
Requires ext-scrypt (php-scrypt).
Uses memoryCost (r, default: 8) and parallelism (p, default: 1) from challenge options.
HmacAlgorithm
Enum used for HMAC signing and PBKDF2 hash selection:
HmacAlgorithm::SHA256-SHA-256HmacAlgorithm::SHA384-SHA-384HmacAlgorithm::SHA512-SHA-512
ServerSignature::verifyServerSignature(string|array $data, string $hmacKey, HmacAlgorithm $hmacAlgorithm = HmacAlgorithm::SHA256): ServerSignatureVerification
Verifies a server signature payload.
ServerSignatureVerification
| Property | Type | Description |
|---|---|---|
verified |
bool |
Whether the signature is valid, not expired, and solution verified |
expired |
bool |
Whether the verification data has expired |
invalidSignature |
bool |
Whether the HMAC signature is invalid |
invalidSolution |
bool |
Whether the solution was not verified |
time |
float |
Verification time in seconds |
verificationData |
?ServerSignatureVerificationData |
Parsed verification data |
Verification data is parsed generically from URL-encoded params with auto-detected types (bool, int, float, string, array for fields/reasons). Access values via property or array syntax:
ServerSignature::verifyFieldsHash(array $formData, array $fields, string $fieldsHash, HmacAlgorithm $hmacAlgorithm = HmacAlgorithm::SHA256): bool
Verifies the hash of specific form fields.
Payload
Wraps a Challenge and Solution pair for verification and serialization.
V1 API
The V1 API is available under the AltchaOrg\Altcha\V1 namespace. It uses simple hash-based challenges (SHA-1, SHA-256, SHA-512) instead of key derivation functions.
Tests
License
MIT
