Download the PHP package biponix/laravel-secure-otp without Composer

On this page you can find all versions of the php package biponix/laravel-secure-otp. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package laravel-secure-otp

Laravel Secure OTP

Latest Version on Packagist GitHub Tests Action Status GitHub Code Style Action Status Total Downloads

A production-ready, secure OTP (One-Time Password) package for Laravel applications. Generate and verify OTP codes via Email, SMS, WhatsApp, or any Laravel notification channel.

Features

Installation

You can install the package via composer:

Run the migrations:

The migrations will run automatically from the package. If you need to customize the migration, you can publish it first:

Publish the config file (optional):

Configuration

The config file (config/secure-otp.php) allows you to customize:

Usage

Quick Start

Without Type Validation (Pass-through Mode)

With Type Validation (Recommended for production)

Basic Usage Example

Using with Dependency Injection

Custom Identifier Types

Create custom identifier types for phones, usernames, or any identifier format you need.

Step 1: Create Type Class

Step 2: Register Type in AppServiceProvider

Step 3: Use With Type Parameter

More Examples:

Generate Without Sending (Custom Delivery)

Send Synchronously (Block Until Sent)

Using the Facade (Optional)

Custom Notification Channels

Create your own notification class to route OTPs via SMS, WhatsApp, or other channels based on identifier type.

Type-Based Channel Routing:

Register Your Notification:

Update your .env:

Usage:

Cleanup Expired OTPs

The package requires scheduled cleanup to remove expired OTP records from the database.

Step 1: Add to Laravel Scheduler

In Laravel 11+, add to routes/console.php:

Or in app/Console/Kernel.php (Laravel 10 and below):

Step 2: Ensure Cron is Running

Make sure your server has the Laravel scheduler cron job configured:

Manual Cleanup (Optional)

Programmatic Cleanup (Advanced)

Security Features

1. HMAC-Based Storage (Rainbow Table Protection)

OTP codes are hashed using HMAC-SHA256 with a secret key before storage. This prevents rainbow table attacks even if the database is compromised. Plain codes are never saved.

2. Timing-Safe Comparison

Uses hash_equals() to prevent timing attacks during verification.

3. Context-Aware Rate Limiting (Brute Force Protection)

Separate rate limits for generation vs verification to balance security and user experience:

Generation (Sending OTP)

Verification (Checking OTP)

Key Features:

4. Generic Responses

Returns boolean values instead of detailed error messages to prevent enumeration attacks.

5. Race Condition Protection

Uses distributed cache locks (Cache::lock()) combined with database transactions and row-level locks (lockForUpdate()) to serialize OTP generation and ensure only one valid OTP exists per identifier at any time. Lock timeouts (3 seconds) provide friendly error messages under high concurrency.

6. Replay Attack Prevention

Previous OTPs are automatically invalidated when a new one is generated.

7. Attempt Limiting

Maximum verification attempts per OTP (default: 3) to prevent brute force attacks.

8. Security Logging with Privacy

Logs all security events (invalid codes, rate limits, etc.) with PII masking:

API Reference

generate(string $identifier, ?string $type = null): string

Generates an OTP code without sending it (for custom delivery methods).

Parameters:

Returns:

Throws:

Examples:


send(string $identifier, ?string $type = null): void

Generates and queues an OTP notification to the given identifier (non-blocking).

Parameters:

Returns:

Throws:

Examples:


sendNow(string $identifier, ?string $type = null): void

Generates and sends an OTP synchronously to the given identifier (blocks until sent).

Parameters:

Returns:

Throws:


verify(string $identifier, string $code, ?string $type = null): bool

Verifies an OTP code for the given identifier.

Parameters:

Returns:

Important: The $type parameter must match what was used when sending the OTP to ensure proper normalization.

Examples:


addType(string $name, OtpIdentifierType $type): void

Register a custom identifier type for validation and normalization.

Parameters:

Example:


cleanupExpired(): int

Deletes expired OTP records older than configured hours.

Returns: Number of deleted records

Testing

The package includes comprehensive tests:

Run tests with coverage (requires PCOV or Xdebug):

The package maintains 100% code coverage with 103 comprehensive tests covering all security features, edge cases, and error scenarios.

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Contributions are welcome! Please see CONTRIBUTING for details.

Security Vulnerabilities

If you discover a security vulnerability, please send an email to [email protected]. All security vulnerabilities will be promptly addressed.

Credits

License

The MIT License (MIT). Please see License File for more information.


All versions of laravel-secure-otp with dependencies

PHP Build Version
Package Version
Requires php Version ^8.1|^8.2|^8.3|^8.4
spatie/laravel-package-tools Version ^1.16
illuminate/contracts Version ^10.0|^11.0|^12.0|^13.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package biponix/laravel-secure-otp contains the following files

Loading the files please wait ...