Download the PHP package rollerworks/split-token without Composer
Package split-token
Short Description Token-Based Authentication Protocol without Side-Channels
License MPL-2.0
Homepage https://rollerworks.github.io
Information about the package split-token
Rollerworks SplitToken Component
SplitToken provides a Token-Based Authentication Protocol without Side-Channels.
This technique is based on Split Tokens: Token-Based Authentication Protocols without Side-Channels, which was first proposed by Paragon Initiative Enterprises.
SplitToken-based authentication is best used for password resetting or one-time single logon.
While possible, this technique is not recommended as a replacement for OAuth or JSON Web Tokens.
Introduction
Unlike traditional Token-Based Authentication Protocols, a SplitToken consists of two parts: the selector (used in the query) and the verifier (not used in the query).
- The selector is a 24-byte fixed-length random string, which is used as an identifier. You can safely create a unique index for this field.
- The verifier works as a password and is only provided to the user; the database only holds a salted (cryptographic) hash of the verifier. The length of this value depends heavily on the hashing algorithm used and should not be hardcoded.
The full token is provided to the user or recipient and functions as a combined identifier (selector) and password (verifier).
Caution: You NEVER store the full token as-is! You only store the selector, and a (cryptographic) hash of the verifier.
Installation
To install this package, add rollerworks/split-token to your composer.json:
Now, Composer will automatically download all required files and install them for you.
Requirements
PHP 8.1 with the sodium extension enabled (default since PHP 8).
Basic Usage
Once a result is found using the selector, the stored verifier hash is used to compute a matching hash of the provided verifier, and the two values are compared in constant time to protect against side-channel attacks.
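As an added illustration of the selector/verifier split from the Introduction and the lookup-then-constant-time-compare flow described above (example code written for this page, not the component's own implementation or API): the in-memory `$store` array, the 32-byte verifier length and the salted BLAKE2b hash via `sodium_crypto_generichash` are assumptions, since the component derives the verifier length and hash from its configured hasher.

```php
<?php
declare(strict_types=1);
const SELECTOR_BYTES = 24; // fixed length, safe to put a unique index on
const VERIFIER_BYTES = 32; // assumption for this example; the component derives it from its hasher
// Issue a token; $store is a constructed in-memory stand-in for the database table.
function issueToken(array &$store): string
{
    $selector = random_bytes(SELECTOR_BYTES);
    $verifier = random_bytes(VERIFIER_BYTES);
    $salt     = random_bytes(SODIUM_CRYPTO_GENERICHASH_KEYBYTES);
    // Persist only the selector and a salted hash of the verifier, never the full token.
    $store[sodium_bin2hex($selector)] = [
        'salt' => $salt,
        'hash' => sodium_crypto_generichash($verifier, $salt),
    ];
    // Full token handed to the recipient: selector followed by verifier, URL-safe encoded.
    $token = sodium_bin2base64($selector . $verifier, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    sodium_memzero($verifier);
    return $token;
}

// Verify a presented token; every failure path zeroes the secret and reports a generic false.
function verifyToken(array $store, string $token): bool
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException) {
        return false; // malformed encoding, no detail about why
    }
    if (strlen($raw) !== SELECTOR_BYTES + VERIFIER_BYTES) {
        sodium_memzero($raw);
        return false;
    }
    $selector = substr($raw, 0, SELECTOR_BYTES); // used for the lookup only
    $verifier = substr($raw, SELECTOR_BYTES);    // never used in the query
    sodium_memzero($raw);
    $row = $store[sodium_bin2hex($selector)] ?? null;
    if ($row === null) {
        sodium_memzero($verifier);
        return false;
    }
    $computed = sodium_crypto_generichash($verifier, $row['salt']);
    sodium_memzero($verifier);
    return hash_equals($row['hash'], $computed); // constant-time comparison
}
$db = [];
$token = issueToken($db);
var_dump(verifyToken($db, $token));        // bool(true)
var_dump(verifyToken($db, 'not-a-token')); // bool(false)
```

Note that `$store` only ever holds the selector and the salted hash, so a leaked copy of it does not yield a usable token.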
See also:
- Replacing an existing token
- Using metadata for advanced usage
- Configuring the hasher
Error Handling
For security reasons, a SplitToken only throws generic runtime exceptions for wrong usage, and no detailed exceptions about invalid input.
In the case of an error, the memory holding the verifier and the full token is zeroed to prevent leakage during a core dump or unhandled exception.
Versioning
For transparency and insight into the release cycle, and for striving to maintain backward compatibility, this package is maintained under the Semantic Versioning guidelines as much as possible.
Releases will be numbered with the following format:
<major>.<minor>.<patch>
And constructed with the following guidelines:
- Breaking backward compatibility bumps the major (and resets the minor and patch)
- New additions without breaking backward compatibility bumps the minor (and resets the patch)
- Bug fixes and misc changes bump the patch
For more information on SemVer, please visit http://semver.org/.
Who is behind this library?
This library is brought to you by Sebastiaan Stok.
The Split Token idea was first proposed by Paragon Initiative Enterprises.
License
The source code of this package is subject to the terms of the Mozilla Public License, version 2.0 (MPLv2.0), which can be safely used with any other license, including MIT and GNU GPL.
All versions of split-token with dependencies
paragonie/constant_time_encoding Version ^2.6
paragonie/hidden-string Version ^2.0
psr/clock Version ^1.0