otphp
Add option to only accept otp codes after a given timestamp
| Q | A |
|---|---|
| Branch? | v10.0 |
| Bug fix? | no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | related to https://github.com/Spomky-Labs/otphp/issues/113 |
| License | MIT |
| Tests added | :ballot_box_with_check: |
| Doc PR |
This PR allows users to prevent token re-use.
Hi,
Thanks for submitting this PR. As I said in the previous one, I do not see any reason for adding this here.
You can simply do it on your application (not tested):
```php
$otp = TOTP::create($user->getOtpSecret());
$currentOtp = $otp->now();
$currentTimecode = (int) floor((time() - $otp->getEpoch()) / $otp->getPeriod());
$lastValidOtp = $this->getLastValidOtpSubmittedByUserWithinTheCurrentTimecode($user, $currentTimecode); // Application specific function

if ($lastValidOtp === $currentOtp) {
    throw new \InvalidArgumentException('This current OTP has already been used a few seconds ago');
}

if (!$otp->verify($userInput)) {
    throw new \InvalidArgumentException('This OTP is invalid');
}

$this->setLastValidOtpSubmittedByUserWithinTheCurrentTimecode($user, $currentTimecode, $currentOtp); // Application specific function
```
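An added example, not part of the PR or of the comment above: application-side replay protection that records the last accepted time step per user, so a code is rejected on re-use even when a drift window is accepted. `ReplayGuard`, its in-memory array and the sample secret are assumptions for illustration; it relies only on the `at()`, `getEpoch()` and `getPeriod()` calls of otphp v10.

```php
<?php
// Added example, not otphp or PR code. ReplayGuard is a hypothetical helper.
// Assumes spomky-labs/otphp v10 installed through Composer.
require __DIR__ . '/vendor/autoload.php';

use OTPHP\TOTP;
use OTPHP\TOTPInterface;

final class ReplayGuard
{
    /** @var array<string,int> Last accepted time step per user (stand-in for a database column). */
    private $lastStep = [];

    public function verify(string $userId, TOTPInterface $otp, string $input, int $now, int $window = 1): bool
    {
        $period  = $otp->getPeriod();
        $epoch   = $otp->getEpoch();
        $current = intdiv($now - $epoch, $period);
        $floor   = $this->lastStep[$userId] ?? -1;

        // Walk the accepted drift window, skipping every step at or below the last one consumed.
        for ($step = max($current - $window, $floor + 1); $step <= $current + $window; $step++) {
            // hash_equals() compares in constant time.
            if (hash_equals($otp->at($epoch + $step * $period), $input)) {
                // In production, persist with an atomic "UPDATE ... WHERE last_step < :step"
                // so two concurrent requests cannot both consume the same step.
                $this->lastStep[$userId] = $step;
                return true;
            }
        }
        return false;
    }
}

// Constructed sample secret and user id.
$otp   = TOTP::create('JBSWY3DPEHPK3PXP');
$guard = new ReplayGuard();
$now   = time();
$code  = $otp->at($now);

var_dump($guard->verify('alice', $otp, $code, $now));      // first submission of the code
var_dump($guard->verify('alice', $otp, $code, $now));      // same code replayed in the same period
var_dump($guard->verify('alice', $otp, $code, $now + 30)); // replay one period later, still inside the drift window
```

Storing the time step rather than the code string keeps the check monotonic: once a step is consumed, that step and every earlier one are refused, regardless of the window size.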
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contribution.