├── LICENSE
├── README.md
├── composer.json
├── src
    └── otp.class.php
└── test
    ├── newotp.php
    └── verifyotp.php


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 Mohammad Sakib
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PHP OTP Without Database
 2 | ## What is it?
 3 | This is a simple script written in php to verify One Time Password **(OTP)** without any database. You can read the [blog post here](https://blog.anam.co/otp-verification-without-using-a-database/) to understand the technique and motivation.
 4 | 
 5 | ## How to install
 6 | ```
 7 | git clone https://github.com/moh4mmad/php-otp-without-database.git
 8 | ```
 9 | or
10 | ```
11 | composer require moh4mmad/php-otp-without-database
12 |  ```
13 | ## Usage
14 | You need additional tool to send SMS. This module only takes care of the verification part.
15 | ## Verification process
16 | OTP verification is done in the following steps:
17 |  - A hash is created with the phone number/email address and then sent to the user.
18 |  - The user also receives the OTP via SMS, email or any other method.
19 |  - The user sends back the hash, OTP and phone/email used in the first request.
20 |  - The server verifies the information and returns true if they match.
21 | 
22 | ## Generating OTP Hash
23 | ```
24 | $otp = new Sakib\OTP;
25 | $email = "test@abc.com";
26 | $code = $otp->generateRandomString(6);
27 | $hash = $otp->CreateOTP($email, $code);
28 | ```
29 | You can then send this hash to the user as response.
30 | ```
31 | CreateOTP($email, $otp, $key = "verysecret", $min = 5, $algo = "sha256");
32 | ```
33 | ## Verifying OTP hash
34 | The user should get the hash from the HTTP request and should get the real OTP via SMS or email.
35 | Then when the user sends back the information, they can be verified with the following code:
36 | ```
37 | VerifyTOP($email, $otp, $hash, $key="verysecret", $algo = "sha256");
38 | ```
39 | This method returns a Boolean. If the verification is successful, it will return true.
40 | 
41 | ## Issues
42 | If you come across any issues please report them [here](https://github.com/moh4mmad/php-otp-without-database/issues)
43 | 


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "moh4mmad/php-otp-without-database",
 3 |     "description": "OTP verification using cryptography without database",
 4 |     "type": "library",
 5 |     "license": "MIT",
 6 |     "authors": [
 7 |         {
 8 |             "name": "Sakib",
 9 |             "email": "sakib@sakib.info"
10 |         }
11 |     ],
12 |     "autoload": {
13 |         "psr-4": {
14 |             "Sakib\\": "src/"
15 |         }
16 |     },
17 |     "version": "1.0.0",
18 |     "require": {}
19 | }
20 | 


--------------------------------------------------------------------------------
/src/otp.class.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | namespace Sakib;
 3 | 
 4 | class OTP
 5 | {
 6 | 	/**
 7 | 	 * Create OTP function
 8 | 	 *
 9 | 	 * @param string $email
10 | 	 * @param string $otp
11 | 	 * @param string $key
12 | 	 * @param integer $min
13 | 	 * @param string $algo
14 | 	 * @return string
15 | 	 */	
16 | 	public function CreateOTP($email, $otp, $key = "verysecret", $min = 5, $algo = "sha256")
17 | 	{
18 | 		$expireAfter = time() + $min * 60 * 1000; //Expires after in Minutes, converteed to miliseconds
19 | 		$data = $email . $otp . $expireAfter;
20 | 		 
21 | 		// creating SHA256 hash of the data
22 | 		$hash = hash_hmac($algo, $data, $key);
23 | 		
24 | 		// send email mail("someone@example.com","OTP", "OTP: ".$otp);
25 | 		return $hash . "." . $expireAfter;
26 | 	}
27 | 	
28 | 	/**
29 | 	 * Verify OTP
30 | 	 *
31 | 	 * @param string $email
32 | 	 * @param string $otp
33 | 	 * @param string $hash
34 | 	 * @param string $key
35 | 	 * @param string $algo
36 | 	 * @return boolean
37 | 	 */
38 | 	public function VerifyOTP($email, $otp, $hash, $key = "verysecret", $algo = "sha256")
39 | 	{
40 | 		// Hash should have at least one dot
41 | 		if (strpos($hash, '.') !== false) {
42 | 			// Seperate Hash value and expires from the hash returned from the user
43 | 			$hashdata = explode (".", $hash); 
44 | 			
45 | 			// Check if expiry time has passed
46 | 			if (time() > $hashdata[1] ) {
47 | 				return false;
48 | 			}
49 | 			
50 | 			// Calculate new hash with the same key and the same algorithm
51 | 			$data = $email . $otp . $hashdata[1];
52 | 			$newHash = hash_hmac($algo, $data, $key); 
53 | 			
54 | 			// Match the hashes
55 | 			if ($newHash == $hashdata[0]) {
56 | 				return true;
57 | 			}
58 | 		} else {
59 | 			return false;
60 | 		}
61 | 	}
62 | 	
63 | 	/**
64 | 	 * Generate Random String
65 | 	 *
66 | 	 * @param integer $length
67 | 	 * @return string
68 | 	 */
69 | 	public function generateRandomString($length = 6)
70 | 	{
71 | 		$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
72 | 		$charactersLength = strlen($characters);
73 | 		$randomString = '';
74 | 		
75 | 		for ($i = 0; $i < $length; $i++) {
76 | 			$randomString .= $characters[rand(0, $charactersLength - 1)];
77 | 		}
78 | 		
79 | 		return $randomString;
80 | 	}
81 | 	
82 | }
83 | 


--------------------------------------------------------------------------------
/test/newotp.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | require_once '../src/otp.class.php';
 4 | session_start();
 5 | 
 6 | if (isset($_POST["email"])) {
 7 | $otp = new Sakib\OTP;
 8 | $code = $otp->generateRandomString(6);
 9 | $email = $_POST['email'];
10 | $hash = $otp->CreateOTP($email,$code);
11 | $_SESSION['email'] = $email;
12 | $_SESSION['hash'] = $hash;
13 | header("Location: verifyotp.php"); 
14 | }
15 | ?>
16 | 
17 | <!DOCTYPE html>
18 | <html lang="en">
19 | <head>
20 | <meta charset="utf-8">
21 | <meta http-equiv="X-UA-Compatible" content="IE=edge">
22 | <meta name="viewport" content="width=device-width, initial-scale=1">
23 | <title>OTP Verification without Database</title>
24 | <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
25 | <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
26 | <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> 
27 | <style type="text/css">
28 | 	.login-form {
29 | 		width: 340px;
30 |     	margin: 50px auto;
31 | 	}
32 |     .login-form form {
33 |     	margin-bottom: 15px;
34 |         background: #f7f7f7;
35 |         box-shadow: 0px 2px 2px rgba(0, 0, 0, 0.3);
36 |         padding: 30px;
37 |     }
38 |     .login-form h2 {
39 |         margin: 0 0 15px;
40 |     }
41 |     .form-control, .btn {
42 |         min-height: 38px;
43 |         border-radius: 2px;
44 |     }
45 |     .btn {        
46 |         font-size: 15px;
47 |         font-weight: bold;
48 |     }
49 | </style>
50 | </head>
51 | <body>
52 | <div class="login-form">
53 |     <form action="" method="post">
54 |         <h3 style="font-size: 20px;" class="text-center">OTP Verification without DB</h3>       
55 |         <div class="form-group">
56 |             <input type="email" name="email" class="form-control" placeholder="Email" required="required">
57 |         </div>
58 |         <div class="form-group">
59 |             <button type="submit" class="btn btn-primary btn-block">Submit</button>
60 |         </div>
61 |     </form>
62 | </div>
63 | </body>
64 | </html>       
65 | 


--------------------------------------------------------------------------------
/test/verifyotp.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | require_once '../src/otp.class.php';
 4 | session_start();
 5 | if (empty($_SESSION['hash']))
 6 | {
 7 |     header("Location: index.php"); 
 8 |     exit();
 9 | }
10 | if (isset($_POST["otp"])) {
11 |     $otp = new Sakib\OTP;
12 |     $email = $_SESSION['email'];
13 |     $hash = $_SESSION['hash'];
14 |     $code = $_POST['otp'];
15 |     
16 |     $hash = $otp->VerifyTOP($email,$code,$hash);
17 |     
18 |     if($hash == TRUE)
19 |     {
20 |         $success = true;
21 |         session_destroy();
22 |     }
23 |     else
24 |     {
25 |         $error = true;
26 |     }
27 | }
28 | ?>
29 | 
30 | <!DOCTYPE html>
31 | <html lang="en">
32 | <head>
33 | <meta charset="utf-8">
34 | <meta http-equiv="X-UA-Compatible" content="IE=edge">
35 | <meta name="viewport" content="width=device-width, initial-scale=1">
36 | <title>OTP Verification without Database</title>
37 | <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
38 | <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
39 | <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> 
40 | <style type="text/css">
41 | 	.login-form {
42 | 		width: 340px;
43 |     	margin: 50px auto;
44 | 	}
45 |     .login-form form {
46 |     	margin-bottom: 15px;
47 |         background: #f7f7f7;
48 |         box-shadow: 0px 2px 2px rgba(0, 0, 0, 0.3);
49 |         padding: 30px;
50 |     }
51 |     .login-form h2 {
52 |         margin: 0 0 15px;
53 |     }
54 |     .form-control, .btn {
55 |         min-height: 38px;
56 |         border-radius: 2px;
57 |     }
58 |     .btn {        
59 |         font-size: 15px;
60 |         font-weight: bold;
61 |     }
62 | </style>
63 | </head>
64 | <body>
65 | <div class="login-form">
66 |     <form action="" method="post">
67 |         <h3 style="font-size: 20px;" class="text-center">OTP Verification without DB</h3> 
68 |         <?php if(isset($error)) {?>
69 |         <div class="alert alert-danger" role="alert"> Verification failed! </div>
70 |         <?php } ?>
71 |         
72 |         <?php if(isset($success)) {?>
73 |         <div class="alert alert-success" role="alert"> Verification success! </div>
74 |         <?php } ?>
75 |         
76 |         <div class="form-group">
77 |             <input type="text" name="otp" class="form-control" placeholder="OTP" required="required">
78 |         </div>
79 |         <div class="form-group">
80 |             <button type="submit" class="btn btn-primary btn-block">Submit</button>
81 |         </div>
82 |     </form>
83 | </div>
84 | </body>
85 | </html>
86 | 


--------------------------------------------------------------------------------