PHP Classes

File: docs/guides/storage.rst

Recommend this page to a friend!
  Packages of A. B. M. Mahmudul Hasan   OTP   docs/guides/storage.rst   Download  
File: docs/guides/storage.rst
Role: Auxiliary data
Content type: text/plain
Description: Auxiliary data
Class: OTP
Generate token to be verified during a time window
Author: By
Last change:
Date: 20 days ago
Size: 2,116 bytes
 

Contents

Class file image Download
Storage Guidance ================ Secrets ------- OTP secrets are reversible secrets. If your application must generate future codes, hashing alone is not enough. Recommended practice: - store OTP secrets encrypted at rest - keep encryption keys outside the primary application database when possible - version secret records so rotation and grace-period overlap can be tracked safely - prefer a separate secret reference in enrollment records instead of duplicating raw secrets everywhere The package includes ``Infocyph\OTP\Contracts\SecretStoreInterface`` for applications that want an explicit abstraction around secret persistence. Recovery codes -------------- Recovery codes should usually be stored hashed. Recommended practice: - hash each recovery code before storage - store one row per code or per active batch plus child rows - track ``used_at`` or equivalent consumption state atomically - revoke or replace the old active batch when issuing a new set - expose derived metadata such as total issued, remaining, and last used Replay state ------------ Replay state can live in cache or a database depending on your durability needs. Recommended practice: - use durable storage for HOTP counters and any state that must survive restarts - use token-expiry or cleanup jobs for consumed TOTP/OCRA replay tokens - index by namespace, binding, and token - keep replay data logically separate from secrets and recovery-code hashes Generic OTP ----------- Generic OTP requires a caller-provided PSR-6 cache pool implementation. Contracts --------- The package includes contracts you can implement in your own infrastructure: - ``Infocyph\OTP\Contracts\ReplayStoreInterface`` - ``Infocyph\OTP\Contracts\RecoveryCodeStoreInterface`` - ``Infocyph\OTP\Contracts\SecretStoreInterface`` Implementation examples ----------------------- See :doc:`custom-stores` for a step-by-step guide to building persistent database-backed implementations for: - recovery code tracking - replay tracking - secret storage design guidance - day-to-day metadata such as total issued, remaining, and last-used time