felixsand/phpsst

A PHP library for distributing (one time) passwords/secrets in a more secure way

v2.0.0 2022-08-07 20:26 UTC

This package is auto-updated.

Last update: 2024-11-08 01:17:17 UTC


README

Latest Stable Version Build Status License Scrutinizer Code Quality Code Coverage

A PHP library for distributing (one time) passwords/secrets in a more secure way

Installation

Add the package as a requirement to your composer.json:

$ composer require felixsand/phpsst

Usage

<?php
use PhPsst\PhPsst;
use PhPsst\Storage\FileStorage;

$phPsst = new PhPsst(new FileStorage('data/passwords', 10));
$secret = $phPsst->store('my secret password');
echo "Retrieve the password from: https://example.net/get-password?secret={$secret}";
<?php
use PhPsst\PhPsst;
use PhPsst\Storage\FileStorage;

$phPsst = new PhPsst(new FileStorage('data/passwords', 10));
$decryptedPassword = $phPsst->retrieve($_GET['secret']);
echo "The password stored: {$decryptedPassword}";

Storage Classes

FileStorage

The most basic of the storage classes is the FileStorage. It's also (generally) the most insecure and if you store a lot of passwords there's a performance issue due to the garbage collector being very crude. It is however the easiest way to try out the library and useful during development. The constructor parameter $gcProbability is a value from 0 and up, where 0 disables the GC; 1 means it's run for every file write; 10 means it got a 10% probability of running; etc. It's not recommended to turn it off.

$phPsst = new PhPsst(new FileStorage('data/passwords', 10));

RedisStorage

The recommended production storage class is the RedisStorage. It has great performance even during heavy use and since it removes the passwords with expired TTL automatically, it's more secure than the other options. It's important to note that if you're not reviewing the Redis configuration, it might purge entries even before the item's TTL has expired (if it's memory limit is reached) and the items will only live for as long as the server is running. This might be desired properties in certain cases, but you need to be aware of it when setting up the solution.

$redis = new \Predis\Client(array(
    'host' => '10.0.0.1',
    'port' => 6380,
));
$phPsst = new PhPsst(new RedisStorage($redis));

SqLiteStorage

If you don't have access to Redis, another storage engine that is suitable for production use is the SqLiteStorage. It's not as secure as the RedisStorage, mainly because of it's dependency on a garbage collector; as well as the possibility that the SqLite DB file might be included in backups, etc. It's also not suitable for setups with several webservers without access to a shared filesystem. The constructor parameter $gcProbability is the same as for the FileStorage.

$db = new \SQLite3('path/to/sqlite.db');
$phPsst = new PhPsst(new SqLiteStorage($db, 10));

Requirements

  • PHP 8.1 or above.
  • Redis (for the Redis Storage)

Demo

Author

Felix Sandström http://github.com/felixsand

Special thanks

License

Licensed under the MIT License - see the LICENSE file for details.