allow passing a $secretSize when generating a secret #204
Closed
browner12 wants to merge 1 commit into Spomky-Labs:11.3.x from
This will allow the user to set their own secret length, but allow the package to still handle the creation of the string. I think this is a better interface for the user, as this is most likely a large chunk of the reasons someone would want to have a custom secret over the default. It also helps avoid a (likely) implicit dependency in user code. We are currently using `TOTP::createFromSecret(Base32::encode(Str::random(16)))->getSecret()` to generate a shorter random secret than the default. Here we are using the `Base32` class from `ParagonIE`, even though it is not an explicit dependency in our code. We probably should be, rather than implicitly depend on it. I'm guessing other people may make this mistake as well.
Member
Hi, Many thanks for the suggestion.
Contributor Author
The benefit is the user is not responsible for how the string is generated, only the string length they desire. In the example you give you are passing
Spomky added a commit that referenced this pull request Jan 3, 2026

This change allows users to specify a custom secret size when generating OTP instances, addressing the limitation mentioned in #204.

Changes:
- Add optional `secretSize` parameter to `OTP::generateSecret()` with validation (must be > 0)
- Update `HOTP::generate()` and `HOTP::create()` to accept and pass through `secretSize`
- Update `TOTP::generate()` and `TOTP::create()` to accept and pass through `secretSize`
- Add comprehensive tests for both HOTP and TOTP covering:
  - Default secret size generation
  - Custom secret size generation
  - Invalid secret size validation (0 and negative values)
  - Both `generate()` and `create()` methods

The parameter is optional and defaults to 64 bytes (103 base32 chars) to maintain backward compatibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Spomky pushed a commit that referenced this pull request Jan 3, 2026

This allows users to set their own secret length while letting the package handle the creation of the string. This provides a better interface for users and avoids requiring them to know about Base32 encoding.

Changes:
- Add optional `secretSize` parameter to `OTP::generateSecret()` with proper validation (must be > 0)
- Update `HOTP::generate()` and `HOTP::create()` to accept and pass through `secretSize`
- Update `TOTP::generate()` and `TOTP::create()` to accept and pass through `secretSize`
- Use correct type hint `?int $secretSize = null` instead of `int $secretSize = null`
- Add comprehensive tests for both HOTP and TOTP covering:
  - Default secret size generation
  - Custom secret size generation
  - Invalid secret size validation (0 and negative values)
  - Both `generate()` and `create()` methods

The parameter is optional and defaults to 64 bytes (103 base32 chars) to maintain full backward compatibility.

Closes #204
Member
Thank you for this contribution! Your feature has been implemented and merged in #249. The PR includes:
The feature is now available in the 11.4.x branch. Thanks again for identifying this need and providing the initial implementation!
anthonyryan1 pushed a commit to anthonyryan1/otphp that referenced this pull request Jan 8, 2026

* Allow passing a custom secret size when generating OTP

This allows users to set their own secret length while letting the package handle the creation of the string. This provides a better interface for users and avoids requiring them to know about Base32 encoding.

Changes:
- Add optional `secretSize` parameter to `OTP::generateSecret()` with proper validation (must be > 0)
- Update `HOTP::generate()` and `HOTP::create()` to accept and pass through `secretSize`
- Update `TOTP::generate()` and `TOTP::create()` to accept and pass through `secretSize`
- Use correct type hint `?int $secretSize = null` instead of `int $secretSize = null`
- Add comprehensive tests for both HOTP and TOTP covering:
  - Default secret size generation
  - Custom secret size generation
  - Invalid secret size validation (0 and negative values)
  - Both `generate()` and `create()` methods

The parameter is optional and defaults to 64 bytes (103 base32 chars) to maintain full backward compatibility.

Closes Spomky-Labs#204

* Update PHPStan baseline

---------

Co-authored-by: Andrew Brown <browner12@gmail.com>
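The relationship between secret size and Base32 length stated in the commit messages (64 bytes, 103 characters) and the "must be > 0" validation, as an added example that is not code from OTPHP or from this pull request; `base32EncodeUnpadded`, `generateSecret` and `base32Length` are hypothetical names. It also prints the entropy of a 16-character alphanumeric string (assumed to use a 62-symbol alphabet) next to 16 random bytes, for comparison with RFC 4226, which requires a shared secret of at least 128 bits and recommends 160 bits.

```php
<?php
declare(strict_types=1);

// Added example: function names are hypothetical, not OTPHP's API.

/** Unpadded RFC 4648 Base32 encoding of raw bytes. */
function base32EncodeUnpadded(string $bytes): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $out = '';
    $buffer = 0; // bit accumulator
    $bits = 0;   // number of unread bits in $buffer
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $buffer = ($buffer << 8) | ord($bytes[$i]);
        $bits += 8;
        while ($bits >= 5) {
            $bits -= 5;
            $out .= $alphabet[($buffer >> $bits) & 0x1F];
        }
        $buffer &= (1 << $bits) - 1; // drop bits already emitted
    }
    if ($bits > 0) { // left-align the final partial group
        $out .= $alphabet[($buffer << (5 - $bits)) & 0x1F];
    }
    return $out;
}

/** Base32 secret from $size CSPRNG bytes; rejects 0 and negative sizes. */
function generateSecret(int $size = 64): string
{
    if ($size < 1) {
        throw new InvalidArgumentException('Secret size must be greater than 0.');
    }
    return base32EncodeUnpadded(random_bytes($size));
}

/** Unpadded Base32 length for $bytes input bytes: ceil(8 * $bytes / 5). */
function base32Length(int $bytes): int
{
    return intdiv($bytes * 8 + 4, 5);
}

foreach ([16, 20, 64] as $size) {
    printf("%2d bytes = %3d bits -> %3d Base32 chars (expected %d)\n",
        $size, $size * 8, strlen(generateSecret($size)), base32Length($size));
}
// Assumption: a 16-character string over a 62-symbol alphabet (constructed case).
printf("16 alphanumeric chars: %.1f bits, also %d Base32 chars\n",
    16 * log(62, 2), base32Length(16));
```

The encoded length alone does not show how much entropy a secret carries: both 16-byte inputs encode to the same number of Base32 characters.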
Target branch: 11.3.x
Resolves issue: none
If there's a better architecture way to handle this, open to suggestions.