hengeb/token

A small webtoken

Maintainers

Details

github.com/hengeb/token

Source

Issues

Installs: 168

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 1

Forks: 0

Open Issues: 0

v0.0.1 2021-10-17 22:40 UTC

Requires

  • php: >=7.4.0

MIT fdcc9be815715bea4f35c7acd05e3ba100ea4af0

This package is auto-updated.

Last update: 2025-06-18 07:31:00 UTC

README

A small webtoken library for PHP

Installation

Install the latest version with

$ composer require hengeb/token

Example

<?php

use Hengeb\Token\Token;

// generate token for an email change. The token payload includes the new address so it has not to be stored on the server until it is confirmed.
// to verify the token was not used before, the user's old address is used as additional information to sign the token but not stored in the token
// (along with the key "very-secret" which obviously should be something more secret)
$token = Token::encode([$user->id, $newEmail, time()], $user->email, "very-secret");

// it is save to use the token in a URL or database query, there is no need for escaping like urlencode()
mail($user->email, "confirm email", "Go to https://example.com/change-email.php?t=$token within 30 minutes to confirm your new email address.");

echo "Please check you postbox to confirm your new address.";
exit;

// [...]

// in change-email.php
try {
    // the callback function shall return the info that was used to create the token (in this case: the old email address)
    // it can also perform other checks to see if the token is valid
    $payload = Token::decode($_GET['t'], function ($payload) use (&$user) {
        list($userId, $email, $time) = $payload;
        if ($time < time() - 1800) {
            throw new \Exception("expired");
        }
        $user = loadUserFromDatabase($userId);
        // Return the information that was used to create the token.
        // this will also throw an exception if the user entry does not exist.
        return $user->email;
    }, "very-secret");
} catch (\RuntimeException $e) {
    die($e->getMessage() === "Invalid token: expired" ? "The confirmation link has expired, please request a new one." : "The confirmation link is invalid. Maybe you have already used it.");
}

$oldEmail = $user->email;
$user->email = $payload[1];
saveUser($user);
mail($oldEmail, "email changed", "You have successfully updated your email address to {$user->email}. This is our last mail to your old address.");

Author

Henrik Gebauer - code@henrik-gebauer.de - https://www.henrik-gebauer.de

License

This software is licensed under the MIT License - see the LICENSE file for details