medo19/otp-shield

A Laravel plug-n-play OTP/TOTP package

Package info

github.com/Eng-MuhammadAbdulrazek/otp-shield

pkg:composer/medo19/otp-shield

Statistics

Installs: 24

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

v1.0.6 2025-09-09 10:53 UTC

This package is auto-updated.

Last update: 2026-03-09 12:04:27 UTC


README

OTPSHIELD is a professional, plug-n-play OTP/TOTP package for Laravel. It provides secure, time-based OTPs with:

  • Polymorphic OTP storage (supports users, admins, devices, etc.)
  • Encrypted secrets
  • Middleware for route protection
  • SVG QR code generation for Google Authenticator, Authy, etc.
  • Artisan commands for management
  • Configurable period, digits, and lockout policies

📦 Installation

Require the package and dependencies via Composer:

composer require medo19/otp-shield

Add OTPSHIELD to your Laravel project (if not using auto-discovery):

// config/app.php
'providers' => [
    // ...
    OtpShield\OtpShieldServiceProvider::class,
],
'aliases' => [
    // ...
    'OtpShield' => OtpShield\Facades\OtpShield::class,
],

Publish the configuration and migrations:

php artisan vendor:publish --provider="OtpShield\OtpShieldServiceProvider" --tag="config"
php artisan migrate

⚙️ Configuration

config/otp-shield.php contains:

return [
    'digits' => 6,            // Number of OTP digits
    'period' => 30,           // Validity period in seconds
    'algorithm' => 'sha1',    // Hash algorithm
    'issuer' => env('APP_NAME', 'Laravel App'),
    'max_attempts' => 5,      // Max failed attempts before lockout
    'lockout_time' => 300,    // Lockout duration in seconds
    'default_otp_type' => 'totp',  // Allowed values: totp, hotp (default: totp)
];

🧩 Usage in Models

Add the trait and contract to your User model:

use OtpShield\Traits\HasOtp;
use OtpShield\Contracts\OtpAuthenticatable;

class User extends Authenticatable implements OtpAuthenticatable
{
    use HasOtp;
}

🔑 Enable OTP

$otp = $user->enableOtp();

🖼 Generate QR Code (SVG)

$qrSvg = $user->getOtpQrCode(); // returns SVG string

// Embed in Blade
echo '<div class="otp-qr">'.$qrSvg.'</div>';

Or via the facade directly:

use OtpShield\Facades\OtpShield;
$qrSvg = OtpShield::provisioningQr($secret, $user->email, config('otp-shield.issuer'));

✅ Verify OTP

$isValid = $user->verifyOtp('123456'); // true/false

🛡 Middleware Protection

Route::middleware(['auth', \OtpShield\Middleware\EnsureOtpVerified::class])
    ->group(function () {
        Route::get('/secure-data', [SecureDataController::class, 'index']);
    });

🛠 Artisan Commands

  • Enable OTP:
    php artisan otp-shield:enable {user_id}
  • Disable OTP:
    php artisan otp-shield:disable {user_id}
  • Verify OTP manually:
    php artisan otp-shield:verify {user_id} {code}
  • Generate QR code for API / frontend (SVG):
    php artisan otp-shield:generate-qr {user_id} --file=optional.png

💡 Best Practices

  1. Always encrypt secrets: OTPSHIELD handles this automatically.
  2. Use middleware to protect sensitive routes.
  3. Return QR as SVG in APIs for dynamic frontend rendering.
  4. Monitor failed attempts to prevent brute-force attacks.
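
How the `digits`, `period`, `algorithm`, `max_attempts` and `lockout_time` settings fit together, shown as an added example that is not otp-shield's own code: a standalone RFC 6238 computation with a failed-attempt lockout. The function names, the in-memory `$state` array and the raw (unencoded) sample secret are assumptions made for illustration.

```php
<?php
// Added example, not otp-shield's implementation. Function names and the
// in-memory $state array are hypothetical; a real app persists the counters.
$config = ['digits' => 6, 'period' => 30, 'algorithm' => 'sha1',
           'max_attempts' => 5, 'lockout_time' => 300];

function totp(string $rawSecret, int $time, array $cfg): string
{
    // Moving factor: whole periods since the Unix epoch, 8 bytes big-endian.
    $counter = pack('J', intdiv($time, $cfg['period']));
    $hmac = hash_hmac($cfg['algorithm'], $counter, $rawSecret, true);
    // Dynamic truncation: low nibble of the last byte selects a 4-byte window.
    $offset = ord($hmac[strlen($hmac) - 1]) & 0x0F;
    $bin = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    $code = (string) ($bin % (10 ** $cfg['digits']));
    return str_pad($code, $cfg['digits'], '0', STR_PAD_LEFT);
}

function verifyWithLockout(array &$state, string $rawSecret, string $code, int $now, array $cfg): bool
{
    if ($now < ($state['locked_until'] ?? 0)) {
        return false; // locked out: reject without evaluating the code
    }
    // hash_equals() compares in constant time.
    if (hash_equals(totp($rawSecret, $now, $cfg), $code)) {
        $state = ['failures' => 0, 'locked_until' => 0];
        return true;
    }
    $state['failures'] = ($state['failures'] ?? 0) + 1;
    if ($state['failures'] >= $cfg['max_attempts']) {
        $state = ['failures' => 0, 'locked_until' => $now + $cfg['lockout_time']];
    }
    return false;
}

// Constructed sample input: the RFC 6238 SHA-1 test secret, clock at t = 59 s.
$secret = '12345678901234567890';
$now = 59;
$state = [];
for ($i = 0; $i < $config['max_attempts']; $i++) {
    verifyWithLockout($state, $secret, '000000', $now, $config); // wrong guesses
}
// A correct code is refused while locked out, then accepted once lockout_time has passed.
$during = verifyWithLockout($state, $secret, totp($secret, $now, $config), $now, $config);
$later = $now + $config['lockout_time'];
$after = verifyWithLockout($state, $secret, totp($secret, $later, $config), $later, $config);
var_dump($during, $after);
```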

🧪 Example Workflow

// 1. Enable OTP
$otp = $user->enableOtp();

// 2. Generate QR code for frontend
$qrSvg = $user->getOtpQrCode();

// 3. Display QR code for scanning in app
echo $qrSvg;

// 4. User scans QR in Google Authenticator

// 5. Verify OTP code during login
$isValid = $user->verifyOtp($inputOtp);

if ($isValid) {
    // Grant access
}

🌐 Supported Apps

  • Google Authenticator
  • Authy
  • Microsoft Authenticator
  • Any TOTP-compatible app

⚡ Summary

OTPSHIELD makes adding secure, TOTP-based authentication to Laravel fast and reliable, with minimal setup, modern SVG QR codes, and robust security features.