2017 © Pedro Peláez
 

library phpsst

A PHP library for distributing (one time) passwords/secrets in a more secure way

felixsand/phpsst

  • Sunday, December 31, 2017
  • by felixsand
  • Repository
  • 1 Watchers
  • 0 Stars
  • 17 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 7 Versions
  • 0 % Grown

The README.md

PhPsst

A PHP library for distributing (one time) passwords/secrets in a more secure way.

Installation

Add the package as a requirement to your composer.json:

$ composer require felixsand/phpsst

Usage

<?php
use PhPsst\PhPsst;
use PhPsst\Storage\FileStorage;

$phPsst = new PhPsst(new FileStorage('data/passwords', 10));
$secret = $phPsst->store('my secret password');
echo "Retrieve the password from: https://example.net/get-password?secret={$secret}";

<?php
use PhPsst\PhPsst;
use PhPsst\Storage\FileStorage;

$phPsst = new PhPsst(new FileStorage('data/passwords', 10));
$decryptedPassword = $phPsst->retrieve($_GET['secret']);
echo "The password stored: {$decryptedPassword}";

Storage Classes

FileStorage

The most basic of the storage classes is the FileStorage. It's also (generally) the most insecure, and if you store a lot of passwords there's a performance issue due to the garbage collector being very crude. It is however the easiest way to try out the library and useful during development. The constructor parameter $gcProbability is a value from 0 and up, where 0 disables the GC; 1 means it's run for every file write; 10 means it has a 10% probability of running; etc. It's not recommended to turn it off.

$phPsst = new PhPsst(new FileStorage('data/passwords', 10));

RedisStorage

The recommended production storage class is the RedisStorage. It has great performance even during heavy use, and since it removes the passwords with expired TTL automatically, it's more secure than the other options. It's important to note that if you're not reviewing the Redis configuration, it might purge entries even before the item's TTL has expired (if its memory limit is reached), and the items will only live for as long as the server is running. These might be desired properties in certain cases, but you need to be aware of them when setting up the solution.

$redis = new \Predis\Client(array(
    'host' => '10.0.0.1',
    'port' => 6380,
));
$phPsst = new PhPsst(new RedisStorage($redis));
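
The Redis configuration review mentioned above can be scripted. The following is an added example, not code from PhPsst: `auditRedisForSecrets()` is a hypothetical helper, and its input is assumed to be a name => value map of Redis settings (the sample maps are constructed).

```php
<?php
// Added example: auditRedisForSecrets() is a hypothetical helper, not part of PhPsst.
// Input: Redis settings as a name => value map, e.g. collected with CONFIG GET.

function auditRedisForSecrets(array $cfg): array
{
    $findings  = [];
    $maxMemory = (int) ($cfg['maxmemory'] ?? 0);            // 0 means no memory limit
    $policy    = $cfg['maxmemory-policy'] ?? 'noeviction';

    if ($maxMemory > 0 && $policy !== 'noeviction') {
        // Both allkeys-* and volatile-* policies may evict keys that carry a TTL.
        $findings[] = "eviction: policy '{$policy}' can drop secrets before their TTL "
            . "once {$maxMemory} bytes are in use";
    } elseif ($maxMemory > 0) {
        $findings[] = "capacity: 'noeviction' keeps existing secrets, "
            . "but new writes fail when memory is full";
    }

    $rdb = trim((string) ($cfg['save'] ?? '')) !== '';      // RDB snapshot schedule set
    $aof = ($cfg['appendonly'] ?? 'no') === 'yes';          // append-only file enabled
    if ($rdb || $aof) {
        $findings[] = 'persistence: RDB/AOF is on, so secrets are written to disk '
            . 'and can end up in backups';
    } else {
        $findings[] = 'persistence: off, so stored secrets are lost when the server restarts';
    }

    return $findings;
}

// Constructed sample configurations (not taken from a real server).
$samples = [
    'shared cache instance' => ['maxmemory' => '268435456', 'maxmemory-policy' => 'allkeys-lru',
                                'save' => '', 'appendonly' => 'no'],
    'dedicated instance'    => ['maxmemory' => '0', 'maxmemory-policy' => 'noeviction',
                                'save' => '3600 1', 'appendonly' => 'no'],
];

foreach ($samples as $name => $cfg) {
    echo $name, PHP_EOL;
    foreach (auditRedisForSecrets($cfg) as $finding) {
        echo "  - {$finding}", PHP_EOL;
    }
}
```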

SqLiteStorage

If you don't have access to Redis, another storage engine that is suitable for production use is the SqLiteStorage. It's not as secure as the RedisStorage, mainly because of its dependency on a garbage collector, as well as the possibility that the SqLite DB file might be included in backups, etc. It's also not suitable for setups with several webservers without access to a shared filesystem. The constructor parameter $gcProbability is the same as for the FileStorage.

$db = new \SQLite3('path/to/sqlite.db');
$phPsst = new PhPsst(new SqLiteStorage($db, 10));

Requirements

  • PHP 8.1 or above.
  • Redis (for the Redis Storage)

Demo

Author

Felix Sandström http://github.com/felixsand

Special thanks

License

Licensed under the MIT License - see the LICENSE file for details.

The Versions

31/12 2017

dev-master

9999999-dev https://github.com/felixsand/PhPsst

MIT

The Requires

 

The Development Requires

password distribution secret safely

31/12 2017

v1.2.2

1.2.2.0 https://github.com/felixsand/PhPsst

MIT

09/08 2017

v1.2.1

1.2.1.0 https://github.com/felixsand/PhPsst

MIT

05/08 2017

v1.2.0

1.2.0.0 https://github.com/felixsand/PhPsst

MIT

16/07 2016

v1.1.0

1.1.0.0 https://github.com/felixsand/PhPsst

MIT

16/07 2016

v1.0

1.0.0.0 https://github.com/felixsand/PhPsst

MIT

06/06 2016

0.1

0.1.0.0 https://github.com/felixsand/php-pass-dist

MIT