@@ -242,32 +242,82 @@ Now when users visit `/login` or are redirected to the login page, they'll see t
242242php artisan vendor:publish --tag=" otpz-config"
243243```
244244
245- Available options:
246-
245+ This is the contents of the published config file:
247246``` php
247+ <?php
248+
248249return [
249- // OTP expiration time in minutes (default: 5)
250- 'expiration' => 5,
250+ /*
251+ |--------------------------------------------------------------------------
252+ | Expiration and Throttling
253+ |--------------------------------------------------------------------------
254+ |
255+ | These settings control the security aspects of the generated codes,
256+ | including their expiration time and the throttling mechanism to prevent
257+ | abuse.
258+ |
259+ */
260+
261+ 'expiration' => 5, // Minutes
251262
252- // Multi-tier rate limiting
253263 'limits' => [
254- ['limit' => 1, 'minutes' => 1], // 1 request per minute
255- ['limit' => 3, 'minutes' => 5], // 3 requests per 5 minutes
256- ['limit' => 5, 'minutes' => 30], // 5 requests per 30 minutes
264+ ['limit' => 1, 'minutes' => 1],
265+ ['limit' => 3, 'minutes' => 5],
266+ ['limit' => 5, 'minutes' => 30],
257267 ],
258268
259- // User model
269+ /*
270+ |--------------------------------------------------------------------------
271+ | Model Configuration
272+ |--------------------------------------------------------------------------
273+ |
274+ | This setting determines the model used by Otpz to store and retrieve
275+ | one-time passwords. By default, it uses the 'App\Models\User' model.
276+ |
277+ */
278+
260279 'models' => [
261280 'authenticatable' => App\Models\User::class,
262281 ],
263282
264- // Custom mailable class
283+ /*
284+ |--------------------------------------------------------------------------
285+ | Mailable Configuration
286+ |--------------------------------------------------------------------------
287+ |
288+ | This setting determines the Mailable class used by Otpz to send emails.
289+ | Change this to your own Mailable class if you want to customize the email
290+ | sending behavior.
291+ |
292+ */
293+
265294 'mailable' => BenBjurstrom\Otpz\Mail\OtpzMail::class,
266295
267- // Email template
296+ /*
297+ |--------------------------------------------------------------------------
298+ | Template Configuration
299+ |--------------------------------------------------------------------------
300+ |
301+ | This setting determines the email template used by Otpz to send emails.
302+ | Switch to 'otpz::mail.notification' if you prefer to use the default
303+ | Laravel notification template.
304+ |
305+ */
306+
268307 'template' => 'otpz::mail.otpz',
308+ // 'template' => 'otpz::mail.notification',
309+
310+ /*
311+ |--------------------------------------------------------------------------
312+ | User Resolver
313+ |--------------------------------------------------------------------------
314+ |
315+ | Defines the class responsible for finding or creating users by email address.
316+ | The default implementation will create a new user when an email doesn't exist.
317+ | Replace with your own implementation for custom user resolution logic.
318+ |
319+ */
269320
270- // User resolver (for finding/creating users by email)
271321 'user_resolver' => BenBjurstrom\Otpz\Actions\GetUserFromEmail::class,
272322];
273323```
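Review bot: the Model Configuration comment block misdescribes `models.authenticatable` as "the model used by Otpz to store and retrieve one-time passwords"; the key names the Authenticatable (user) model that codes are issued to, which is what the removed `// User model` comment said, so reword it to something like `| This setting determines the Authenticatable model that Otpz issues codes to.` Dropping the per-tier comments (`// 1 request per minute`, `// 3 requests per 5 minutes`, `// 5 requests per 30 minutes`) also removes the only explanation of what each tier's `limit` and `minutes` fields mean; the new header block only says "throttling mechanism to prevent abuse", so either restore those inline comments or describe the two fields in the header. Minor: the unchanged context line `vendor:publish --tag=" otpz-config"` shows a space inside the quotes; if that is in the file rather than a rendering artifact, the tag will not match.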
@@ -334,50 +384,6 @@ Update `config/otpz.php`:
334384
335385---
336386
337- ## How It Works
338-
339- ### Security Features
340-
341- 1 . ** Session Locking**
342- - OTPs are tied to the browser session that requested them
343- - Prevents OTP reuse across different browsers/devices
344-
345- 2 . ** Rate Limiting**
346- - Multi-tier throttling prevents abuse
347- - Default: 1/min, 3/5min, 5/30min
348-
349- 3 . ** Signed URLs**
350- - All OTP entry URLs are cryptographically signed
351- - Invalid signatures are rejected
352-
353- 4 . ** Automatic Invalidation**
354- - Used after first successful authentication
355- - Expired after configured time (default: 5 minutes)
356- - Invalidated after 3 failed attempts
357- - Superseded when new OTP is requested
358-
359- ### Architecture
360-
361- ```
362- SendOtp Action
363- ↓
364- Creates OTP → Sends Email
365- ↓
366- User Clicks Link (Signed URL)
367- ↓
368- AttemptOtp Action → Validates:
369- - URL signature
370- - Session ID match
371- - Status (ACTIVE)
372- - Expiration
373- - Attempt count
374- - Code hash
375- ↓
376- Success → User Authenticated
377- ```
378-
379- ---
380-
381387## Testing
382388
383389``` bash
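Review bot: this hunk deletes the whole "How It Works" section with no replacement, and several of the security properties it documented are stated nowhere else in the diff: the binding of a code to the browser session that requested it, the signed-URL check, and "Invalidated after 3 failed attempts" (the published config in the earlier hunk has no attempts key, so this README section was the only place that number appeared). The AttemptOtp validation list (URL signature, session ID match, status ACTIVE, expiration, attempt count, code hash) is exactly what an integrator needs to judge whether the defaults are acceptable. Suggest keeping at least the "Security Features" list (its rate-limit defaults `1/min, 3/5min, 5/30min` match the `limits` array in the config) and, if the README is being shortened, moving the architecture diagram to a separate docs page rather than dropping it.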