https://github.com/j3j5/hmac-bcrypt-laravel
A Laravel implementation of the HMAC-Bcrypt algorithm
hashing-algorithm hmac-bcrypt laravel passwords php
- Host: GitHub
- URL: https://github.com/j3j5/hmac-bcrypt-laravel
- Owner: j3j5
- License: mit
- Created: 2022-09-19T20:58:23.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-06-01T23:52:12.000Z (over 1 year ago)
- Last Synced: 2025-10-19T17:34:12.843Z (4 months ago)
- Topics: hashing-algorithm, hmac-bcrypt, laravel, passwords, php
- Language: PHP
- Size: 77.1 KB
- Stars: 4
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# hmac-bcrypt



This repository contains an implementation of the `hmac-bcrypt` password hashing function for the [Laravel Framework](https://github.com/laravel/laravel). It is based on the reference implementation created by [@epixoip](https://github.com/epixoip) (specifically [the PHP one](https://github.com/epixoip/hmac-bcrypt/blob/main/php/src/)).
If you are asking yourself why, you can read the [technical justification](https://github.com/epixoip/hmac-bcrypt#justification) given for the original implementation.
## Installation
If you want to use it, install it with Composer:
```
composer require j3j5/hmac-bcrypt-laravel
```
## Configuration
In your `config/hashing.php` you can change the driver to `hmac-bcrypt`. For it to work, you need to set a _pepper_, which should be a **unique (per project) secret string**. You have two options: either set `HMAC_BCRYPT_PEPPER` in your `.env` (or as an environment variable), or add the following array to your own `hashing.php` config file:
```php
'hmac-bcrypt' => [
    // Placeholder value: replace it with your project's own secret string
    'pepper' => 'black-pepper',
],
```
The number of rounds used by bcrypt is also customizable. You can set `HMAC_BCRYPT_ROUNDS` in your `.env` (or as an environment variable) or add the key `rounds` to the `hmac-bcrypt` array in your hashing config.
```php
'hmac-bcrypt' => [
    'rounds' => 15,
],
```
## Use
Now you can use it like you would use any other hasher in Laravel:
```php
use Illuminate\Support\Facades\Hash;

$clearTextPass = 'supersecret';
$hash = Hash::make($clearTextPass);
// Now store it in the db
```
Later on...
```php
if (Hash::check($clearTextPass, $hash)) {
    // Here they are! You can log in your user!
    // Check whether your settings have changed since last time
    if (Hash::needsRehash($hash)) {
        $newHash = Hash::make($clearTextPass);
        // Store the new hash in the db
    }
}
```
## Final notes
Although I tried to be very careful and thorough in the implementation, I made this driver for fun, so use it at your own risk. I encourage you to take a dive into the code to make sure I did not miss anything important, or into the tests so you can check for yourself what currently works. Underneath, it uses the native PHP functions `hash_hmac()` (for SHA512) and `crypt()` (for the bcrypt hashing, with a salt generated by `random_bytes()`), so this is not a case of building your own crypto libraries but of using the ones already available.
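
The building blocks named above, combined in an added example that is not this package's code: a pepper-keyed HMAC-SHA512 pre-hash fed to bcrypt through `crypt()`, with the salt taken from `random_bytes()`. It is a simplified sketch rather than the full hmac-bcrypt algorithm, so its hashes are not interchangeable with the driver's; the `demo_*` names, the pepper and the cost are assumptions made for the illustration.

```php
<?php
// Added illustration, not the package's code. Pepper and cost are constructed
// demo values; in an application the pepper comes from the environment.
const DEMO_PEPPER = 'constructed-demo-pepper';
const DEMO_ROUNDS = 10;

function demo_prehash(string $password, string $pepper): string
{
    // Keyed SHA-512 digest, base64-encoded: 88 printable characters and no NUL
    // byte, whatever the password length. bcrypt reads the first 72 of them.
    return base64_encode(hash_hmac('sha512', $password, $pepper, true));
}

function demo_make(string $password, string $pepper, int $rounds): string
{
    // 16 random bytes give the 22 salt characters bcrypt expects; crypt()
    // does not accept '+' in a bcrypt salt, so it is mapped to '.'.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt(demo_prehash($password, $pepper), sprintf('$2y$%02d$%s', $rounds, $salt));
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() rejected the bcrypt settings');
    }
    return $hash;
}

function demo_check(string $password, string $pepper, string $stored): bool
{
    if (strlen($stored) !== 60) {
        return false; // not a bcrypt string, refuse instead of guessing
    }
    // The stored hash carries cost and salt, so it doubles as the settings
    // argument. hash_equals() compares in constant time.
    return hash_equals($stored, crypt(demo_prehash($password, $pepper), $stored));
}

$hash = demo_make('supersecret', DEMO_PEPPER, DEMO_ROUNDS);
var_dump(demo_check('supersecret', DEMO_PEPPER, $hash));    // right password, right pepper
var_dump(demo_check('supersecret', 'other-pepper', $hash)); // right password, wrong pepper
var_dump(demo_check('supersecret!', DEMO_PEPPER, $hash));   // wrong password
```

The second call is the situation after a pepper has been lost or changed: the stored hash no longer verifies even with the correct password, so the pepper needs the same backup and change control as any other key.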