chillerlan
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 46 additions & 3 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 46 additions & 3 deletions
diff --git a/‎.phan/config.php‎
Lines changed: 58 additions & 0 deletions b/‎.phan/config.php‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 49 additions & 27 deletions b/‎README.md‎
Lines changed: 49 additions & 27 deletions
diff --git a/‎composer.json‎
Lines changed: 11 additions & 4 deletions b/‎composer.json‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎examples/battlenet.php‎
Lines changed: 46 additions & 0 deletions b/‎examples/battlenet.php‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎examples/hotp.php‎
Lines changed: 3 additions & 3 deletions b/‎examples/hotp.php‎
Lines changed: 3 additions & 3 deletions
@@ -13,8 +13,49 @@ name: "Continuous Integration"
 
 jobs:
 
+  static-code-analysis:
+    name: "Static Code Analysis"
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: true
+      matrix:
+        php-version:
+          - "7.2"
+          - "7.3"
+          - "7.4"
+          - "8.0"
+          - "8.1"
+          - "8.2"
+          - "8.3"
+
+    env:
+      PHAN_ALLOW_XDEBUG: 0
+      PHAN_DISABLE_XDEBUG_WARN: 1
+
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v3
+
+      - name: "Install PHP"
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-version }}
+          tools: pecl
+          coverage: none
+          extensions: ast, curl, gmp, json, sodium
+
+      - name: "Install dependencies with composer"
+        uses: ramsey/composer-install@v2
+
+      - name: "Run phan"
+        run: php vendor/bin/phan
+
+
   tests:
     name: "Unit Tests"
+    needs: static-code-analysis
     runs-on: ${{ matrix.os }}
 
     strategy:
@@ -24,11 +65,13 @@ jobs:
           - ubuntu-latest
           - windows-latest
         php-version:
-          - "7.0"
-          - "7.1"
           - "7.2"
           - "7.3"
           - "7.4"
+          - "8.0"
+          - "8.1"
+          - "8.2"
+          - "8.3"
 
     steps:
       - name: "Checkout"
@@ -39,7 +82,7 @@ jobs:
         with:
           php-version: ${{ matrix.php-version }}
           coverage: xdebug
-          extensions: ast
+          extensions: curl, gmp, json, sodium
 
       - name: "Install dependencies with composer"
         uses: ramsey/composer-install@v2
 
@@ -0,0 +1,58 @@
+<?php
+/**
+ * This configuration will be read and overlaid on top of the
+ * default configuration. Command-line arguments will be applied
+ * after this file is read.
+ */
+return [
+	// Supported values: `'5.6'`, `'7.0'`, `'7.1'`, `'7.2'`, `'7.3'`,
+	// `'7.4'`, `null`.
+	// If this is set to `null`,
+	// then Phan assumes the PHP version which is closest to the minor version
+	// of the php executable used to execute Phan.
+	//
+	// Note that the **only** effect of choosing `'5.6'` is to infer
+	// that functions removed in php 7.0 exist.
+	// (See `backward_compatibility_checks` for additional options)
+	'target_php_version' => null,
+	'minimum_target_php_version' => '7.2',
+
+	// A list of directories that should be parsed for class and
+	// method information. After excluding the directories
+	// defined in exclude_analysis_directory_list, the remaining
+	// files will be statically analyzed for errors.
+	//
+	// Thus, both first-party and third-party code being used by
+	// your application should be included in this list.
+	'directory_list' => [
+		'examples',
+		'src',
+		'tests',
+		'vendor',
+	],
+
+	// A regex used to match every file name that you want to
+	// exclude from parsing. Actual value will exclude every
+	// "test", "tests", "Test" and "Tests" folders found in
+	// "vendor/" directory.
+	'exclude_file_regex' => '@^vendor/.*/(tests?|Tests?)/@',
+
+	// A directory list that defines files that will be excluded
+	// from static analysis, but whose class and method
+	// information should be included.
+	//
+	// Generally, you'll want to include the directories for
+	// third-party code (such as "vendor/") in this list.
+	//
+	// n.b.: If you'd like to parse but not analyze 3rd
+	//       party code, directories containing that code
+	//       should be added to both the `directory_list`
+	//       and `exclude_analysis_directory_list` arrays.
+	'exclude_analysis_directory_list' => [
+		'vendor/',
+	],
+	'suppress_issue_types' => [
+		'PhanAccessMethodInternal',
+		'PhanDeprecatedFunction',
+	],
+];
@@ -18,18 +18,22 @@ A generator for counter based ([RFC 4226](https://tools.ietf.org/html/rfc4226))
 
 # Documentation
 ## Requirements
-- PHP 7.0+
+- PHP 7.2+
+  - [`ext-curl`](https://www.php.net/manual/book.curl) for Battle.net and Steam Guard server time synchronization
+  - [`ext-gmp`](https://www.php.net/manual/book.gmp) for Battle.net authenticator secret retrieval (RSA encryption)
+  - [`ext-sodium`](https://www.php.net/manual/book.sodium) for constant time implementations of base64 encode/decode and hex2bin/bin2hex
+    ([`paragonie/constant_time_encoding`](https://github.com/paragonie/constant_time_encoding) is used as fallback)
 
 ## Installation
 **requires [composer](https://getcomposer.org)**
 
 via terminal: `composer require chillerlan/php-authenticator`
 
-*composer.json* (note: replace `dev-main` with a [version constraint](https://getcomposer.org/doc/articles/versions.md#writing-version-constraints), e.g. `^2.1` - see [releases](https://github.com/chillerlan/php-authenticator/releases) for valid versions)
+*composer.json* (note: replace `dev-main` with a [version constraint](https://getcomposer.org/doc/articles/versions.md#writing-version-constraints), e.g. `^3.1` - see [releases](https://github.com/chillerlan/php-authenticator/releases) for valid versions)
 ```json
 {
 	"require": {
-		"php": "^7.0",
+		"php": "^7.2 || ^8.0",
 		"chillerlan/php-authenticator": "dev-main"
 	}
 }
@@ -43,12 +47,15 @@ The secret is usually being created once during the activation process in a user
 So all you need to do there is to display it to the user in a convenient way -
 as a text string and QR code for example - and save it somewhere with the user data.
 ```php
-use chillerlan\Authenticator\Authenticator;
+use chillerlan\Authenticator\{Authenticator, AuthenticatorOptions};
 
-$authenticator = new Authenticator;
+$options = new AuthenticatorOptions;
+$options->secret_length = 32;
+
+$authenticator = new Authenticator($options);
 // create a secret (stored somewhere in a *safe* place on the server. safe... hahaha jk)
 $secret = $authenticator->createSecret();
-// you can also specify the length of the secret key
+// you can also specify the length of the secret key, which overrides the options setting
 $secret = $authenticator->createSecret(20);
 // set an existing secret
 $authenticator->setSecret($secret);
@@ -71,25 +78,23 @@ if($authenticator->verify($otp)){
 #### time based (TOTP)
 Verify adjacent codes
 ```php
- // $period value from options
-$period = 30;
 // try the first adjacent
-$authenticator->verify($otp, time() - $period); // -> true
+$authenticator->verify($otp, time() - $options->period); // -> true
 // try the second adjacent, default is 1
-$authenticator->verify($otp, time() + 2 * $period); // -> false
+$authenticator->verify($otp, time() + 2 * $options->period); // -> false
 // allow 2 adjacent codes
-$authenticator->setOptions(['adjacent' => 2]);
-$authenticator->verify($otp, time() + 2 * $period); // -> true
+$options->adjacent = 2;
+$authenticator->verify($otp, time() + 2 * $options->period); // -> true
 ```
 
 #### counter based (HOTP)
 ```php
 // switch mode to HOTP
-$authenticator->setOptions(['mode' => AuthenticatorInterface::HOTP]);
+$options->mode = AuthenticatorInterface::HOTP;
 // user sends the OTP for code #42, which is equivalent to
 $otp = $authenticator->code(42); // -> 123456
 // verify [123456, 42]
-$authenticator->verify($otp, $counterValueFromUserDatabase); // -> true
+$authenticator->verify($otp, $counterValueFromUserDatabase) // -> true
 ```
 
 ### URI creation
@@ -107,25 +112,39 @@ Keep in mind that several URI settings are not (yet) recognized by all authentic
 
 ```php
 // code length, currently 6 or 8
-$authenticator->setOptions(['digits' => 8]);
+$options->digits = 8;
 // valid period between 15 and 60 seconds
-$authenticator->setOptions(['period' => 45]);
+$options->period = 45;
 // set the HMAC hash algorithm
-$authenticator->setOptions(['algorithm' => AuthenticatorInterface::ALGO_SHA512]);
+$options->algorithm = AuthenticatorInterface::ALGO_SHA512;
 ```
 
 ## API
 ### `Authenticator`
-| method                                                                                      | return           | description                                                      |
-|---------------------------------------------------------------------------------------------|------------------|------------------------------------------------------------------|
-| `__construct(array $options = null, string $secret = null)`                                 | -                |                                                                  |
-| `setOptions(array $options)`                                                                | `Authenticator`  | called internally by `__construct()`                             |
-| `setSecret(string $secret)`                                                                 | `Authenticator`  | called internally by `__construct()`                             |
-| `getSecret()`                                                                               | `string`         |                                                                  |
-| `createSecret(int $length = null)`                                                          | `string`         | `$length` overrides `$options` setting                           |
-| `code(int $data = null)`                                                                    | `string`         | `$data` may be a UNIX timestamp (TOTP) or a counter value (HOTP) |
-| `verify(string $otp, int $data = null)`                                                     | `bool`           | for `$data` see `Authenticator::code()`                          |
-| `getUri(string $label, string $issuer, int $hotpCounter = null, bool $omitSettings = null)` | `string`         |                                                                  |
+| method                                                                                      | return          | description                                                      |
+|---------------------------------------------------------------------------------------------|-----------------|------------------------------------------------------------------|
+| `__construct(SettingsContainerInterface $options = null, string $secret = null)`            | -               |                                                                  |
+| `setOptions(SettingsContainerInterface $options)`                                           | `Authenticator` | called internally by `__construct()`                             |
+| `setSecret(string $secret)`                                                                 | `Authenticator` | called internally by `__construct()`                             |
+| `getSecret()`                                                                               | `string`        |                                                                  |
+| `createSecret(int $length = null)`                                                          | `string`        | `$length` overrides `AuthenticatorOptions` setting               |
+| `code(int $data = null)`                                                                    | `string`        | `$data` may be a UNIX timestamp (TOTP) or a counter value (HOTP) |
+| `verify(string $otp, int $data = null)`                                                     | `bool`          | for `$data` see `Authenticator::code()`                          |
+| `getUri(string $label, string $issuer, int $hotpCounter = null, bool $omitSettings = null)` | `string`        |                                                                  |
+
+### `AuthenticatorOptions`
+#### Properties
+| property            | type     | default | allowed                                | description                                                                     |
+|---------------------|----------|---------|----------------------------------------|---------------------------------------------------------------------------------|
+| `$digits`           | `int`    | 6       | 6 or 8                                 | auth code length                                                                |
+| `$period`           | `int`    | 30      | 15 - 60                                | validation period (seconds)                                                     |
+| `$secret_length`    | `int`    | 20      | &gt;= 16                               | length of the secret phrase (bytes, unencoded binary)                           |
+| `$algorithm`        | `string` | `SHA1`  | `SHA1`, `SHA256` or `SHA512`           | HMAC hash algorithm, see `AuthenticatorInterface::HASH_ALGOS`                   |
+| `$mode`             | `string` | `totp`  | `totp`, `hotp`, `battlenet` or `steam` | authenticator mode: time- or counter based, see `AuthenticatorInterface::MODES` |
+| `$adjacent`         | `int`    | 1       | &gt;= 0                                | number of allowed adjacent codes                                                |
+| `$time_offset`      | `int`    | 0       | *                                      | fixed time offset that will be added to the current time value                  |
+| `$useLocalTime`     | `bool`   | true    | *                                      | whether to use local time or request server time                                |
+| `$forceTimeRefresh` | `bool`   | false   | *                                      | whether to force refreshing server time on each call                            |
 
 ### `AuthenticatorInterface`
 #### Methods
@@ -135,6 +154,7 @@ $authenticator->setOptions(['algorithm' => AuthenticatorInterface::ALGO_SHA512])
 | `setSecret(string $encodedSecret)`                | `AuthenticatorInterface` |             |
 | `getSecret()`                                     | `string`                 |             |
 | `createSecret(int $length = null)`                | `string`                 |             |
+| `getServertime()`                                 | `int`                    |             |
 | `getCounter(int $data = null)`                    | `int`                    | internal    |
 | `getHMAC(int $counter)`                           | `string`                 | internal    |
 | `getCode(string $hmac)`                           | `int`                    | internal    |
@@ -147,6 +167,8 @@ $authenticator->setOptions(['algorithm' => AuthenticatorInterface::ALGO_SHA512])
 |---------------|----------|-----------------------------------|
 | `TOTP`        | `string` |                                   |
 | `HOTP`        | `string` |                                   |
+| `STEAM_GUARD` | `string` |                                   |
+| `BATTLE_NET`  | `string` |                                   |
 | `ALGO_SHA1`   | `string` |                                   |
 | `ALGO_SHA256` | `string` |                                   |
 | `ALGO_SHA512` | `string` |                                   |
 
@@ -1,6 +1,6 @@
 {
 	"name": "chillerlan/php-authenticator",
-	"description": "A generator for counter- and time based 2-factor authentication codes (Google Authenticator). PHP 7.0+",
+	"description": "A generator for counter- and time based 2-factor authentication codes (Google Authenticator). PHP 7.2+",
 	"homepage": "https://github.com/chillerlan/php-authenticator",
 	"license": "MIT",
 	"type": "library",
@@ -21,12 +21,18 @@
 	"minimum-stability": "stable",
 	"prefer-stable": true,
 	"require": {
-		"php": "^7.0",
+		"php": "^7.2 || ^8.0",
+		"chillerlan/php-settings-container": "^1.2.2 || ^2.1.4 || ^3.0",
 		"paragonie/constant_time_encoding": "^2.6"
 	},
 	"require-dev": {
+		"ext-curl": "*",
+		"ext-gmp": "*",
+		"ext-json": "*",
+		"ext-sodium": "*",
+		"phan/phan": "^5.4",
 		"phpmd/phpmd": "^2.13",
-		"phpunit/phpunit": "^6.5 || ^7.5",
+		"phpunit/phpunit": "^8.5 || ^9.6",
 		"squizlabs/php_codesniffer": "^3.7"
 	},
 	"suggest": {
@@ -43,7 +49,8 @@
 		}
 	},
 	"scripts": {
-		"phpunit": "@php vendor/bin/phpunit"
+		"phpunit": "@php vendor/bin/phpunit",
+		"phan": "@php vendor/bin/phan --allow-polyfill-parser"
 	},
 	"config": {
 		"lock": false,
 
@@ -0,0 +1,46 @@
+<?php
+/**
+ * Battle.net example
+ *
+ * @created      28.06.2023
+ * @author       Smiley <smiley@chillerlan.net>
+ * @copyright    2023 Smiley
+ * @license      MIT
+ */
+
+use chillerlan\Authenticator\{Authenticator, AuthenticatorOptions, Authenticators\BattleNet};
+use chillerlan\Authenticator\Authenticators\AuthenticatorInterface;
+
+require_once '../vendor/autoload.php';
+
+$options = new AuthenticatorOptions([
+	// switch mode to BATTLE_NET
+	'mode' => AuthenticatorInterface::BATTLE_NET,
+]);
+
+$auth = new Authenticator($options);
+
+// set a secret - Battle.net secrets come as hex strings (20 byte, 40 chars)
+$secret = $auth->setSecret('3132333435363738393031323334353637383930');
+// get a one time code
+$code = $auth->code();
+var_dump($code);
+// verify the current code
+var_dump($auth->verify($code)); // -> true
+// previous code
+var_dump($auth->verify($code, time() - $options->period)); // -> true
+// 2nd adjacent is invalid
+var_dump($auth->verify($code, time() + 2 * $options->period)); // -> false
+// allow 2 adjacent codes
+$options->adjacent = 2;
+var_dump($auth->verify($code, time() + 2 * $options->period)); // -> true
+
+// request a new authenticator from the Battle.net API
+// this requires the BattleNet class to be invoked directly as we're using non-interface methods for this
+$auth = new BattleNet;
+$data = $auth->createAuthenticator('EU');
+// the serial can be used to attach this authenticator to an existing Battle.net account
+var_dump($data);
+// it's also possible to retreive an authenticator secret from an existing serial and restore code, e.g. from WinAuth
+$data = $auth->restoreSecret($data['serial'], $data['restore_code']);
+var_dump($data);
@@ -8,19 +8,19 @@
  * @license      MIT
  */
 
-use chillerlan\Authenticator\Authenticator;
+use chillerlan\Authenticator\{Authenticator, AuthenticatorOptions};
 use chillerlan\Authenticator\Authenticators\AuthenticatorInterface;
 
 require_once '../vendor/autoload.php';
 
-$options = [
+$options = new AuthenticatorOptions([
 	// switch mode to HOTP
 	'mode'      => AuthenticatorInterface::HOTP,
 	// change the code length
 	'digits'    => 8,
 	// set the HMAC hash algo
 	'algorithm' => AuthenticatorInterface::ALGO_SHA256,
-];
+]);
 
 $auth = new Authenticator($options);