Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message
Log in Register
Home
Packages
Recovery
Assessments

Recovery Laravel Package

pragmarx/recovery

Generate customizable recovery/backup codes for 2FA account recovery. Create arrays, JSON, or (Laravel) Collections, and tune how many codes to make plus blocks and characters per block for your preferred format and length.

View on GitHub
Deep Wiki
Context7

Technical Evaluation

Architecture Fit

  • Use Case Alignment: The pragmarx/recovery package is a lightweight solution for generating TOTP (Time-Based One-Time Password) recovery codes (e.g., backup codes for 2FA). It fits well in systems requiring fallback authentication (e.g., password managers, banking apps, or SaaS platforms with MFA).
  • Laravel Ecosystem Synergy: Integrates seamlessly with Laravel’s built-in authentication stack (e.g., Illuminate\Auth, Laravel\Fortify, or Laravel\Jetstream). Can complement existing MFA solutions like pragmarx/totp-laravel or bacon/bacon-qr-code.
  • Stateless Design: Recovery codes are pre-generated and stored (e.g., in the user’s DB record), avoiding runtime dependencies on external services (unlike SMS/email-based recovery).

Integration Feasibility

  • Minimal Boilerplate: The package provides a RecoveryCodeGenerator class with a single method (generate()), reducing custom implementation effort.
  • Database Schema: Requires a recovery_codes table (or column) in the users table. Laravel’s migrations can handle this with minimal effort.
  • Dependency Lightweight: Only requires PHP 7.4+ and no heavy frameworks (e.g., no Symfony components). Works alongside Laravel’s service container.

Technical Risk

  • Security Risks:
    • Code Storage: Recovery codes must be hashed or encrypted (e.g., using Laravel’s Hash facade or encrypt()) to prevent exposure in DB dumps.
    • Exposure Surface: If codes are leaked (e.g., via SQLi or misconfigured logs), they grant permanent account access. Mitigate with:
      • Rate-limiting on recovery code usage (e.g., via Laravel’s throttle middleware).
      • Auto-revocation after first use (or after N uses).
    • Deprecated Package: Last release in 2021 raises concerns about:
      • Unpatched vulnerabilities (e.g., if underlying paragonie/random_compat is outdated).
      • Lack of PHP 8.2+ compatibility (though likely works, untested).
  • Functional Gaps:
    • No built-in UI components for code display/input (must integrate with Blade/Livewire/Inertia).
    • No audit logging for recovery code usage (requires custom middleware).

Key Questions

  1. Security Hardening:
    • How will recovery codes be stored (hashed? encrypted?) and who has access to the decryption key?
    • What’s the revocation strategy (e.g., single-use, time-based expiry)?
  2. User Experience:
    • How will codes be delivered to users (e.g., email, in-app display)?
    • Is there a self-service recovery code regeneration flow?
  3. Compliance:
    • Does the system require GDPR/CCPA compliance for recovery code storage? (Codes may be considered PII.)
  4. Testing:
    • Are there fuzz tests for code generation (e.g., collision resistance)?
    • How will failed recovery attempts be logged/blocked?

Integration Approach

Stack Fit

  • Laravel Native: Works out-of-the-box with Laravel’s:
    • Authentication: Integrate with AuthenticatesUsers trait or custom guards.
    • Migrations: Add a recovery_codes JSON column to the users table.
    • Events: Trigger recovery-codes-generated events for logging/notifications.
  • Frontend Agnostic: Compatible with:
    • Blade: Render codes in a modal (e.g., after MFA setup).
    • Livewire/Inertia: Dynamic code display/input.
    • APIs: Return codes as JSON for mobile apps.

Migration Path

  1. Phase 1: Proof of Concept
    • Add the package via Composer: 
      composer require pragmarx/recovery
    • Create a migration to store codes (e.g., as a JSON array): 
      Schema::table('users', function (Blueprint $table) {
    $table->json('recovery_codes')->nullable();
});
    • Generate codes in a RegisterUser or UpdateProfile command: 
      $generator = new \Pragmarx\Recovery\RecoveryCodeGenerator();
$user->recovery_codes = $generator->generate(10); // 10 codes
$user->save();
  2. Phase 2: Security Layer
    • Encrypt codes before storage: 
      $user->recovery_codes = array_map(
    fn($code) => \Illuminate\Support\Facades\Crypt::encrypt($code),
    $generator->generate(10)
);
    • Add middleware to validate/revoke codes: 
      Route::post('/recover', function (Request $request) {
    $valid = $this->validateRecoveryCode($request->code);
    if (!$valid) abort(403);
    // Proceed with recovery...
});
  3. Phase 3: UI/UX
    • Display codes in a secure modal (e.g., after MFA setup).
    • Add a "regenerate codes" endpoint (with rate-limiting).

Compatibility

  • Laravel Versions: Tested with Laravel 7/8 (2021 release). May need minor adjustments for Laravel 10+ (e.g., PHP 8.2 syntax).
  • Database: Works with MySQL, PostgreSQL, SQLite (JSON support required).
  • Alternatives: If risks are prohibitive, consider:
    • Custom Implementation: Use random_bytes() + bcrypt for code generation.
    • Existing Packages: spatie/laravel-2fa (includes recovery codes).

Sequencing

  1. Pre-requisite: Ensure TOTP/MFA is already implemented (e.g., pragmarx/totp-laravel).
  2. Parallel Work:
    • Develop recovery code storage logic.
    • Build the recovery flow (e.g., /recover route).
  3. Post-Integration:
    • Write tests for code generation/validation.
    • Audit logs for recovery usage.

Operational Impact

Maintenance

  • Low Overhead: Package requires no updates (abandonware risk mitigated by custom logic).
  • Custom Logic: Most maintenance will be in:
    • Code Storage: Encryption/decryption logic.
    • Validation: Middleware for rate-limiting/revocation.
  • Deprecation Risk: Monitor for forks or alternative packages (e.g., spatie/laravel-2fa).

Support

  • Debugging:
    • Code Leaks: Monitor for exposed codes in logs/DB backups.
    • Generation Failures: Ensure random_bytes() isn’t blocked by PHP policies.
  • User Support:
    • Document recovery code safety (e.g., "never share these codes").
    • Provide clear instructions for regeneration (e.g., "lost codes? Contact support").

Scaling

  • Performance: Code generation is O(1); storage is DB-dependent.
    • For high-scale systems, consider:
      • Caching: Cache encrypted codes in Redis (if regeneration is rare).
      • Sharding: Distribute recovery code storage if using a microservice architecture.
  • Database Load: Minimal; only affected by code storage/retrieval.

Failure Modes

Failure Scenario Impact Mitigation
Database corruption Lost recovery codes Regular backups + encrypted storage
Code exposure (e.g., SQLi) Account compromise Input sanitization + rate-limiting
Package vulnerabilities Predictable codes Custom implementation or fork
User loses all recovery codes Account lockout Admin recovery flow (with MFA)

Ramp-Up

  • Developer Onboarding:
    • 1–2 hours: Understand code generation/storage logic.
    • 4–8 hours: Implement UI flow + security layers.
  • Testing Checklist:
    • Codes are unpredictable (test with entropy checks).
    • Codes expire/revoke after use.
    • UI hides codes securely (e.g., no screenshot leakage).
  • Rollout Strategy:
    • Pilot: Enable for a subset of users (e.g., admins).
    • Monitor: Track recovery usage rates and failures.
    • Iterate: Add features like email-based recovery if needed.
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
davejamesmiller/laravel-breadcrumbs
artisanry/parsedown
bower-asset/punycode
bower-asset/inputmask
bower-asset/jquery
bower-asset/yii2-pjax
laravel/nova
spatie/laravel-mailcoach
spatie/laravel-superseeder
laravel/liferaft
nst/json-test-suite
danielmiessler/sec-lists
jackalope/jackalope-transport
twbs/bootstrap4
php-http/client-implementation
phpcr/phpcr-implementation
cucumber/gherkin-monorepo
haydenpierce/class-finder
psr/simple-cache-implementation
uri-template/tests