Consuming one-time passwords | laravel-one-time-passwords | Spatie

You are viewing the documentation for **an older version** of this package. You can check the version you are using with the following command:

```
composer show spatie/laravel-one-time-passwords
```

Consuming one-time passwords
============================

The package provides two methods to consume one-time passwords: `attemptLoginUsingOneTimePassword` and `consumeOneTimePassword`. Both verify the given one-time password and return an instance of the `ConsumeOneTimePasswordResult` enum. If the one-time password is correct, the underlying `OneTimePassword` model for that password is deleted, ensuring that a one-time password can only be used once.

By default, a one-time password can only be used on the same origin it was created on. This is to prevent a one-time password from being used on a different device or browser. You can read more about this in the [Enforcing Origin](/docs/laravel-one-time-passwords/v1/configuring-security/enforcing-origin) section.

Consuming one-time passwords
----------------------------

When implementing your login flow using one-time passwords, you can use the `attemptLoginUsingOneTimePassword` method, which verifies the given one-time password and logs in the user.

Here's an example:

```
use Spatie\OneTimePasswords\Enums\ConsumeOneTimePasswordResult;

// $result is an instance of the ConsumeOneTimePasswordResult enum.
$result = $user->attemptLoginUsingOneTimePassword($oneTimePassword, remember: false);

if ($result->isOk()) {
    // It is best practice to regenerate the session ID after a login.
    $request->session()->regenerate();

    return redirect()->intended('dashboard');
}

return back()->withErrors([
    'one_time_password' => $result->validationMessage(),
])->onlyInput('one_time_password');
```

Alternatively, you can use the `consumeOneTimePassword` method, which does the same as `attemptLoginUsingOneTimePassword` except that it won't log in the user.

```
$result = $user->consumeOneTimePassword($oneTimePassword);
```

Inspecting the result
---------------------

Both `attemptLoginUsingOneTimePassword` and `consumeOneTimePassword` will return an instance of the `ConsumeOneTimePasswordResult` enum which has these cases:

- `Ok`: The one-time password was correct.
- `NoOneTimePasswordsFound`: The user has no one-time passwords.
- `IncorrectOneTimePassword`: The one-time password was incorrect.
- `DifferentOrigin`: The one-time password was created from a different origin.
- `OneTimePasswordExpired`: The one-time password has expired.
- `RateLimitExceeded`: The user has exceeded the rate limit for one-time passwords.
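
The following controller is an added example, not code from the package or its documentation. It shows one way to act on the enum cases listed above: the exact case is logged for monitoring, while every failure returns the same message to the client. The controller name, the `App\Models\User` model (assumed to be set up for the package), the form field names and the log event names are assumptions.

```php
<?php

namespace App\Http\Controllers;

use App\Models\User; // assumption: your user model, set up for the package
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Spatie\OneTimePasswords\Enums\ConsumeOneTimePasswordResult;

// Hypothetical controller; not part of the package.
class OneTimePasswordLoginController extends Controller
{
    public function store(Request $request)
    {
        $data = $request->validate([
            'email' => ['required', 'email'],
            'one_time_password' => ['required', 'string'],
        ]);

        $user = User::where('email', $data['email'])->first();

        // Unknown e-mail address: respond exactly as for a wrong code.
        $result = $user
            ? $user->attemptLoginUsingOneTimePassword($data['one_time_password'], remember: false)
            : ConsumeOneTimePasswordResult::IncorrectOneTimePassword;

        if ($result->isOk()) {
            $request->session()->regenerate();

            return redirect()->intended('dashboard');
        }

        // Rate-limit hits and origin mismatches are logged at a higher level
        // than ordinary typos or expired codes.
        $level = match ($result) {
            ConsumeOneTimePasswordResult::RateLimitExceeded,
            ConsumeOneTimePasswordResult::DifferentOrigin => 'warning',
            default => 'info',
        };

        // Record the precise case for monitoring; never log the submitted code.
        Log::log($level, 'otp.login.failed', [
            'result' => $result->name, 'user_id' => $user?->id, 'ip' => $request->ip(),
        ]);

        // One message for every failure, so the response does not reveal which check failed.
        return back()->withErrors([
            'one_time_password' => 'The one-time password is invalid or has expired.',
        ])->onlyInput('email');
    }
}
```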
