Enforcing origin | laravel-one-time-passwords | Spatie

You are viewing the documentation for **an older version** of this package. You can check the version you are using with the following command:

`composer show spatie/laravel-one-time-passwords`

Enforcing origin
================


By default, the package will only accept a one-time password if the request is coming from the same origin as the page that generated it.

The origin is determined by looking at the IP address of the request and the user agent. This is implemented in the `Spatie\OneTimePasswords\Support\OriginInspector\DefaultOriginEnforcer` class.

Customizing the origin enforcement
----------------------------------

You can override this behavior by implementing your own `OriginEnforcer` class. This class should implement the `Spatie\OneTimePasswords\Support\OriginInspector\OriginEnforcer` interface.

This is what that interface looks like:

```
use Illuminate\Http\Request;
use Spatie\OneTimePasswords\Models\OneTimePassword;

interface OriginEnforcer
{
    /** @return array */
    public function gatherProperties(Request $request): array;

    public function verifyProperties(OneTimePassword $oneTimePassword, Request $request): bool;
}
```

The `gatherProperties` method should return an array of properties that will be used to identify the origin of the request. The `verifyProperties` method should return `true` if the properties match, and `false` otherwise.

To see an example, take a look at the `Spatie\OneTimePasswords\Support\OriginInspector\DefaultOriginEnforcer` class in the package's source code.
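As an added illustration (not code from the package), here is a custom enforcer that requires the same user agent and an IP address in the same /24 (IPv4) or /64 (IPv6) network, for clients whose address changes between requesting and submitting the password. The class name, namespace, property keys and prefix sizes are hypothetical, and reading the stored values from an `origin_properties` attribute on the model is an assumption to confirm against `DefaultOriginEnforcer`.

```php
<?php

namespace App\Support; // hypothetical location in your application

use Illuminate\Http\Request;
use Spatie\OneTimePasswords\Models\OneTimePassword;
use Spatie\OneTimePasswords\Support\OriginInspector\OriginEnforcer;
use Symfony\Component\HttpFoundation\IpUtils;

// Hypothetical enforcer: same user agent, and an IP in the same /24 (IPv4)
// or /64 (IPv6) network as the request that asked for the password.
class SubnetOriginEnforcer implements OriginEnforcer
{
    public function gatherProperties(Request $request): array
    {
        return [
            'ip' => $request->ip(),
            // Store a digest so the raw header is not kept and its size is bounded.
            'userAgentHash' => hash('sha256', (string) $request->userAgent()),
        ];
    }

    public function verifyProperties(OneTimePassword $oneTimePassword, Request $request): bool
    {
        // Assumption: the package stores the gatherProperties() result on the
        // model as `origin_properties`; confirm in DefaultOriginEnforcer.
        $stored = $oneTimePassword->origin_properties ?? [];
        $current = $this->gatherProperties($request);

        // Fail closed when any stored or current property is missing.
        if (! is_string($stored['ip'] ?? null)
            || ! is_string($stored['userAgentHash'] ?? null)
            || $current['ip'] === null) {
            return false;
        }

        if (! hash_equals($stored['userAgentHash'], $current['userAgentHash'])) {
            return false;
        }

        $prefix = str_contains($stored['ip'], ':') ? 64 : 24;

        return IpUtils::checkIp($current['ip'], $stored['ip'].'/'.$prefix);
    }
}

// config/one-time-passwords.php
// 'origin_enforcer' => App\Support\SubnetOriginEnforcer::class,
```

Behind a load balancer or reverse proxy, `$request->ip()` only reflects the client address when Laravel's trusted proxies are configured; otherwise every request carries the proxy's IP and the check reduces to the user agent.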

Disabling the origin enforcement
--------------------------------

If you want to disable the origin enforcement, you can do so by setting the `origin_enforcer` config option to `Spatie\OneTimePasswords\Support\OriginInspector\DoNotEnforceOrigin` in the `one-time-passwords.php` file:

```
// config/one-time-passwords.php

return [
    // ...

    'origin_enforcer' => Spatie\OneTimePasswords\Support\OriginInspector\DoNotEnforceOrigin::class,
];
```
