Misterzym
/
CodeIgniter-Aauth
mirror of https://github.com/misterzym/CodeIgniter-Aauth.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

added Time-Based One-Time Password

develop
Raphael Jackstadt 10 years ago
parent
f0f781dfca
commit
98f0a74457
5 changed files with 254 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      application/config/aauth.php
  2. 208
      application/helpers/googleauthenticator_helper.php
  3. 4
      application/language/english/aauth_lang.php
  4. 41
      application/libraries/Aauth.php
  5. 1
      sql/Aauth_v2.sql

1
application/config/aauth.php
Unescape View File

@ -57,6 +57,7 @@ $config['aauth']['recaptcha_login_attempts'] = 4;
$config['aauth']['recaptcha_siteKey'] = ''; $config['aauth']['recaptcha_siteKey'] = '';
$config['aauth']['recaptcha_secret'] = ''; $config['aauth']['recaptcha_secret'] = '';
$config['aauth']['totp_active'] = true;
// login attempts time interval // login attempts time interval
// default 20 times in one hour // default 20 times in one hour
$config['aauth']['max_login_attempt'] = 10; $config['aauth']['max_login_attempt'] = 10;

208
application/helpers/googleauthenticator_helper.php
Unescape View File

@ -0,0 +1,208 @@
<?php
/**
* PHP Class for handling Google Authenticator 2-factor authentication
*
* @author Michael Kliewe
* @copyright 2012 Michael Kliewe
* @license http://www.opensource.org/licenses/bsd-license.php BSD License
* @link http://www.phpgangsta.de/
*/
class PHPGangsta_GoogleAuthenticator
{
protected $_codeLength = 6;
/**
* Create new secret.
* 16 characters, randomly chosen from the allowed base32 characters.
*
* @param int $secretLength
* @return string
*/
public function createSecret($secretLength = 16)
{
$validChars = $this->_getBase32LookupTable();
unset($validChars[32]);
$secret = '';
for ($i = 0; $i < $secretLength; $i++) {
$secret .= $validChars[array_rand($validChars)];
}
return $secret;
}
/**
* Calculate the code, with given secret and point in time
*
* @param string $secret
* @param int|null $timeSlice
* @return string
*/
public function getCode($secret, $timeSlice = null)
{
if ($timeSlice === null) {
$timeSlice = floor(time() / 30);
}
$secretkey = $this->_base32Decode($secret);
// Pack time into binary string
$time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);
// Hash it with users secret key
$hm = hash_hmac('SHA1', $time, $secretkey, true);
// Use last nipple of result as index/offset
$offset = ord(substr($hm, -1)) & 0x0F;
// grab 4 bytes of the result
$hashpart = substr($hm, $offset, 4);
// Unpak binary value
$value = unpack('N', $hashpart);
$value = $value[1];
// Only 32 bits
$value = $value & 0x7FFFFFFF;
$modulo = pow(10, $this->_codeLength);
return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT);
}
/**
* Get QR-Code URL for image, from google charts
*
* @param string $name
* @param string $secret
* @param string $title
* @return string
*/
public function getQRCodeGoogleUrl($name, $secret, $title = null) {
$urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');
if(isset($title)) {
$urlencoded .= urlencode('&issuer='.urlencode($title));
}
return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl='.$urlencoded.'';
}
/**
* Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now
*
* @param string $secret
* @param string $code
* @param int $discrepancy This is the allowed time drift in 30 second units (8 means 4 minutes before or after)
* @param int|null $currentTimeSlice time slice if we want use other that time()
* @return bool
*/
public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null)
{
if ($currentTimeSlice === null) {
$currentTimeSlice = floor(time() / 30);
}
for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
$calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
if ($calculatedCode == $code ) {
return true;
}
}
return false;
}
/**
* Set the code length, should be >=6
*
* @param int $length
* @return PHPGangsta_GoogleAuthenticator
*/
public function setCodeLength($length)
{
$this->_codeLength = $length;
return $this;
}
/**
* Helper class to decode base32
*
* @param $secret
* @return bool|string
*/
protected function _base32Decode($secret)
{
if (empty($secret)) return '';
$base32chars = $this->_getBase32LookupTable();
$base32charsFlipped = array_flip($base32chars);
$paddingCharCount = substr_count($secret, $base32chars[32]);
$allowedValues = array(6, 4, 3, 1, 0);
if (!in_array($paddingCharCount, $allowedValues)) return false;
for ($i = 0; $i < 4; $i++){
if ($paddingCharCount == $allowedValues[$i] &&
substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) return false;
}
$secret = str_replace('=','', $secret);
$secret = str_split($secret);
$binaryString = "";
for ($i = 0; $i < count($secret); $i = $i+8) {
$x = "";
if (!in_array($secret[$i], $base32chars)) return false;
for ($j = 0; $j < 8; $j++) {
$x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
}
$eightBits = str_split($x, 8);
for ($z = 0; $z < count($eightBits); $z++) {
$binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ? $y:"";
}
}
return $binaryString;
}
/**
* Helper class to encode base32
*
* @param string $secret
* @param bool $padding
* @return string
*/
protected function _base32Encode($secret, $padding = true)
{
if (empty($secret)) return '';
$base32chars = $this->_getBase32LookupTable();
$secret = str_split($secret);
$binaryString = "";
for ($i = 0; $i < count($secret); $i++) {
$binaryString .= str_pad(base_convert(ord($secret[$i]), 10, 2), 8, '0', STR_PAD_LEFT);
}
$fiveBitBinaryArray = str_split($binaryString, 5);
$base32 = "";
$i = 0;
while ($i < count($fiveBitBinaryArray)) {
$base32 .= $base32chars[base_convert(str_pad($fiveBitBinaryArray[$i], 5, '0'), 2, 10)];
$i++;
}
if ($padding && ($x = strlen($binaryString) % 40) != 0) {
if ($x == 8) $base32 .= str_repeat($base32chars[32], 6);
elseif ($x == 16) $base32 .= str_repeat($base32chars[32], 4);
elseif ($x == 24) $base32 .= str_repeat($base32chars[32], 3);
elseif ($x == 32) $base32 .= $base32chars[32];
}
return $base32;
}
/**
* Get array with all 32 characters for decoding from/encoding to base32
*
* @return array
*/
protected function _getBase32LookupTable()
{
return array(
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', // 7
'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
'=' // padding char
);
}
}

4
application/language/english/aauth_lang.php
Unescape View File

@ -25,6 +25,9 @@ $lang['aauth_error_email_invalid'] = 'Invalid e-mail address';
$lang['aauth_error_password_invalid'] = 'Invalid password'; $lang['aauth_error_password_invalid'] = 'Invalid password';
$lang['aauth_error_username_invalid'] = 'Invalid Username'; $lang['aauth_error_username_invalid'] = 'Invalid Username';
$lang['aauth_error_username_required'] = 'Username required'; $lang['aauth_error_username_required'] = 'Username required';
$lang['aauth_error_totp_code_required'] = 'TOTP Code required';
$lang['aauth_error_totp_code_invalid'] = 'Invalid TOTP Code';
// Access errors // Access errors
$lang['aauth_error_no_access'] = 'Sorry, you do not have access to the resource you requested.'; $lang['aauth_error_no_access'] = 'Sorry, you do not have access to the resource you requested.';
@ -33,7 +36,6 @@ $lang['aauth_error_login_failed_name'] = 'Username and Password do not match.';
$lang['aauth_error_login_attempts_exceeded'] = 'You have exceeded your login attempts, your account has now been locked.'; $lang['aauth_error_login_attempts_exceeded'] = 'You have exceeded your login attempts, your account has now been locked.';
$lang['aauth_error_recaptcha_not_correct'] = 'Sorry, the reCAPTCHA text entered was incorrect.'; $lang['aauth_error_recaptcha_not_correct'] = 'Sorry, the reCAPTCHA text entered was incorrect.';
// Misc. errors // Misc. errors
$lang['aauth_error_no_user'] = 'User does not exist'; $lang['aauth_error_no_user'] = 'User does not exist';
$lang['aauth_error_account_not_verified'] = 'Your account has not been verified. Please check your e-mail and verify your account.'; $lang['aauth_error_account_not_verified'] = 'Your account has not been verified. Please check your e-mail and verify your account.';

41
application/libraries/Aauth.php
Unescape View File

@ -102,6 +102,7 @@ class Aauth {
$this->CI->load->helper('email'); $this->CI->load->helper('email');
$this->CI->load->helper('language'); $this->CI->load->helper('language');
$this->CI->load->helper('recaptchalib'); $this->CI->load->helper('recaptchalib');
$this->CI->load->helper('googleauthenticator_helper');
$this->CI->lang->load('aauth'); $this->CI->lang->load('aauth');
// config/aauth.php // config/aauth.php
@ -129,7 +130,7 @@ class Aauth {
* @param bool $remember * @param bool $remember
* @return bool Indicates successful login. * @return bool Indicates successful login.
*/ */
public function login($identifier, $pass, $remember = FALSE) { public function login($identifier, $pass, $remember = FALSE, $totp_code = NULL) {
// Remove cookies first // Remove cookies first
$cookie = array( $cookie = array(
@ -235,6 +236,25 @@ class Aauth {
} }
} }
if($this->config_vars['totp_active'] == TRUE){
$query = null;
$query = $this->aauth_db->where($db_identifier, $identifier);
$query = $this->aauth_db->where('totp_secret !=', '');
$query = $this->aauth_db->get($this->config_vars['users']);
$totp_secret = $query->row()->totp_secret;
if ($query->num_rows() > 0 AND !$totp_code) {
$this->error($this->CI->lang->line('aauth_error_totp_code_required'));
return FALSE;
}else if ($query->num_rows() > 0 AND $totp_code) {
$ga = new PHPGangsta_GoogleAuthenticator();
$checkResult = $ga->verifyCode($totp_secret, $totp_code, 0);
if (!$checkResult) {
$this->error($this->CI->lang->line('aauth_error_totp_code_invalid'));
return FALSE;
}
}
}
// if email and pass matches and not banned // if email and pass matches and not banned
if ( $query->num_rows() > 0 ) { if ( $query->num_rows() > 0 ) {
@ -2111,6 +2131,25 @@ class Aauth {
return $content; return $content;
} }
public function generate_totp_secret(){
$ga = new PHPGangsta_GoogleAuthenticator();
$stop = false;
while (!$stop) {
$secret = $ga->createSecret();
$query = $this->aauth_db->where('totp_secret', $secret);
$query = $this->aauth_db->get($this->config_vars['users']);
if ($query->num_rows() == 0) {
return $secret;
$stop = true;
}
}
}
public function generate_totp_qrcode($secret){
$ga = new PHPGangsta_GoogleAuthenticator();
return $ga->getQRCodeGoogleUrl($this->config_vars['name'], $secret);
}
} // end class } // end class
// $this->CI->session->userdata('id') // $this->CI->session->userdata('id')

1
sql/Aauth_v2.sql
Unescape View File

@ -117,6 +117,7 @@ CREATE TABLE `aauth_users` (
`remember_time` datetime DEFAULT NULL, `remember_time` datetime DEFAULT NULL,
`remember_exp` text COLLATE utf8_general_ci, `remember_exp` text COLLATE utf8_general_ci,
`verification_code` text COLLATE utf8_general_ci, `verification_code` text COLLATE utf8_general_ci,
`totp_secret` varchar(16) COLLATE utf8_general_ci DEFAULT NULL,
`ip_address` text COLLATE utf8_general_ci, `ip_address` text COLLATE utf8_general_ci,
`login_attempts` int(11) DEFAULT '0', `login_attempts` int(11) DEFAULT '0',
PRIMARY KEY (`id`) PRIMARY KEY (`id`)

Write Preview
Loading…
Cancel
Save