From 98f0a74457b31f5cc117ee4a388c51da7f99c232 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Wed, 20 May 2015 05:21:29 +0200 Subject: [PATCH 01/19] added Time-Based One-Time Password --- application/config/aauth.php | 1 + .../helpers/googleauthenticator_helper.php | 208 ++++++++++++++++++ application/language/english/aauth_lang.php | 4 +- application/libraries/Aauth.php | 43 +++- sql/Aauth_v2.sql | 1 + 5 files changed, 254 insertions(+), 3 deletions(-) create mode 100644 application/helpers/googleauthenticator_helper.php diff --git a/application/config/aauth.php b/application/config/aauth.php index c1061be..9ec712c 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -57,6 +57,7 @@ $config['aauth']['recaptcha_login_attempts'] = 4; $config['aauth']['recaptcha_siteKey'] = ''; $config['aauth']['recaptcha_secret'] = ''; +$config['aauth']['totp_active'] = true; // login attempts time interval // default 20 times in one hour $config['aauth']['max_login_attempt'] = 10; diff --git a/application/helpers/googleauthenticator_helper.php b/application/helpers/googleauthenticator_helper.php new file mode 100644 index 0000000..7424d0b --- /dev/null +++ b/application/helpers/googleauthenticator_helper.php @@ -0,0 +1,208 @@ +_getBase32LookupTable(); + unset($validChars[32]); + + $secret = ''; + for ($i = 0; $i < $secretLength; $i++) { + $secret .= $validChars[array_rand($validChars)]; + } + return $secret; + } + + /** + * Calculate the code, with given secret and point in time + * + * @param string $secret + * @param int|null $timeSlice + * @return string + */ + public function getCode($secret, $timeSlice = null) + { + if ($timeSlice === null) { + $timeSlice = floor(time() / 30); + } + + $secretkey = $this->_base32Decode($secret); + + // Pack time into binary string + $time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice); + // Hash it with users secret key + $hm = hash_hmac('SHA1', $time, $secretkey, true); + // Use last nipple of result as index/offset + $offset = ord(substr($hm, -1)) & 0x0F; + // grab 4 bytes of the result + $hashpart = substr($hm, $offset, 4); + + // Unpak binary value + $value = unpack('N', $hashpart); + $value = $value[1]; + // Only 32 bits + $value = $value & 0x7FFFFFFF; + + $modulo = pow(10, $this->_codeLength); + return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT); + } + + /** + * Get QR-Code URL for image, from google charts + * + * @param string $name + * @param string $secret + * @param string $title + * @return string + */ + public function getQRCodeGoogleUrl($name, $secret, $title = null) { + $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.''); + if(isset($title)) { + $urlencoded .= urlencode('&issuer='.urlencode($title)); + } + return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl='.$urlencoded.''; + } + + /** + * Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now + * + * @param string $secret + * @param string $code + * @param int $discrepancy This is the allowed time drift in 30 second units (8 means 4 minutes before or after) + * @param int|null $currentTimeSlice time slice if we want use other that time() + * @return bool + */ + public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null) + { + if ($currentTimeSlice === null) { + $currentTimeSlice = floor(time() / 30); + } + + for ($i = -$discrepancy; $i <= $discrepancy; $i++) { + $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i); + if ($calculatedCode == $code ) { + return true; + } + } + + return false; + } + + /** + * Set the code length, should be >=6 + * + * @param int $length + * @return PHPGangsta_GoogleAuthenticator + */ + public function setCodeLength($length) + { + $this->_codeLength = $length; + return $this; + } + + /** + * Helper class to decode base32 + * + * @param $secret + * @return bool|string + */ + protected function _base32Decode($secret) + { + if (empty($secret)) return ''; + + $base32chars = $this->_getBase32LookupTable(); + $base32charsFlipped = array_flip($base32chars); + + $paddingCharCount = substr_count($secret, $base32chars[32]); + $allowedValues = array(6, 4, 3, 1, 0); + if (!in_array($paddingCharCount, $allowedValues)) return false; + for ($i = 0; $i < 4; $i++){ + if ($paddingCharCount == $allowedValues[$i] && + substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) return false; + } + $secret = str_replace('=','', $secret); + $secret = str_split($secret); + $binaryString = ""; + for ($i = 0; $i < count($secret); $i = $i+8) { + $x = ""; + if (!in_array($secret[$i], $base32chars)) return false; + for ($j = 0; $j < 8; $j++) { + $x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT); + } + $eightBits = str_split($x, 8); + for ($z = 0; $z < count($eightBits); $z++) { + $binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ? $y:""; + } + } + return $binaryString; + } + + /** + * Helper class to encode base32 + * + * @param string $secret + * @param bool $padding + * @return string + */ + protected function _base32Encode($secret, $padding = true) + { + if (empty($secret)) return ''; + + $base32chars = $this->_getBase32LookupTable(); + + $secret = str_split($secret); + $binaryString = ""; + for ($i = 0; $i < count($secret); $i++) { + $binaryString .= str_pad(base_convert(ord($secret[$i]), 10, 2), 8, '0', STR_PAD_LEFT); + } + $fiveBitBinaryArray = str_split($binaryString, 5); + $base32 = ""; + $i = 0; + while ($i < count($fiveBitBinaryArray)) { + $base32 .= $base32chars[base_convert(str_pad($fiveBitBinaryArray[$i], 5, '0'), 2, 10)]; + $i++; + } + if ($padding && ($x = strlen($binaryString) % 40) != 0) { + if ($x == 8) $base32 .= str_repeat($base32chars[32], 6); + elseif ($x == 16) $base32 .= str_repeat($base32chars[32], 4); + elseif ($x == 24) $base32 .= str_repeat($base32chars[32], 3); + elseif ($x == 32) $base32 .= $base32chars[32]; + } + return $base32; + } + + /** + * Get array with all 32 characters for decoding from/encoding to base32 + * + * @return array + */ + protected function _getBase32LookupTable() + { + return array( + 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', // 7 + 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15 + 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23 + 'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31 + '=' // padding char + ); + } +} diff --git a/application/language/english/aauth_lang.php b/application/language/english/aauth_lang.php index ec28e22..9625f98 100644 --- a/application/language/english/aauth_lang.php +++ b/application/language/english/aauth_lang.php @@ -25,6 +25,9 @@ $lang['aauth_error_email_invalid'] = 'Invalid e-mail address'; $lang['aauth_error_password_invalid'] = 'Invalid password'; $lang['aauth_error_username_invalid'] = 'Invalid Username'; $lang['aauth_error_username_required'] = 'Username required'; +$lang['aauth_error_totp_code_required'] = 'TOTP Code required'; +$lang['aauth_error_totp_code_invalid'] = 'Invalid TOTP Code'; + // Access errors $lang['aauth_error_no_access'] = 'Sorry, you do not have access to the resource you requested.'; @@ -33,7 +36,6 @@ $lang['aauth_error_login_failed_name'] = 'Username and Password do not match.'; $lang['aauth_error_login_attempts_exceeded'] = 'You have exceeded your login attempts, your account has now been locked.'; $lang['aauth_error_recaptcha_not_correct'] = 'Sorry, the reCAPTCHA text entered was incorrect.'; - // Misc. errors $lang['aauth_error_no_user'] = 'User does not exist'; $lang['aauth_error_account_not_verified'] = 'Your account has not been verified. Please check your e-mail and verify your account.'; diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index c762e07..02f10a6 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -102,6 +102,7 @@ class Aauth { $this->CI->load->helper('email'); $this->CI->load->helper('language'); $this->CI->load->helper('recaptchalib'); + $this->CI->load->helper('googleauthenticator_helper'); $this->CI->lang->load('aauth'); // config/aauth.php @@ -129,7 +130,7 @@ class Aauth { * @param bool $remember * @return bool Indicates successful login. */ - public function login($identifier, $pass, $remember = FALSE) { + public function login($identifier, $pass, $remember = FALSE, $totp_code = NULL) { // Remove cookies first $cookie = array( @@ -234,7 +235,26 @@ class Aauth { return FALSE; } } - + + if($this->config_vars['totp_active'] == TRUE){ + $query = null; + $query = $this->aauth_db->where($db_identifier, $identifier); + $query = $this->aauth_db->where('totp_secret !=', ''); + $query = $this->aauth_db->get($this->config_vars['users']); + $totp_secret = $query->row()->totp_secret; + if ($query->num_rows() > 0 AND !$totp_code) { + $this->error($this->CI->lang->line('aauth_error_totp_code_required')); + return FALSE; + }else if ($query->num_rows() > 0 AND $totp_code) { + $ga = new PHPGangsta_GoogleAuthenticator(); + $checkResult = $ga->verifyCode($totp_secret, $totp_code, 0); + if (!$checkResult) { + $this->error($this->CI->lang->line('aauth_error_totp_code_invalid')); + return FALSE; + } + } + } + // if email and pass matches and not banned if ( $query->num_rows() > 0 ) { @@ -2111,6 +2131,25 @@ class Aauth { return $content; } + public function generate_totp_secret(){ + $ga = new PHPGangsta_GoogleAuthenticator(); + $stop = false; + while (!$stop) { + $secret = $ga->createSecret(); + $query = $this->aauth_db->where('totp_secret', $secret); + $query = $this->aauth_db->get($this->config_vars['users']); + if ($query->num_rows() == 0) { + return $secret; + $stop = true; + } + } + } + + public function generate_totp_qrcode($secret){ + $ga = new PHPGangsta_GoogleAuthenticator(); + return $ga->getQRCodeGoogleUrl($this->config_vars['name'], $secret); + } + } // end class // $this->CI->session->userdata('id') diff --git a/sql/Aauth_v2.sql b/sql/Aauth_v2.sql index b0c68a1..12ee7a5 100644 --- a/sql/Aauth_v2.sql +++ b/sql/Aauth_v2.sql @@ -117,6 +117,7 @@ CREATE TABLE `aauth_users` ( `remember_time` datetime DEFAULT NULL, `remember_exp` text COLLATE utf8_general_ci, `verification_code` text COLLATE utf8_general_ci, + `totp_secret` varchar(16) COLLATE utf8_general_ci DEFAULT NULL, `ip_address` text COLLATE utf8_general_ci, `login_attempts` int(11) DEFAULT '0', PRIMARY KEY (`id`) From 11288205faddb39b339e550fff55ade55609a317 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Wed, 20 May 2015 05:33:16 +0200 Subject: [PATCH 02/19] added totp_reset_over_reset_password and update_user_totp_secret() --- application/config/aauth.php | 2 ++ application/libraries/Aauth.php | 17 ++++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 9ec712c..d9d3858 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -58,6 +58,8 @@ $config['aauth']['recaptcha_siteKey'] = ''; $config['aauth']['recaptcha_secret'] = ''; $config['aauth']['totp_active'] = true; +$config['aauth']['totp_reset_over_reset_password'] = false; + // login attempts time interval // default 20 times in one hour $config['aauth']['max_login_attempt'] = 10; diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index 02f10a6..54fbeac 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -502,6 +502,10 @@ class Aauth { 'pass' => $this->hash_password($pass, $user_id) ); + if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_reset_over_reset_password'] == TRUE){ + $data['totp_secret'] = NULL; + } + $row = $query->row(); $email = $row->email; @@ -2131,7 +2135,18 @@ class Aauth { return $content; } - public function generate_totp_secret(){ + public function update_user_totp_secret($user_id = FALSE, $secret) { + + if ($user_id == FALSE) + $user_id = $this->CI->session->userdata('id'); + + $data['totp_secret'] = $secret; + + $this->aauth_db->where('id', $user_id); + return $this->aauth_db->update($this->config_vars['users'], $data); + } + + public function generate_unique_totp_secret(){ $ga = new PHPGangsta_GoogleAuthenticator(); $stop = false; while (!$stop) { From 86845c22b0e14b72c15cbfe279e59cfa380dde3a Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Fri, 22 May 2015 11:32:23 +0200 Subject: [PATCH 03/19] fixed a error on login without totp_code --- application/libraries/Aauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index 54fbeac..b7050d6 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -241,11 +241,11 @@ class Aauth { $query = $this->aauth_db->where($db_identifier, $identifier); $query = $this->aauth_db->where('totp_secret !=', ''); $query = $this->aauth_db->get($this->config_vars['users']); - $totp_secret = $query->row()->totp_secret; if ($query->num_rows() > 0 AND !$totp_code) { $this->error($this->CI->lang->line('aauth_error_totp_code_required')); return FALSE; }else if ($query->num_rows() > 0 AND $totp_code) { + $totp_secret = $query->row()->totp_secret; $ga = new PHPGangsta_GoogleAuthenticator(); $checkResult = $ga->verifyCode($totp_secret, $totp_code, 0); if (!$checkResult) { From f0f1bb08e8958e2f154f8b22ae79c41469a6128d Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Fri, 22 May 2015 13:22:58 +0200 Subject: [PATCH 04/19] fixed a failure --- application/libraries/Aauth.php | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index b7050d6..0c81f7d 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -239,18 +239,19 @@ class Aauth { if($this->config_vars['totp_active'] == TRUE){ $query = null; $query = $this->aauth_db->where($db_identifier, $identifier); - $query = $this->aauth_db->where('totp_secret !=', ''); $query = $this->aauth_db->get($this->config_vars['users']); + $totp_secret = $query->row()->totp_secret; if ($query->num_rows() > 0 AND !$totp_code) { $this->error($this->CI->lang->line('aauth_error_totp_code_required')); return FALSE; - }else if ($query->num_rows() > 0 AND $totp_code) { - $totp_secret = $query->row()->totp_secret; - $ga = new PHPGangsta_GoogleAuthenticator(); - $checkResult = $ga->verifyCode($totp_secret, $totp_code, 0); - if (!$checkResult) { - $this->error($this->CI->lang->line('aauth_error_totp_code_invalid')); - return FALSE; + }else { + if(!empty($totp_secret)){ + $ga = new PHPGangsta_GoogleAuthenticator(); + $checkResult = $ga->verifyCode($totp_secret, $totp_code, 0); + if (!$checkResult) { + $this->error($this->CI->lang->line('aauth_error_totp_code_invalid')); + return FALSE; + } } } } From d2cf407cb38c5ee4c7898fddad4fc5e58fdf1354 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Fri, 22 May 2015 13:23:19 +0200 Subject: [PATCH 05/19] changed totp_active default value to false --- application/config/aauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index d9d3858..0d24b8b 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -57,7 +57,7 @@ $config['aauth']['recaptcha_login_attempts'] = 4; $config['aauth']['recaptcha_siteKey'] = ''; $config['aauth']['recaptcha_secret'] = ''; -$config['aauth']['totp_active'] = true; +$config['aauth']['totp_active'] = false; $config['aauth']['totp_reset_over_reset_password'] = false; // login attempts time interval From f4c42a31208c8b4c093de3eb66cfbef87251b57f Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Tue, 26 May 2015 20:32:15 +0200 Subject: [PATCH 06/19] added totp_only_on_ip_change --- application/config/aauth.php | 2 +- application/libraries/Aauth.php | 28 +++++++++++++++++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 0d24b8b..ddfeb7c 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -58,8 +58,8 @@ $config['aauth']['recaptcha_siteKey'] = ''; $config['aauth']['recaptcha_secret'] = ''; $config['aauth']['totp_active'] = false; +$config['aauth']['totp_only_on_ip_change'] = false; $config['aauth']['totp_reset_over_reset_password'] = false; - // login attempts time interval // default 20 times in one hour $config['aauth']['max_login_attempt'] = 10; diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index 0c81f7d..7784ba6 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -236,7 +236,7 @@ class Aauth { } } - if($this->config_vars['totp_active'] == TRUE){ + if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_only_on_ip_change'] == FALSE){ $query = null; $query = $this->aauth_db->where($db_identifier, $identifier); $query = $this->aauth_db->get($this->config_vars['users']); @@ -255,6 +255,32 @@ class Aauth { } } } + + if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_only_on_ip_change'] == TRUE){ + $query = null; + $query = $this->aauth_db->where($db_identifier, $identifier); + $query = $this->aauth_db->get($this->config_vars['users']); + $totp_secret = $query->row()->totp_secret; + $ip_address = $query->row()->ip_address; + $current_ip_address = $this->CI->input->ip_address(); + if ($query->num_rows() > 0 AND !$totp_code) { + if($ip_address != $current_ip_address ){ + $this->error($this->CI->lang->line('aauth_error_totp_code_required')); + return FALSE; + } + }else { + if(!empty($totp_secret)){ + if($ip_address != $current_ip_address ){ + $ga = new PHPGangsta_GoogleAuthenticator(); + $checkResult = $ga->verifyCode($totp_secret, $totp_code, 0); + if (!$checkResult) { + $this->error($this->CI->lang->line('aauth_error_totp_code_invalid')); + return FALSE; + } + } + } + } + } // if email and pass matches and not banned if ( $query->num_rows() > 0 ) { From 239ef68c802b45b6f4ce8f073ebe94ac379659a9 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Wed, 3 Jun 2015 07:39:09 +0200 Subject: [PATCH 07/19] changed some default config vars --- application/config/aauth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index ddfeb7c..92b5c1e 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -11,7 +11,7 @@ // if user don't have permisssion to see the page he will be // redirected the page spesificed below -$config['aauth']['no_permission'] = '/'; +$config['aauth']['no_permission'] = FALSE; //name of admin group $config['aauth']['admin_group'] = 'admin'; //name of default group, the new user is added in it @@ -43,10 +43,10 @@ $config['aauth']['user_variables'] = 'aauth_user_variables'; $config['aauth']['remember'] = ' +3 days'; // pasword maximum char long (min is 4) -$config['aauth']['max'] = 13; +$config['aauth']['max'] = 24; // non alphanumeric characters that are allowed in a name -$config['aauth']['valid_chars'] = array(' ', '\''); +$config['aauth']['valid_chars'] = array(); // ddos protection, //if it is true, the user will be banned temporary when he exceed the login 'try' From 341bab55a73e45b9c2f6ea3bfae12a452bd1bdfc Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Mon, 8 Jun 2015 00:51:30 +0200 Subject: [PATCH 08/19] added min password length --- application/config/aauth.php | 4 +++- application/libraries/Aauth.php | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 92b5c1e..8e38c95 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -42,7 +42,9 @@ $config['aauth']['user_variables'] = 'aauth_user_variables'; // remember time $config['aauth']['remember'] = ' +3 days'; -// pasword maximum char long (min is 4) +// pasword minimum char long +$config['aauth']['min'] = 8; +// pasword maximum char long $config['aauth']['max'] = 24; // non alphanumeric characters that are allowed in a name diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index 7784ba6..afeb061 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -666,7 +666,7 @@ class Aauth { $this->error($this->CI->lang->line('aauth_error_email_invalid')); $valid = FALSE; } - if ( strlen($pass) < 5 OR strlen($pass) > $this->config_vars['max'] ){ + if ( strlen($pass) < $this->config_vars['min'] OR strlen($pass) > $this->config_vars['max'] ){ $this->error($this->CI->lang->line('aauth_error_password_invalid')); $valid = FALSE; } From bbc992d2f7386e02ba06a472d832f8cd1a32b2ef Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Mon, 8 Jun 2015 00:53:54 +0200 Subject: [PATCH 09/19] Revert "added min password length" This reverts commit 341bab55a73e45b9c2f6ea3bfae12a452bd1bdfc. --- application/config/aauth.php | 4 +--- application/libraries/Aauth.php | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 8e38c95..92b5c1e 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -42,9 +42,7 @@ $config['aauth']['user_variables'] = 'aauth_user_variables'; // remember time $config['aauth']['remember'] = ' +3 days'; -// pasword minimum char long -$config['aauth']['min'] = 8; -// pasword maximum char long +// pasword maximum char long (min is 4) $config['aauth']['max'] = 24; // non alphanumeric characters that are allowed in a name diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index afeb061..7784ba6 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -666,7 +666,7 @@ class Aauth { $this->error($this->CI->lang->line('aauth_error_email_invalid')); $valid = FALSE; } - if ( strlen($pass) < $this->config_vars['min'] OR strlen($pass) > $this->config_vars['max'] ){ + if ( strlen($pass) < 5 OR strlen($pass) > $this->config_vars['max'] ){ $this->error($this->CI->lang->line('aauth_error_password_invalid')); $valid = FALSE; } From 9afda70a7d61692edbece00340735a027d57dd58 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Tue, 23 Jun 2015 00:05:10 +0200 Subject: [PATCH 10/19] Updated README.md added TOTP info @tswagger take look over the TOTP pls, i dont know if anything is missing. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 80d60b0..37d2edd 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,7 @@ Aauth is a User Authorization Library for CodeIgniter 2.x, which aims to make ea * Login DDoS Protection * Updated functions (check documentation for details) * Bugs fixes +* TOTP (Time-based One-time Password) ### Migration *** From 3413b3bf0ae45336aa3af01607942a11eb230887 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Thu, 25 Jun 2015 18:09:11 +0200 Subject: [PATCH 11/19] added configuration to not use cookies if sessions are enabled. --- application/config/aauth.php | 1 + application/libraries/Aauth.php | 180 ++++++++++++++++++++------------ 2 files changed, 114 insertions(+), 67 deletions(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 92b5c1e..f955c76 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -68,6 +68,7 @@ $config['aauth']['max_login_attempt'] = 10; $config['aauth']['verification'] = false; $config['aauth']['login_with_name'] = false; +$config['aauth']['use_cookies'] = false; // system email. $config['aauth']['email'] = 'admin@admin.com'; diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index 7784ba6..d6b4645 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -22,7 +22,6 @@ * https://github.com/emreakay/CodeIgniter-Aauth * * @todo separate (on some level) the unvalidated users from the "banned" users - * @todo add configuration to not use cookies if sessions are enabled. */ class Aauth { @@ -132,15 +131,17 @@ class Aauth { */ public function login($identifier, $pass, $remember = FALSE, $totp_code = NULL) { - // Remove cookies first - $cookie = array( - 'name' => 'user', - 'value' => '', - 'expire' => time()-3600, - 'path' => '/', - ); + if($this->config_vars['use_cookies'] == TRUE){ + // Remove cookies first + $cookie = array( + 'name' => 'user', + 'value' => '', + 'expire' => time()-3600, + 'path' => '/', + ); + $this->CI->input->set_cookie($cookie); + } - $this->CI->input->set_cookie($cookie); if( $this->config_vars['login_with_name'] == TRUE){ if( !$identifier OR strlen($pass) < 5 OR strlen($pass) > $this->config_vars['max'] ) @@ -184,13 +185,17 @@ class Aauth { $query = $this->aauth_db->get($this->config_vars['users']); $row = $query->row(); if($query->num_rows() > 0 && $this->config_vars['ddos_protection'] && $this->config_vars['recaptcha_active'] && $row->login_attempts >= $this->config_vars['recaptcha_login_attempts']){ - $reCAPTCHA_cookie = array( - 'name' => 'reCAPTCHA', - 'value' => 'true', - 'expire' => time()+7200, - 'path' => '/', - ); - $this->CI->input->set_cookie($reCAPTCHA_cookie); + if($this->config_vars['use_cookies'] == TRUE){ + $reCAPTCHA_cookie = array( + 'name' => 'reCAPTCHA', + 'value' => 'true', + 'expire' => time()+7200, + 'path' => '/', + ); + $this->CI->input->set_cookie($reCAPTCHA_cookie); + }else{ + $this->CI->session->set_tempdata('reCAPTCHA', 'true', 7200); + } } // if user is not verified @@ -226,7 +231,7 @@ class Aauth { $query = $this->aauth_db->get($this->config_vars['users']); $row = $query->row(); - if($this->CI->input->cookie('reCAPTCHA', TRUE) == 'true'){ + if( ($this->config_vars['use_cookies'] == TRUE && $this->CI->input->cookie('reCAPTCHA', TRUE) == 'true') || ($this->config_vars['use_cookies'] == FALSE && $this->CI->session->tempdata('reCAPTCHA') == 'true') ){ $reCaptcha = new ReCaptcha( $this->config_vars['recaptcha_secret']); $resp = $reCaptcha->verifyResponse( $this->CI->input->server("REMOTE_ADDR"), $this->CI->input->post("g-recaptcha-response") ); @@ -304,24 +309,32 @@ class Aauth { $random_string = random_string('alnum', 16); $this->update_remember($row->id, $random_string, $remember_date ); - $cookie = array( - 'name' => 'user', - 'value' => $row->id . "-" . $random_string, - 'expire' => time() + 99*999*999, - 'path' => '/', - ); - - $this->CI->input->set_cookie($cookie); + if($this->config_vars['use_cookies'] == TRUE){ + $cookie = array( + 'name' => 'user', + 'value' => $row->id . "-" . $random_string, + 'expire' => time() + 99*999*999, + 'path' => '/', + ); + + $this->CI->input->set_cookie($cookie); + }else{ + $this->CI->session->set_userdata('remember', $row->id . "-" . $random_string); + } } if($this->config_vars['recaptcha_active']){ - $reCAPTCHA_cookie = array( - 'name' => 'reCAPTCHA', - 'value' => 'false', - 'expire' => time()-3600, - 'path' => '/', - ); - $this->CI->input->set_cookie($reCAPTCHA_cookie); + if($this->config_vars['use_cookies'] == TRUE){ + $reCAPTCHA_cookie = array( + 'name' => 'reCAPTCHA', + 'value' => 'false', + 'expire' => time()-3600, + 'path' => '/', + ); + $this->CI->input->set_cookie($reCAPTCHA_cookie); + }else{ + $this->CI->session->unset_tempdata('reCAPTCHA'); + } } // update last login @@ -352,37 +365,67 @@ class Aauth { // cookie control else { - if( ! $this->CI->input->cookie('user', TRUE) ){ - return FALSE; - } else { - $cookie = explode('-', $this->CI->input->cookie('user', TRUE)); - if(!is_numeric( $cookie[0] ) OR strlen($cookie[1]) < 13 ){return FALSE;} - else{ - $query = $this->aauth_db->where('id', $cookie[0]); - $query = $this->aauth_db->where('remember_exp', $cookie[1]); - $query = $this->aauth_db->get($this->config_vars['users']); - - $row = $query->row(); - - if ($query->num_rows() < 1) { - $this->update_remember($cookie[0]); - return FALSE; - }else{ - - if(strtotime($row->remember_time) > strtotime("now") ){ - $this->login_fast($cookie[0]); - return TRUE; + if($this->config_vars['use_cookies'] == TRUE){ + if( ! $this->CI->input->cookie('user', TRUE) ){ + return FALSE; + } else { + $cookie = explode('-', $this->CI->input->cookie('user', TRUE)); + if(!is_numeric( $cookie[0] ) OR strlen($cookie[1]) < 13 ){return FALSE;} + else{ + $query = $this->aauth_db->where('id', $cookie[0]); + $query = $this->aauth_db->where('remember_exp', $cookie[1]); + $query = $this->aauth_db->get($this->config_vars['users']); + + $row = $query->row(); + + if ($query->num_rows() < 1) { + $this->update_remember($cookie[0]); + return FALSE; + }else{ + + if(strtotime($row->remember_time) > strtotime("now") ){ + $this->login_fast($cookie[0]); + return TRUE; + } + // if time is expired + else { + return FALSE; + } } - // if time is expired - else { + } + } + }else{ + if(!$this->CI->session->has_userdata('remember')){ + return FALSE; + }else{ + $session = explode('-', $this->CI->session->userdata('remember')); + if(!is_numeric( $session[0] ) OR strlen($session[1]) < 13 ){return FALSE;} + else{ + $query = $this->aauth_db->where('id', $session[0]); + $query = $this->aauth_db->where('remember_exp', $session[1]); + $query = $this->aauth_db->get($this->config_vars['users']); + + $row = $query->row(); + + if ($query->num_rows() < 1) { + $this->update_remember($session[0]); return FALSE; + }else{ + + if(strtotime($row->remember_time) > strtotime("now") ){ + $this->login_fast($session[0]); + return TRUE; + } + // if time is expired + else { + return FALSE; + } } } } } } - return FALSE; } @@ -422,14 +465,15 @@ class Aauth { */ public function logout() { - $cookie = array( - 'name' => 'user', - 'value' => '', - 'expire' => time()-3600, - 'path' => '/', - ); - - $this->CI->input->set_cookie($cookie); + if($this->config_vars['use_cookies'] == TRUE){ + $cookie = array( + 'name' => 'user', + 'value' => '', + 'expire' => time()-3600, + 'path' => '/', + ); + $this->CI->input->set_cookie($cookie); + } return $this->CI->session->sess_destroy(); } @@ -2154,10 +2198,12 @@ class Aauth { public function generate_recaptcha_field(){ $content = ''; - if($this->config_vars['ddos_protection'] && $this->config_vars['recaptcha_active'] && $this->CI->input->cookie('reCAPTCHA', TRUE) == 'true'){ - $content .= ""; - $siteKey = $this->config_vars['recaptcha_siteKey']; - $content .= "
"; + if($this->config_vars['ddos_protection'] && $this->config_vars['recaptcha_active']){ + if( ($this->config_vars['use_cookies'] == TRUE && $this->CI->input->cookie('reCAPTCHA', TRUE) == 'true') || ($this->config_vars['use_cookies'] == FALSE && $this->CI->session->tempdata('reCAPTCHA') == 'true') ){ + $content .= ""; + $siteKey = $this->config_vars['recaptcha_siteKey']; + $content .= "
"; + } } return $content; } From 461278b157e55426ec355bfffd4c8f261aa635b2 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Thu, 25 Jun 2015 18:11:01 +0200 Subject: [PATCH 12/19] fixed login error after TOTP check (login with wrong pw fixed) --- application/libraries/Aauth.php | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index d6b4645..043e646 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -220,17 +220,7 @@ class Aauth { } $user_id = $query->row()->id; - - $query = null; - $query = $this->aauth_db->where($db_identifier, $identifier); - - // Database stores pasword hashed password - $query = $this->aauth_db->where('pass', $this->hash_password($pass, $user_id)); - $query = $this->aauth_db->where('banned', 0); - $query = $this->aauth_db->get($this->config_vars['users']); - - $row = $query->row(); if( ($this->config_vars['use_cookies'] == TRUE && $this->CI->input->cookie('reCAPTCHA', TRUE) == 'true') || ($this->config_vars['use_cookies'] == FALSE && $this->CI->session->tempdata('reCAPTCHA') == 'true') ){ $reCaptcha = new ReCaptcha( $this->config_vars['recaptcha_secret']); $resp = $reCaptcha->verifyResponse( $this->CI->input->server("REMOTE_ADDR"), $this->CI->input->post("g-recaptcha-response") ); @@ -286,9 +276,20 @@ class Aauth { } } } - + + $query = null; + $query = $this->aauth_db->where($db_identifier, $identifier); + + // Database stores pasword hashed password + $query = $this->aauth_db->where('pass', $this->hash_password($pass, $user_id)); + $query = $this->aauth_db->where('banned', 0); + + $query = $this->aauth_db->get($this->config_vars['users']); + + $row = $query->row(); + // if email and pass matches and not banned - if ( $query->num_rows() > 0 ) { + if ( $query->num_rows() != 0 ) { // If email and pass matches // create session @@ -474,7 +475,7 @@ class Aauth { ); $this->CI->input->set_cookie($cookie); } - + return $this->CI->session->sess_destroy(); } From bcbf28b432c0a07feef72d0116cd5fbfeb27ab7d Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Fri, 24 Jul 2015 13:11:20 +0200 Subject: [PATCH 13/19] changed NULL to FALSE by get_perm_id() i found that error on my unit tests :smile: --- application/libraries/Aauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index 043e646..d25df2c 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -1614,7 +1614,7 @@ class Aauth { $query = $this->aauth_db->get($this->config_vars['perms']); if ($query->num_rows() == 0) - return NULL; + return FALSE; $row = $query->row(); return $row->id; From f0cf74ec517b24428f93a7b7029b94af17730bc0 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Fri, 24 Jul 2015 13:15:29 +0200 Subject: [PATCH 14/19] added return by delete_user() --- application/libraries/Aauth.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index d25df2c..2a366f5 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -923,12 +923,10 @@ class Aauth { * Delete user * Delete a user from database. WARNING Can't be undone * @param int $user_id User id to delete + * @return bool Delete fails/succeeds */ public function delete_user($user_id) { - $this->aauth_db->where('id', $user_id); - $this->aauth_db->delete($this->config_vars['users']); - // delete from perm_to_user $this->aauth_db->where('user_id', $user_id); $this->aauth_db->delete($this->config_vars['perm_to_user']); @@ -940,6 +938,11 @@ class Aauth { // delete user vars $this->aauth_db->where('user_id', $user_id); $this->aauth_db->delete($this->config_vars['user_variables']); + + // delete user + $this->aauth_db->where('id', $user_id); + return $this->aauth_db->delete($this->config_vars['users']); + } //tested From 12a76b1659984fb72b78113081dee1519fc5cfb5 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Fri, 24 Jul 2015 13:40:18 +0200 Subject: [PATCH 15/19] changed result to row by get_pm added return false if ``aauth_error_no_pm`` appears --- application/libraries/Aauth.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php index 2a366f5..d8d6358 100644 --- a/application/libraries/Aauth.php +++ b/application/libraries/Aauth.php @@ -1720,11 +1720,12 @@ class Aauth { if ($query->num_rows() < 1) { $this->error( $this->CI->lang->line('aauth_error_no_pm') ); + return FALSE; } if ($set_as_read) $this->set_as_read_pm($pm_id); - return $query->result(); + return $query->row(); } //tested From 6474cdf2e4bd82ef57ead03cb5d17361d5a8d1fe Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Tue, 28 Jul 2015 01:23:35 +0200 Subject: [PATCH 16/19] test to resolve conflicts :smile: --- application/config/aauth.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index f955c76..66dad04 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -42,8 +42,10 @@ $config['aauth']['user_variables'] = 'aauth_user_variables'; // remember time $config['aauth']['remember'] = ' +3 days'; -// pasword maximum char long (min is 4) +// pasword maximum char long $config['aauth']['max'] = 24; +// pasword minimum char long +$config['aauth']['min'] = 5; // non alphanumeric characters that are allowed in a name $config['aauth']['valid_chars'] = array(); From 595fe0b5bb18ca074b25ab9308cfeb5e96c284c7 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Tue, 28 Jul 2015 01:25:26 +0200 Subject: [PATCH 17/19] revert max pw lenght --- application/config/aauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 66dad04..285cc2d 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -43,7 +43,7 @@ $config['aauth']['user_variables'] = 'aauth_user_variables'; $config['aauth']['remember'] = ' +3 days'; // pasword maximum char long -$config['aauth']['max'] = 24; +$config['aauth']['max'] = 13; // pasword minimum char long $config['aauth']['min'] = 5; From b449749451e392c996c7d0783745c6227390673f Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Tue, 28 Jul 2015 01:31:32 +0200 Subject: [PATCH 18/19] reverted the revert :smile: --- application/config/aauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 285cc2d..66dad04 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -43,7 +43,7 @@ $config['aauth']['user_variables'] = 'aauth_user_variables'; $config['aauth']['remember'] = ' +3 days'; // pasword maximum char long -$config['aauth']['max'] = 13; +$config['aauth']['max'] = 24; // pasword minimum char long $config['aauth']['min'] = 5; From 87369a93419407a1beb98982daaea2cb5ede7114 Mon Sep 17 00:00:00 2001 From: Raphael Jackstadt Date: Tue, 28 Jul 2015 01:32:27 +0200 Subject: [PATCH 19/19] Revert "reverted the revert :smile:" This reverts commit b449749451e392c996c7d0783745c6227390673f. --- application/config/aauth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/config/aauth.php b/application/config/aauth.php index 66dad04..285cc2d 100644 --- a/application/config/aauth.php +++ b/application/config/aauth.php @@ -43,7 +43,7 @@ $config['aauth']['user_variables'] = 'aauth_user_variables'; $config['aauth']['remember'] = ' +3 days'; // pasword maximum char long -$config['aauth']['max'] = 24; +$config['aauth']['max'] = 13; // pasword minimum char long $config['aauth']['min'] = 5;