Misterzym
/
CodeIgniter-Aauth
mirror of https://github.com/misterzym/CodeIgniter-Aauth.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #52 from REJack/totp 

TOTP and some improvements
develop v2.3.0
Emre Akay 10 years ago
parent
322e578f88 87369a9341
commit
fa22a5efc6
6 changed files with 435 additions and 87 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      README.md
  2. 8
      application/config/aauth.php
  3. 208
      application/helpers/googleauthenticator_helper.php
  4. 4
      application/language/english/aauth_lang.php
  5. 300
      application/libraries/Aauth.php
  6. 1
      sql/Aauth_v2.sql

1
README.md
Unescape View File

@ -25,6 +25,7 @@ Aauth is a User Authorization Library for CodeIgniter 2.x, which aims to make ea
* Login DDoS Protection
* Updated functions (check documentation for details)
* Bugs fixes
* TOTP (Time-based One-time Password)
### Migration
***

8
application/config/aauth.php
Unescape View File

@ -11,7 +11,7 @@
// if user don't have permisssion to see the page he will be
// redirected the page spesificed below
$config['aauth']['no_permission'] = '/';
$config['aauth']['no_permission'] = FALSE;
//name of admin group
$config['aauth']['admin_group'] = 'admin';
//name of default group, the new user is added in it
@ -48,7 +48,7 @@ $config['aauth']['max'] = 13;
$config['aauth']['min'] = 5;
// non alphanumeric characters that are allowed in a name
$config['aauth']['valid_chars'] = array(' ', '\'');
$config['aauth']['valid_chars'] = array();
// ddos protection,
//if it is true, the user will be banned temporary when he exceed the login 'try'
@ -59,6 +59,9 @@ $config['aauth']['recaptcha_login_attempts'] = 4;
$config['aauth']['recaptcha_siteKey'] = '';
$config['aauth']['recaptcha_secret'] = '';
$config['aauth']['totp_active'] = false;
$config['aauth']['totp_only_on_ip_change'] = false;
$config['aauth']['totp_reset_over_reset_password'] = false;
// login attempts time interval
// default 20 times in one hour
$config['aauth']['max_login_attempt'] = 10;
@ -67,6 +70,7 @@ $config['aauth']['max_login_attempt'] = 10;
$config['aauth']['verification'] = false;
$config['aauth']['login_with_name'] = false;
$config['aauth']['use_cookies'] = false;
// system email.
$config['aauth']['email'] = 'admin@admin.com';

208
application/helpers/googleauthenticator_helper.php
Unescape View File

@ -0,0 +1,208 @@
<?php
/**
* PHP Class for handling Google Authenticator 2-factor authentication
*
* @author Michael Kliewe
* @copyright 2012 Michael Kliewe
* @license http://www.opensource.org/licenses/bsd-license.php BSD License
* @link http://www.phpgangsta.de/
*/
class PHPGangsta_GoogleAuthenticator
{
protected $_codeLength = 6;
/**
* Create new secret.
* 16 characters, randomly chosen from the allowed base32 characters.
*
* @param int $secretLength
* @return string
*/
public function createSecret($secretLength = 16)
{
$validChars = $this->_getBase32LookupTable();
unset($validChars[32]);
$secret = '';
for ($i = 0; $i < $secretLength; $i++) {
$secret .= $validChars[array_rand($validChars)];
}
return $secret;
}
/**
* Calculate the code, with given secret and point in time
*
* @param string $secret
* @param int|null $timeSlice
* @return string
*/
public function getCode($secret, $timeSlice = null)
{
if ($timeSlice === null) {
$timeSlice = floor(time() / 30);
}
$secretkey = $this->_base32Decode($secret);
// Pack time into binary string
$time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);
// Hash it with users secret key
$hm = hash_hmac('SHA1', $time, $secretkey, true);
// Use last nipple of result as index/offset
$offset = ord(substr($hm, -1)) & 0x0F;
// grab 4 bytes of the result
$hashpart = substr($hm, $offset, 4);
// Unpak binary value
$value = unpack('N', $hashpart);
$value = $value[1];
// Only 32 bits
$value = $value & 0x7FFFFFFF;
$modulo = pow(10, $this->_codeLength);
return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT);
}
/**
* Get QR-Code URL for image, from google charts
*
* @param string $name
* @param string $secret
* @param string $title
* @return string
*/
public function getQRCodeGoogleUrl($name, $secret, $title = null) {
$urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');
if(isset($title)) {
$urlencoded .= urlencode('&issuer='.urlencode($title));
}
return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl='.$urlencoded.'';
}
/**
* Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now
*
* @param string $secret
* @param string $code
* @param int $discrepancy This is the allowed time drift in 30 second units (8 means 4 minutes before or after)
* @param int|null $currentTimeSlice time slice if we want use other that time()
* @return bool
*/
public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null)
{
if ($currentTimeSlice === null) {
$currentTimeSlice = floor(time() / 30);
}
for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
$calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
if ($calculatedCode == $code ) {
return true;
}
}
return false;
}
/**
* Set the code length, should be >=6
*
* @param int $length
* @return PHPGangsta_GoogleAuthenticator
*/
public function setCodeLength($length)
{
$this->_codeLength = $length;
return $this;
}
/**
* Helper class to decode base32
*
* @param $secret
* @return bool|string
*/
protected function _base32Decode($secret)
{
if (empty($secret)) return '';
$base32chars = $this->_getBase32LookupTable();
$base32charsFlipped = array_flip($base32chars);
$paddingCharCount = substr_count($secret, $base32chars[32]);
$allowedValues = array(6, 4, 3, 1, 0);
if (!in_array($paddingCharCount, $allowedValues)) return false;
for ($i = 0; $i < 4; $i++){
if ($paddingCharCount == $allowedValues[$i] &&
substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) return false;
}
$secret = str_replace('=','', $secret);
$secret = str_split($secret);
$binaryString = "";
for ($i = 0; $i < count($secret); $i = $i+8) {
$x = "";
if (!in_array($secret[$i], $base32chars)) return false;
for ($j = 0; $j < 8; $j++) {
$x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
}
$eightBits = str_split($x, 8);
for ($z = 0; $z < count($eightBits); $z++) {
$binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ? $y:"";
}
}
return $binaryString;
}
/**
* Helper class to encode base32
*
* @param string $secret
* @param bool $padding
* @return string
*/
protected function _base32Encode($secret, $padding = true)
{
if (empty($secret)) return '';
$base32chars = $this->_getBase32LookupTable();
$secret = str_split($secret);
$binaryString = "";
for ($i = 0; $i < count($secret); $i++) {
$binaryString .= str_pad(base_convert(ord($secret[$i]), 10, 2), 8, '0', STR_PAD_LEFT);
}
$fiveBitBinaryArray = str_split($binaryString, 5);
$base32 = "";
$i = 0;
while ($i < count($fiveBitBinaryArray)) {
$base32 .= $base32chars[base_convert(str_pad($fiveBitBinaryArray[$i], 5, '0'), 2, 10)];
$i++;
}
if ($padding && ($x = strlen($binaryString) % 40) != 0) {
if ($x == 8) $base32 .= str_repeat($base32chars[32], 6);
elseif ($x == 16) $base32 .= str_repeat($base32chars[32], 4);
elseif ($x == 24) $base32 .= str_repeat($base32chars[32], 3);
elseif ($x == 32) $base32 .= $base32chars[32];
}
return $base32;
}
/**
* Get array with all 32 characters for decoding from/encoding to base32
*
* @return array
*/
protected function _getBase32LookupTable()
{
return array(
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', // 7
'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
'=' // padding char
);
}
}

4
application/language/english/aauth_lang.php
Unescape View File

@ -25,6 +25,9 @@ $lang['aauth_error_email_invalid'] = 'Invalid e-mail address';
$lang['aauth_error_password_invalid'] = 'Invalid password';
$lang['aauth_error_username_invalid'] = 'Invalid Username';
$lang['aauth_error_username_required'] = 'Username required';
$lang['aauth_error_totp_code_required'] = 'TOTP Code required';
$lang['aauth_error_totp_code_invalid'] = 'Invalid TOTP Code';
// Account update errors
$lang['aauth_error_update_email_exists'] = 'Email address already exists on the system. Please enter a different email address.';
@ -38,7 +41,6 @@ $lang['aauth_error_login_failed_name'] = 'Username and Password do not match.';
$lang['aauth_error_login_attempts_exceeded'] = 'You have exceeded your login attempts, your account has now been locked.';
$lang['aauth_error_recaptcha_not_correct'] = 'Sorry, the reCAPTCHA text entered was incorrect.';
// Misc. errors
$lang['aauth_error_no_user'] = 'User does not exist';
$lang['aauth_error_account_not_verified'] = 'Your account has not been verified. Please check your e-mail and verify your account.';

300
application/libraries/Aauth.php
Unescape View File

@ -22,7 +22,6 @@
* https://github.com/emreakay/CodeIgniter-Aauth
*
* @todo separate (on some level) the unvalidated users from the "banned" users
* @todo add configuration to not use cookies if sessions are enabled.
*/
class Aauth {
@ -102,6 +101,7 @@ class Aauth {
$this->CI->load->helper('email');
$this->CI->load->helper('language');
$this->CI->load->helper('recaptchalib');
$this->CI->load->helper('googleauthenticator_helper');
$this->CI->lang->load('aauth');
// config/aauth.php
@ -129,17 +129,19 @@ class Aauth {
* @param bool $remember
* @return bool Indicates successful login.
*/
public function login($identifier, $pass, $remember = FALSE) {
public function login($identifier, $pass, $remember = FALSE, $totp_code = NULL) {
// Remove cookies first
$cookie = array(
'name' => 'user',
'value' => '',
'expire' => time()-3600,
'path' => '/',
);
if($this->config_vars['use_cookies'] == TRUE){
// Remove cookies first
$cookie = array(
'name' => 'user',
'value' => '',
'expire' => time()-3600,
'path' => '/',
);
$this->CI->input->set_cookie($cookie);
}
$this->CI->input->set_cookie($cookie);
if( $this->config_vars['login_with_name'] == TRUE){
@ -184,13 +186,17 @@ class Aauth {
$query = $this->aauth_db->get($this->config_vars['users']);
$row = $query->row();
if($query->num_rows() > 0 && $this->config_vars['ddos_protection'] && $this->config_vars['recaptcha_active'] && $row->login_attempts >= $this->config_vars['recaptcha_login_attempts']){
$reCAPTCHA_cookie = array(
'name' => 'reCAPTCHA',
'value' => 'true',
'expire' => time()+7200,
'path' => '/',
);
$this->CI->input->set_cookie($reCAPTCHA_cookie);
if($this->config_vars['use_cookies'] == TRUE){
$reCAPTCHA_cookie = array(
'name' => 'reCAPTCHA',
'value' => 'true',
'expire' => time()+7200,
'path' => '/',
);
$this->CI->input->set_cookie($reCAPTCHA_cookie);
}else{
$this->CI->session->set_tempdata('reCAPTCHA', 'true', 7200);
}
}
// if user is not verified
@ -215,7 +221,63 @@ class Aauth {
}
$user_id = $query->row()->id;
if( ($this->config_vars['use_cookies'] == TRUE && $this->CI->input->cookie('reCAPTCHA', TRUE) == 'true') || ($this->config_vars['use_cookies'] == FALSE && $this->CI->session->tempdata('reCAPTCHA') == 'true') ){
$reCaptcha = new ReCaptcha( $this->config_vars['recaptcha_secret']);
$resp = $reCaptcha->verifyResponse( $this->CI->input->server("REMOTE_ADDR"), $this->CI->input->post("g-recaptcha-response") );
if(!$resp->success){
$this->error($this->CI->lang->line('aauth_error_recaptcha_not_correct'));
return FALSE;
}
}
if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_only_on_ip_change'] == FALSE){
$query = null;
$query = $this->aauth_db->where($db_identifier, $identifier);
$query = $this->aauth_db->get($this->config_vars['users']);
$totp_secret = $query->row()->totp_secret;
if ($query->num_rows() > 0 AND !$totp_code) {
$this->error($this->CI->lang->line('aauth_error_totp_code_required'));
return FALSE;
}else {
if(!empty($totp_secret)){
$ga = new PHPGangsta_GoogleAuthenticator();
$checkResult = $ga->verifyCode($totp_secret, $totp_code, 0);
if (!$checkResult) {
$this->error($this->CI->lang->line('aauth_error_totp_code_invalid'));
return FALSE;
}
}
}
}
if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_only_on_ip_change'] == TRUE){
$query = null;
$query = $this->aauth_db->where($db_identifier, $identifier);
$query = $this->aauth_db->get($this->config_vars['users']);
$totp_secret = $query->row()->totp_secret;
$ip_address = $query->row()->ip_address;
$current_ip_address = $this->CI->input->ip_address();
if ($query->num_rows() > 0 AND !$totp_code) {
if($ip_address != $current_ip_address ){
$this->error($this->CI->lang->line('aauth_error_totp_code_required'));
return FALSE;
}
}else {
if(!empty($totp_secret)){
if($ip_address != $current_ip_address ){
$ga = new PHPGangsta_GoogleAuthenticator();
$checkResult = $ga->verifyCode($totp_secret, $totp_code, 0);
if (!$checkResult) {
$this->error($this->CI->lang->line('aauth_error_totp_code_invalid'));
return FALSE;
}
}
}
}
}
$query = null;
$query = $this->aauth_db->where($db_identifier, $identifier);
@ -226,18 +288,9 @@ class Aauth {
$query = $this->aauth_db->get($this->config_vars['users']);
$row = $query->row();
if($this->CI->input->cookie('reCAPTCHA', TRUE) == 'true'){
$reCaptcha = new ReCaptcha( $this->config_vars['recaptcha_secret']);
$resp = $reCaptcha->verifyResponse( $this->CI->input->server("REMOTE_ADDR"), $this->CI->input->post("g-recaptcha-response") );
if(!$resp->success){
$this->error($this->CI->lang->line('aauth_error_recaptcha_not_correct'));
return FALSE;
}
}
// if email and pass matches and not banned
if ( $query->num_rows() > 0 ) {
if ( $query->num_rows() != 0 ) {
// If email and pass matches
// create session
@ -258,24 +311,32 @@ class Aauth {
$random_string = random_string('alnum', 16);
$this->update_remember($row->id, $random_string, $remember_date );
$cookie = array(
'name' => 'user',
'value' => $row->id . "-" . $random_string,
'expire' => time() + 99*999*999,
'path' => '/',
);
$this->CI->input->set_cookie($cookie);
if($this->config_vars['use_cookies'] == TRUE){
$cookie = array(
'name' => 'user',
'value' => $row->id . "-" . $random_string,
'expire' => time() + 99*999*999,
'path' => '/',
);
$this->CI->input->set_cookie($cookie);
}else{
$this->CI->session->set_userdata('remember', $row->id . "-" . $random_string);
}
}
if($this->config_vars['recaptcha_active']){
$reCAPTCHA_cookie = array(
'name' => 'reCAPTCHA',
'value' => 'false',
'expire' => time()-3600,
'path' => '/',
);
$this->CI->input->set_cookie($reCAPTCHA_cookie);
if($this->config_vars['use_cookies'] == TRUE){
$reCAPTCHA_cookie = array(
'name' => 'reCAPTCHA',
'value' => 'false',
'expire' => time()-3600,
'path' => '/',
);
$this->CI->input->set_cookie($reCAPTCHA_cookie);
}else{
$this->CI->session->unset_tempdata('reCAPTCHA');
}
}
// update last login
@ -306,37 +367,67 @@ class Aauth {
// cookie control
else {
if( ! $this->CI->input->cookie('user', TRUE) ){
return FALSE;
} else {
$cookie = explode('-', $this->CI->input->cookie('user', TRUE));
if(!is_numeric( $cookie[0] ) OR strlen($cookie[1]) < 13 ){return FALSE;}
else{
$query = $this->aauth_db->where('id', $cookie[0]);
$query = $this->aauth_db->where('remember_exp', $cookie[1]);
$query = $this->aauth_db->get($this->config_vars['users']);
$row = $query->row();
if ($query->num_rows() < 1) {
$this->update_remember($cookie[0]);
return FALSE;
}else{
if(strtotime($row->remember_time) > strtotime("now") ){
$this->login_fast($cookie[0]);
return TRUE;
if($this->config_vars['use_cookies'] == TRUE){
if( ! $this->CI->input->cookie('user', TRUE) ){
return FALSE;
} else {
$cookie = explode('-', $this->CI->input->cookie('user', TRUE));
if(!is_numeric( $cookie[0] ) OR strlen($cookie[1]) < 13 ){return FALSE;}
else{
$query = $this->aauth_db->where('id', $cookie[0]);
$query = $this->aauth_db->where('remember_exp', $cookie[1]);
$query = $this->aauth_db->get($this->config_vars['users']);
$row = $query->row();
if ($query->num_rows() < 1) {
$this->update_remember($cookie[0]);
return FALSE;
}else{
if(strtotime($row->remember_time) > strtotime("now") ){
$this->login_fast($cookie[0]);
return TRUE;
}
// if time is expired
else {
return FALSE;
}
}
// if time is expired
else {
}
}
}else{
if(!$this->CI->session->has_userdata('remember')){
return FALSE;
}else{
$session = explode('-', $this->CI->session->userdata('remember'));
if(!is_numeric( $session[0] ) OR strlen($session[1]) < 13 ){return FALSE;}
else{
$query = $this->aauth_db->where('id', $session[0]);
$query = $this->aauth_db->where('remember_exp', $session[1]);
$query = $this->aauth_db->get($this->config_vars['users']);
$row = $query->row();
if ($query->num_rows() < 1) {
$this->update_remember($session[0]);
return FALSE;
}else{
if(strtotime($row->remember_time) > strtotime("now") ){
$this->login_fast($session[0]);
return TRUE;
}
// if time is expired
else {
return FALSE;
}
}
}
}
}
}
return FALSE;
}
@ -376,15 +467,16 @@ class Aauth {
*/
public function logout() {
$cookie = array(
'name' => 'user',
'value' => '',
'expire' => time()-3600,
'path' => '/',
);
$this->CI->input->set_cookie($cookie);
if($this->config_vars['use_cookies'] == TRUE){
$cookie = array(
'name' => 'user',
'value' => '',
'expire' => time()-3600,
'path' => '/',
);
$this->CI->input->set_cookie($cookie);
}
return $this->CI->session->sess_destroy();
}
@ -487,6 +579,10 @@ class Aauth {
'pass' => $this->hash_password($pass, $user_id)
);
if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_reset_over_reset_password'] == TRUE){
$data['totp_secret'] = NULL;
}
$row = $query->row();
$email = $row->email;
@ -859,12 +955,10 @@ class Aauth {
* Delete user
* Delete a user from database. WARNING Can't be undone
* @param int $user_id User id to delete
* @return bool Delete fails/succeeds
*/
public function delete_user($user_id) {
$this->aauth_db->where('id', $user_id);
$this->aauth_db->delete($this->config_vars['users']);
// delete from perm_to_user
$this->aauth_db->where('user_id', $user_id);
$this->aauth_db->delete($this->config_vars['perm_to_user']);
@ -876,6 +970,11 @@ class Aauth {
// delete user vars
$this->aauth_db->where('user_id', $user_id);
$this->aauth_db->delete($this->config_vars['user_variables']);
// delete user
$this->aauth_db->where('id', $user_id);
return $this->aauth_db->delete($this->config_vars['users']);
}
//tested
@ -1553,7 +1652,7 @@ class Aauth {
$query = $this->aauth_db->get($this->config_vars['perms']);
if ($query->num_rows() == 0)
return NULL;
return FALSE;
$row = $query->row();
return $row->id;
@ -1656,11 +1755,12 @@ class Aauth {
if ($query->num_rows() < 1) {
$this->error( $this->CI->lang->line('aauth_error_no_pm') );
return FALSE;
}
if ($set_as_read) $this->set_as_read_pm($pm_id);
return $query->result();
return $query->row();
}
//tested
@ -2138,14 +2238,46 @@ class Aauth {
public function generate_recaptcha_field(){
$content = '';
if($this->config_vars['ddos_protection'] && $this->config_vars['recaptcha_active'] && $this->CI->input->cookie('reCAPTCHA', TRUE) == 'true'){
$content .= "<script type='text/javascript' src='https://www.google.com/recaptcha/api.js'></script>";
$siteKey = $this->config_vars['recaptcha_siteKey'];
$content .= "<div class='g-recaptcha' data-sitekey='{$siteKey}'></div>";
if($this->config_vars['ddos_protection'] && $this->config_vars['recaptcha_active']){
if( ($this->config_vars['use_cookies'] == TRUE && $this->CI->input->cookie('reCAPTCHA', TRUE) == 'true') || ($this->config_vars['use_cookies'] == FALSE && $this->CI->session->tempdata('reCAPTCHA') == 'true') ){
$content .= "<script type='text/javascript' src='https://www.google.com/recaptcha/api.js'></script>";
$siteKey = $this->config_vars['recaptcha_siteKey'];
$content .= "<div class='g-recaptcha' data-sitekey='{$siteKey}'></div>";
}
}
return $content;
}
public function update_user_totp_secret($user_id = FALSE, $secret) {
if ($user_id == FALSE)
$user_id = $this->CI->session->userdata('id');
$data['totp_secret'] = $secret;
$this->aauth_db->where('id', $user_id);
return $this->aauth_db->update($this->config_vars['users'], $data);
}
public function generate_unique_totp_secret(){
$ga = new PHPGangsta_GoogleAuthenticator();
$stop = false;
while (!$stop) {
$secret = $ga->createSecret();
$query = $this->aauth_db->where('totp_secret', $secret);
$query = $this->aauth_db->get($this->config_vars['users']);
if ($query->num_rows() == 0) {
return $secret;
$stop = true;
}
}
}
public function generate_totp_qrcode($secret){
$ga = new PHPGangsta_GoogleAuthenticator();
return $ga->getQRCodeGoogleUrl($this->config_vars['name'], $secret);
}
} // end class
// $this->CI->session->userdata('id')

1
sql/Aauth_v2.sql
Unescape View File

@ -117,6 +117,7 @@ CREATE TABLE `aauth_users` (
`remember_time` datetime DEFAULT NULL,
`remember_exp` text COLLATE utf8_general_ci,
`verification_code` text COLLATE utf8_general_ci,
`totp_secret` varchar(16) COLLATE utf8_general_ci DEFAULT NULL,
`ip_address` text COLLATE utf8_general_ci,
`login_attempts` int(11) DEFAULT '0',
PRIMARY KEY (`id`)

Write Preview
Loading…
Cancel
Save