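function otpenable() {
    // Turn on TOTP for the logged-in user. The caller must re-enter the
    // account password and one code generated from the secret that is about
    // to become active, so a mis-provisioned authenticator is caught before
    // the account is locked behind it. Prints "OK" on success or
    // "ERROR:<message>" on failure; returns nothing.
    require_once "lib/otphp/vendor/base32.php";
    require_once "lib/otphp/lib/otp.php";
    require_once "lib/otphp/lib/totp.php";

    // Request fields default to "" so a missing field fails the check
    // instead of raising an undefined-index notice.
    $password = isset($_REQUEST["password"]) ? (string) $_REQUEST["password"] : "";
    $otp = isset($_REQUEST["otp"]) ? (string) $_REQUEST["otp"] : "";
    // The uid is server-set session state, but it is interpolated into SQL
    // below, so pin it to an integer anyway.
    $uid = (int) $_SESSION["uid"];

    $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);

    if (!$authenticator->check_password($_SESSION["uid"], $password)) {
        print "ERROR:" . __("Incorrect password");
        return;
    }

    // The TOTP secret is derived from the stored password salt (the same
    // derivation the login path uses), so the code entered here is the one
    // the user's authenticator will produce after enrolment.
    $result = $this->dbh->query("SELECT salt FROM ttrss_users WHERE id = " . $uid);
    $base32 = new Base32();
    $secret = $base32->encode(sha1($this->dbh->fetch_result($result, 0, "salt")));
    $totp = new \OTPHP\TOTP($secret);
    // Only the current time step is accepted (now(), no drift window).
    $expected = (string) $totp->now();

    // Compare as strings and strictly: the previous `==` compared numeric
    // strings numerically, so "0123456" or "1.23456e5" matched "123456".
    // hash_equals() also makes the comparison constant-time; fall back to
    // === on PHP < 5.6, which this file still accommodates elsewhere.
    $otp_matches = function_exists('hash_equals')
        ? hash_equals($expected, $otp)
        : ($otp === $expected);

    if (!$otp_matches) {
        print "ERROR:" . __("Incorrect one time password");
        return;
    }

    $this->dbh->query("UPDATE ttrss_users SET otp_enabled = true WHERE id = " . $uid);
    print "OK";
}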
public function sendTOTPText() {
    /***
     * Text the user's current TOTP code to their phone number.
     *
     * Requires 2FA to be enabled on the account, otherwise an Exception is
     * thrown. Any failure while loading the OTP library, generating the
     * code or sending the text is swallowed and reported as `false`.
     *
     * NOTE(review): the message wording assumes a 30 s time step; the code
     * is really only valid for the remainder of the current step -- confirm
     * the period configured for OTPHP\TOTP. SMS delivery of OTP codes is
     * weaker than an authenticator app (SIM swap, interception); whether
     * that trade-off is acceptable is a policy decision outside this method.
     ***/
    if (!$this->has2FA()) {
        throw new Exception('User does not have TOTP enabled to send a text!');
    }

    try {
        self::doLoadOTP();

        // Same secret and digest the verifier uses, so the texted code is
        // the one the login form accepts for this time step.
        $generator = new OTPHP\TOTP($this->getSecret());
        $generator->setDigest($this->getDigest());

        $body = 'Your authentication code for ' . $this->getSiteName()
            . ' is: ' . $generator->now()
            . ' . It is valid for 30 seconds.';

        $this->textUser($body);
        return true;
    } catch (Exception $e) {
        // Best effort: delivery problems surface only as a false return.
        return false;
    }
}
function authenticate($login, $password) {
    /*
     * Internal-auth login. Order of operations:
     *   1. if the account has TOTP enabled, demand/verify a one-time code
     *      (showing an interstitial form and exiting when none was sent);
     *   2. verify the password against a password_hash()-style hash;
     *   3. otherwise fall back to the legacy hash formats and, on success,
     *      rewrite the stored hash to the password_hash() format.
     * Returns the user id on success, false otherwise.
     *
     * NOTE(review): the login value inside the SQL strings below appears
     * redacted in this listing ('******'); $login is passed through
     * db_escape_string() before those queries are built, so read the
     * placeholder as the escaped login, not a literal. The label/input
     * markup around name="otp" in the interstitial is also mangled here.
     */
    // Three candidate hash formats: password_hash-style (hash_password),
    // legacy unsalted, and legacy salted with the login.
    $pwd_hash0 = hash_password($password);
    $pwd_hash1 = encrypt_password($password);
    $pwd_hash2 = encrypt_password($password, $login);
    $login = db_escape_string($login);
    // Escaped for symmetry only: $otp is never interpolated into SQL, it is
    // compared against the generated code. Escaping is not validation.
    $otp = db_escape_string($_REQUEST["otp"]);
    if (get_schema_version() > 96) {
        if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
            $result = db_query("SELECT otp_enabled,salt FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******'");
            if (db_num_rows($result) > 0) {
                require_once "lib/otphp/vendor/base32.php";
                require_once "lib/otphp/lib/otp.php";
                require_once "lib/otphp/lib/totp.php";
                $base32 = new Base32();
                $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
                // The TOTP secret is derived from the password salt, so anyone
                // who can read ttrss_users.salt can also generate valid codes.
                $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
                $topt = new \OTPHP\TOTP($secret);
                // Only the current time step is accepted (now(), not verify()
                // with a drift window): clock skew between server and device
                // rejects otherwise-valid codes.
                $otp_check = $topt->now();
                if ($otp_enabled) {
                    if ($otp) {
                        // SECURITY(review): loose != compares numeric strings
                        // numerically ("0123456" passes for "123456") and is not
                        // constant-time; hash_equals() or === is the usual fix.
                        // OTP guesses are not rate-limited here.
                        if ($otp != $otp_check) {
                            return false;
                        }
                    } else {
                        // SECURITY(review): this interstitial is produced before
                        // the password has been checked, so a request with a
                        // known login reveals that the account exists and has
                        // OTP enabled. The submitted password and the other
                        // POST fields are echoed into hidden inputs so the
                        // second round-trip can replay them; absent $_POST
                        // fields raise undefined-index notices. $return is
                        // urlencoded, which is safe inside the action attribute;
                        // any open-redirect handling of it lives in public.php,
                        // not here.
                        $return = urlencode($_REQUEST["return"]);
                        ?> <html> <head><title>Tiny Tiny RSS</title></head> <?php echo stylesheet_tag("css/utility.css"); ?> <body class="otp"><div class="content"> <form action="public.php?return=<?php echo $return; ?> " method="POST" class="otpform"> <input type="hidden" name="op" value="login"> <input type="hidden" name="login" value="<?php echo htmlspecialchars($login); ?> "> <input type="hidden" name="password" value="<?php echo htmlspecialchars($password); ?> "> <input type="hidden" name="bw_limit" value="<?php echo htmlspecialchars($_POST["bw_limit"]); ?> "> <input type="hidden" name="remember_me" value="<?php echo htmlspecialchars($_POST["remember_me"]); ?> "> <input type="hidden" name="profile" value="<?php echo htmlspecialchars($_POST["profile"]); ?> "> <label><?php echo __("Please enter your one time password:"******"off" size="6" name="otp" value=""/> <input type="submit" value="Continue"/> </form></div> <script type="text/javascript"> document.forms[0].otp.focus(); </script> <?php exit;
                    }
                }
            }
        }
    }
    // Preferred path: a password_hash()-style hash checked with
    // password_verify() (polyfilled on PHP < 5.5).
    $result = db_query("SELECT id,pwd_hash FROM 
ttrss_users WHERE\n\t\t\tlogin = '******'");
    if (db_num_rows($result) === 1) {
        if (version_compare(PHP_VERSION, '5.5.0', '<')) {
            require_once 'vendor/ircmaxell/password-compat/lib/password.php';
        }
        $pwd_hash_dp = db_fetch_result($result, 0, "pwd_hash");
        if (password_verify($password, $pwd_hash_dp)) {
            return db_fetch_result($result, 0, "id");
        }
    }
    // Legacy paths: the candidate hash is interpolated into the WHERE clause
    // and matched by SQL string equality. This assumes encrypt_password()
    // returns SQL-safe (e.g. hex) output -- confirm.
    if (get_schema_version() > 87) {
        $result = db_query("SELECT salt FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'");
        if (db_num_rows($result) !== 1) {
            return false;
        }
        $salt = db_fetch_result($result, 0, "salt");
        if ($salt == "") {
            // No per-user salt yet: try the unsalted and login-salted hashes.
            $query = "SELECT id\n\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
            // verify and upgrade password to new salt base
            $result = db_query($query);
            if (db_num_rows($result) === 1) {
                // upgrade password to MODE2
                // get_random_bytes() is presumably the project's CSPRNG wrapper -- confirm
                $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
                $pwd_hash = encrypt_password($password, $salt, true);
                db_query("UPDATE ttrss_users SET\n\t\t\t\t\t\tpwd_hash = '{$pwd_hash}', salt = '{$salt}' WHERE login = '******'");
                $query = "SELECT id\n\t\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
            } else {
                return false;
            }
        } else {
            $pwd_hash = encrypt_password($password, $salt, true);
            $query = "SELECT id\n\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
        }
    } else {
        $query = "SELECT id\n\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
    }
    $result = db_query($query);
    if (db_num_rows($result) === 1) {
        // Authentication was successful, but the hash in the database
        // is not secure. We need to update it.
        // (Even the salted MODE2 hash written above is replaced here by the
        // password_hash()-style value, so the legacy branches run only once.)
        db_query("UPDATE ttrss_users SET\n\t\t\t\tpwd_hash = '{$pwd_hash0}' WHERE login = '******'");
        return db_fetch_result($result, 0, "id");
    }
    return false;
}
function authenticate($login, $password) {
    /*
     * Older variant of the internal-auth login (database handle passed via
     * $this->link). Order of operations:
     *   1. if the account has TOTP enabled, demand/verify a one-time code
     *      (showing an interstitial form and exiting when none was sent);
     *   2. match the password against the legacy hash formats, upgrading an
     *      unsalted account to a per-user salt on the first successful login.
     * Returns the user id on success, false otherwise. There is no
     * password_hash()/password_verify() path in this version.
     *
     * NOTE(review): the login value inside the SQL strings below appears
     * redacted in this listing ('******'); $login is passed through
     * db_escape_string() before those queries are built, so read the
     * placeholder as the escaped login, not a literal. The label/input
     * markup around name="otp" in the interstitial is also mangled here.
     */
    // Two legacy candidate hashes: unsalted, and salted with the login.
    $pwd_hash1 = encrypt_password($password);
    $pwd_hash2 = encrypt_password($password, $login);
    $login = db_escape_string($login);
    // Escaped for symmetry only: $otp is never interpolated into SQL, it is
    // compared against the generated code. Escaping is not validation.
    $otp = db_escape_string($_REQUEST["otp"]);
    if (get_schema_version($this->link) > 96) {
        if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
            $result = db_query($this->link, "SELECT otp_enabled,salt FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******'");
            if (db_num_rows($result) > 0) {
                require_once "lib/otphp/vendor/base32.php";
                require_once "lib/otphp/lib/otp.php";
                require_once "lib/otphp/lib/totp.php";
                $base32 = new Base32();
                $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
                // The TOTP secret is derived from the password salt, so anyone
                // who can read ttrss_users.salt can also generate valid codes.
                $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
                $topt = new \OTPHP\TOTP($secret);
                // Only the current time step is accepted (now(), not verify()
                // with a drift window).
                $otp_check = $topt->now();
                if ($otp_enabled) {
                    if ($otp) {
                        // SECURITY(review): loose != compares numeric strings
                        // numerically ("0123456" passes for "123456") and is not
                        // constant-time; hash_equals() or === is the usual fix.
                        // OTP guesses are not rate-limited here.
                        if ($otp != $otp_check) {
                            return false;
                        }
                    } else {
                        // SECURITY(review): this interstitial is produced before
                        // the password has been checked, so a request with a
                        // known login reveals that the account exists and has
                        // OTP enabled. The submitted password is echoed into a
                        // hidden input so the second round-trip can replay it.
                        $return = urlencode($_REQUEST["return"]);
                        ?> <html> <head><title>Tiny Tiny RSS</title></head> <body> <form action="public.php?return=<?php echo $return; ?> " method="POST"> <input type="hidden" name="op" value="login"> <input type="hidden" name="login" value="<?php echo htmlspecialchars($login); ?> "> <input type="hidden" name="password" value="<?php echo htmlspecialchars($password); ?> "> <label><?php echo __("Please enter your one time password:"******"password" size="6" name="otp"/> <input type="submit" value="Continue"/> </form> <script type="text/javascript"> document.forms[0].otp.focus(); </script> <?php exit;
                    }
                }
            }
        }
    }
    // The candidate hash is interpolated into the WHERE clause and matched by
    // SQL string equality. This assumes encrypt_password() returns SQL-safe
    // (e.g. hex) output -- confirm.
    if (get_schema_version($this->link) > 87) {
        $result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'");
        if (db_num_rows($result) != 1) {
            return false;
        }
        $salt = db_fetch_result($result, 0, "salt");
        if ($salt == "") {
            // No per-user salt yet: try the unsalted and login-salted hashes.
            $query = "SELECT id\n\t FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
            // verify and upgrade password to new salt base
            $result = db_query($this->link, $query);
            if (db_num_rows($result) == 1) {
                // upgrade password to MODE2
                // get_random_bytes() is presumably the project's CSPRNG wrapper -- confirm
                $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
                $pwd_hash = encrypt_password($password, $salt, true);
                db_query($this->link, "UPDATE ttrss_users SET\n\t\t\t\t\t\tpwd_hash = '{$pwd_hash}', salt = '{$salt}' WHERE login = '******'");
                $query = "SELECT id\n\t\t FROM ttrss_users WHERE\n\t\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
            } else {
                return false;
            }
        } else {
            // Account already has a per-user salt: only the MODE2 hash is tried.
            $pwd_hash = encrypt_password($password, $salt, true);
            $query = "SELECT id\n\t\t FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
        }
    } else {
        $query = "SELECT id\n\t FROM ttrss_users WHERE\n\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
    }
    $result = db_query($this->link, $query);
    if (db_num_rows($result) == 1) {
        // NOTE(review): unlike the newer variant, a successful match here does
        // not rewrite the stored hash; only the empty-salt case above upgrades.
        return db_fetch_result($result, 0, "id");
    }
    return false;
}