Пример #1
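 /**
  * Start (or continue) TOTP enrolment for the current session.
  *
  * A secret is generated once per session and kept in session2FA, so the
  * same value is shown on the initial GET (secret / QR display) and checked
  * on the confirming POST. On POST the submitted code is verified against
  * that secret and the boolean result is handed to the view; previously the
  * result was var_dump()ed straight into the response, which is debug output
  * that must not reach production.
  *
  * NOTE(review): nothing here persists the secret to the user record or
  * marks 2FA as enabled once the code verifies — presumably a later step
  * does; confirm. random_bytes(256) is also far above the 160-bit RFC 4226
  * recommendation and yields a ~410-character base32 secret (a very dense
  * QR code); left unchanged because the session-stored value is visible to
  * callers, but 20 bytes would be the conventional size.
  *
  * @return ViewModel  'secretCode' => base32 secret;
  *                    'verified'   => null (no POST) or bool (code result)
  */
 public function tfaEnableAction()
 {
     if (!$this->session2FA->secretCode) {
         // random_bytes() is a CSPRNG; base32 so the secret can be typed
         // into or scanned by an authenticator app.
         $this->session2FA->secretCode = Base32::encode(random_bytes(256));
     }
     $totp = new \OTPHP\TOTP('Zource', $this->session2FA->secretCode);

     // null until a code is submitted, true/false afterwards.
     $verified = null;
     if ($this->getRequest()->isPost()) {
         $code = (string) $this->getRequest()->getPost('code');
         // Was var_dump(): debug output must not leak into the response.
         $verified = (bool) $totp->verify($code);
     }

     return new ViewModel([
         'secretCode' => $this->session2FA->secretCode,
         'verified'   => $verified,
     ]);
 }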
Пример #2
 /**
  * The provisioning URI must be an otpauth://totp/<label>?secret=<base32>
  * link that an authenticator app can import for the given label.
  */
 public function test_it_returns_the_provisioning_uri()
 {
     $secret = 'JDDK4U6G3BJLEZ7Y';
     $label = 'name';
     $generator = new \OTPHP\TOTP($secret);

     $expected = "otpauth://totp/name?secret=JDDK4U6G3BJLEZ7Y";
     $actual = $generator->provisioning_uri($label);

     $this->assertEquals($expected, $actual);
 }
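 /**
  * Enable TOTP for the logged-in user. Prints "OK" on success or
  * "ERROR:<message>" on failure (AJAX-style handler).
  *
  * The user must re-enter the account password and a current code from the
  * authenticator app. No separate secret is stored: it is derived from the
  * user's password salt as base32(sha1(salt)), the same derivation used by
  * the login path and the QR-code handler.
  *
  * Only the current time step is accepted (now()), i.e. no clock-drift
  * tolerance.
  *
  * NOTE(review): if `salt` is empty the derived secret is base32(sha1("")),
  * a public constant — confirm a salt is always populated before a user can
  * reach this action.
  *
  * Reads $_REQUEST["password"], $_REQUEST["otp"], $_SESSION["uid"],
  * $_SESSION["auth_module"]. Writes ttrss_users.otp_enabled.
  */
 function otpenable()
 {
     require_once "lib/otphp/vendor/base32.php";
     require_once "lib/otphp/lib/otp.php";
     require_once "lib/otphp/lib/totp.php";

     $password = isset($_REQUEST["password"]) ? $_REQUEST["password"] : "";
     $otp = isset($_REQUEST["otp"]) ? $_REQUEST["otp"] : "";
     // The session uid is server-controlled, but it is interpolated into
     // SQL below; cast so a non-numeric value can never reach the query.
     $uid = (int) $_SESSION["uid"];

     $authenticator = PluginHost::getInstance()->get_plugin($_SESSION["auth_module"]);
     if (!$authenticator->check_password($_SESSION["uid"], $password)) {
         print "ERROR:" . __("Incorrect password");
         return;
     }

     $result = $this->dbh->query("SELECT salt\n\t\t\t\tFROM ttrss_users\n\t\t\t\tWHERE id = " . $uid);
     $base32 = new Base32();
     $secret = $base32->encode(sha1($this->dbh->fetch_result($result, 0, "salt")));
     $topt = new \OTPHP\TOTP($secret);
     $otp_check = $topt->now();

     // Strict, constant-time comparison. The previous `==` compared two
     // numeric strings numerically, so e.g. "0" matched "000000" and "1e5"
     // matched "100000".
     if (hash_equals((string) $otp_check, (string) $otp)) {
         $this->dbh->query("UPDATE ttrss_users SET otp_enabled = true WHERE\n\t\t\t\t\tid = " . $uid);
         print "OK";
     } else {
         print "ERROR:" . __("Incorrect one time password");
     }
 }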
Пример #4
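    /**
     * Authenticate a login/password pair, enforcing TOTP when the account has
     * it enabled. Returns the user id on success, false otherwise.
     *
     * Flow:
     *  1. (schema > 96, unless AUTH_DISABLE_OTP) look up otp_enabled/salt for
     *     the login. If OTP is enabled and no code was posted, render the OTP
     *     form (re-posting login/password as hidden fields) and exit; if a
     *     code was posted and does not match the current time step, fail.
     *  2. Verify against a password_hash()-style pwd_hash (password_verify).
     *  3. Fall back to the legacy MODE1/MODE2 hashes, upgrading the stored
     *     hash to the password_hash() form on success.
     *
     * The TOTP secret is derived as base32(sha1(salt)) from the password
     * salt, matching otpenable()/otpqrcode(). NOTE(review): an empty salt
     * makes that secret the public constant base32(sha1("")) — confirm the
     * salt is always populated before OTP can be enabled.
     *
     * NOTE(review): the OTP prompt is rendered and exit is called *before*
     * the password is checked, so whether an account has OTP enabled is
     * observable without valid credentials; the cleartext password is also
     * round-tripped through a hidden form field. Both are pre-existing
     * design choices left unchanged here.
     *
     * Reads $_REQUEST["otp"], $_REQUEST["return"], $_POST["bw_limit"],
     * $_POST["remember_me"], $_POST["profile"].
     *
     * @param string $login
     * @param string $password
     * @return int|string|false user id on success, false on failure
     */
    function authenticate($login, $password)
    {
        $pwd_hash0 = hash_password($password);
        $pwd_hash1 = encrypt_password($password);
        $pwd_hash2 = encrypt_password($password, $login);
        $login = db_escape_string($login);
        // The code is never used in SQL, but escaping is kept for parity
        // with the previous behaviour (digits are unaffected by it).
        $otp = db_escape_string(isset($_REQUEST["otp"]) ? $_REQUEST["otp"] : "");
        if (get_schema_version() > 96) {
            if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
                $result = db_query("SELECT otp_enabled,salt FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******'");
                if (db_num_rows($result) > 0) {
                    require_once "lib/otphp/vendor/base32.php";
                    require_once "lib/otphp/lib/otp.php";
                    require_once "lib/otphp/lib/totp.php";
                    $base32 = new Base32();
                    $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
                    $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
                    $topt = new \OTPHP\TOTP($secret);
                    // Only the current time step is accepted (no drift window).
                    $otp_check = $topt->now();
                    if ($otp_enabled) {
                        if ($otp) {
                            // Strict, constant-time comparison. The previous
                            // `!=` compared numeric strings numerically, so
                            // "0" matched "000000" and "1e5" matched "100000".
                            if (!hash_equals((string) $otp_check, (string) $otp)) {
                                return false;
                            }
                        } else {
                            // urlencode() output is attribute-safe, so it is
                            // echoed into the action URL without further escaping.
                            $return = urlencode(isset($_REQUEST["return"]) ? $_REQUEST["return"] : "");
                            ?>
<html>
								<head><title>Tiny Tiny RSS</title></head>
								<?php 
                            echo stylesheet_tag("css/utility.css");
                            ?>
							<body class="otp"><div class="content">
							<form action="public.php?return=<?php 
                            echo $return;
                            ?>
"
									method="POST" class="otpform">
								<input type="hidden" name="op" value="login">
								<input type="hidden" name="login" value="<?php 
                            echo htmlspecialchars($login);
                            ?>
">
								<input type="hidden" name="password" value="<?php 
                            echo htmlspecialchars($password);
                            ?>
">
								<input type="hidden" name="bw_limit" value="<?php 
                            echo htmlspecialchars(isset($_POST["bw_limit"]) ? $_POST["bw_limit"] : "");
                            ?>
">
								<input type="hidden" name="remember_me" value="<?php 
                            echo htmlspecialchars(isset($_POST["remember_me"]) ? $_POST["remember_me"] : "");
                            ?>
">
								<input type="hidden" name="profile" value="<?php 
                            echo htmlspecialchars(isset($_POST["profile"]) ? $_POST["profile"] : "");
                            ?>
">

								<label><?php 
                            echo __("Please enter your one time password:"******"off" size="6" name="otp" value=""/>
								<input type="submit" value="Continue"/>
							</form></div>
							<script type="text/javascript">
								document.forms[0].otp.focus();
							</script>
							<?php 
                            exit;
                        }
                    }
                }
            }
        }
        // Preferred path: password_hash()-style hash in pwd_hash.
        $result = db_query("SELECT id,pwd_hash FROM ttrss_users WHERE\n\t\t\tlogin = '******'");
        if (db_num_rows($result) === 1) {
            if (version_compare(PHP_VERSION, '5.5.0', '<')) {
                require_once 'vendor/ircmaxell/password-compat/lib/password.php';
            }
            $pwd_hash_dp = db_fetch_result($result, 0, "pwd_hash");
            if (password_verify($password, $pwd_hash_dp)) {
                return db_fetch_result($result, 0, "id");
            }
        }
        // Legacy paths: MODE1 (unsalted/login-salted) and MODE2 (random salt).
        if (get_schema_version() > 87) {
            $result = db_query("SELECT salt FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'");
            if (db_num_rows($result) !== 1) {
                return false;
            }
            $salt = db_fetch_result($result, 0, "salt");
            if ($salt == "") {
                $query = "SELECT id\n\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
                // verify and upgrade password to new salt base
                $result = db_query($query);
                if (db_num_rows($result) === 1) {
                    // upgrade password to MODE2
                    $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
                    $pwd_hash = encrypt_password($password, $salt, true);
                    db_query("UPDATE ttrss_users SET\n\t\t\t\t\t\tpwd_hash = '{$pwd_hash}', salt = '{$salt}' WHERE login = '******'");
                    $query = "SELECT id\n\t\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
                } else {
                    return false;
                }
            } else {
                $pwd_hash = encrypt_password($password, $salt, true);
                $query = "SELECT id\n\t\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
            }
        } else {
            $query = "SELECT id\n\t\t\t\tFROM ttrss_users WHERE\n\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
        }
        $result = db_query($query);
        if (db_num_rows($result) === 1) {
            // Authentication was successful, but the hash in the database
            // is not secure. We need to update it.
            db_query("UPDATE ttrss_users SET\n\t\t\t\tpwd_hash = '{$pwd_hash0}' WHERE login = '******'");
            return db_fetch_result($result, 0, "id");
        }
        return false;
    }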
 /**
  * Text the user's current TOTP code to their registered number (via the
  * textUser() helper, which the header comment attributes to Twilio).
  *
  * Returns true once the message has been handed off and false if loading
  * the OTP configuration or sending raised an Exception (the exception is
  * swallowed). NOTE(review): the message promises a 30-second validity, but
  * the code is generated before transit, so the remaining window at
  * delivery is shorter — confirm the period/drift handling on the
  * verifying side.
  *
  * @return bool
  * @throws Exception if the user does not have 2FA enabled
  */
 public function sendTOTPText()
 {
     if (!$this->has2FA()) {
         throw new Exception('User does not have TOTP enabled to send a text!');
     }

     try {
         self::doLoadOTP();
         $generator = new OTPHP\TOTP($this->getSecret());
         $generator->setDigest($this->getDigest());

         $body = sprintf(
             'Your authentication code for %s is: %s . It is valid for 30 seconds.',
             $this->getSiteName(),
             $generator->now()
         );
         $this->textUser($body);

         return true;
     } catch (Exception $e) {
         return false;
     }
 }
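    /**
     * Authenticate a login/password pair, enforcing TOTP when the account has
     * it enabled. Returns the user id on success, false otherwise.
     *
     * Flow:
     *  1. (schema > 96, unless AUTH_DISABLE_OTP) look up otp_enabled/salt for
     *     the login. If OTP is enabled and no code was posted, render the OTP
     *     form (re-posting login/password as hidden fields) and exit; if a
     *     code was posted and does not match the current time step, fail.
     *  2. Check the legacy MODE1 (unsalted/login-salted) or MODE2 (random
     *     salt) hash, upgrading MODE1 users to MODE2 on success.
     *
     * The TOTP secret is derived as base32(sha1(salt)) from the password
     * salt, matching otpenable()/otpqrcode(). NOTE(review): an empty salt
     * makes that secret the public constant base32(sha1("")) — confirm the
     * salt is always populated before OTP can be enabled.
     *
     * NOTE(review): the OTP prompt is rendered and exit is called *before*
     * the password is checked, so whether an account has OTP enabled is
     * observable without valid credentials; the cleartext password is also
     * round-tripped through a hidden form field. Both are pre-existing
     * design choices left unchanged here.
     *
     * Reads $_REQUEST["otp"] and $_REQUEST["return"].
     *
     * @param string $login
     * @param string $password
     * @return int|string|false user id on success, false on failure
     */
    function authenticate($login, $password)
    {
        $pwd_hash1 = encrypt_password($password);
        $pwd_hash2 = encrypt_password($password, $login);
        $login = db_escape_string($login);
        // The code is never used in SQL, but escaping is kept for parity
        // with the previous behaviour (digits are unaffected by it).
        $otp = db_escape_string(isset($_REQUEST["otp"]) ? $_REQUEST["otp"] : "");
        if (get_schema_version($this->link) > 96) {
            if (!defined('AUTH_DISABLE_OTP') || !AUTH_DISABLE_OTP) {
                $result = db_query($this->link, "SELECT otp_enabled,salt FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******'");
                if (db_num_rows($result) > 0) {
                    require_once "lib/otphp/vendor/base32.php";
                    require_once "lib/otphp/lib/otp.php";
                    require_once "lib/otphp/lib/totp.php";
                    $base32 = new Base32();
                    $otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
                    $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
                    $topt = new \OTPHP\TOTP($secret);
                    // Only the current time step is accepted (no drift window).
                    $otp_check = $topt->now();
                    if ($otp_enabled) {
                        if ($otp) {
                            // Strict, constant-time comparison. The previous
                            // `!=` compared numeric strings numerically, so
                            // "0" matched "000000" and "1e5" matched "100000".
                            if (!hash_equals((string) $otp_check, (string) $otp)) {
                                return false;
                            }
                        } else {
                            // urlencode() output is attribute-safe, so it is
                            // echoed into the action URL without further escaping.
                            $return = urlencode(isset($_REQUEST["return"]) ? $_REQUEST["return"] : "");
                            ?>
<html>
								<head><title>Tiny Tiny RSS</title></head>
							<body>
							<form action="public.php?return=<?php 
                            echo $return;
                            ?>
"
									method="POST">
								<input type="hidden" name="op" value="login">
								<input type="hidden" name="login" value="<?php 
                            echo htmlspecialchars($login);
                            ?>
">
								<input type="hidden" name="password" value="<?php 
                            echo htmlspecialchars($password);
                            ?>
">

								<label><?php 
                            echo __("Please enter your one time password:"******"password" size="6" name="otp"/>
								<input type="submit" value="Continue"/>
							</form>
							<script type="text/javascript">
								document.forms[0].otp.focus();
							</script>
							<?php 
                            exit;
                        }
                    }
                }
            }
        }
        if (get_schema_version($this->link) > 87) {
            $result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE\n\t\t\t\tlogin = '******'");
            if (db_num_rows($result) != 1) {
                return false;
            }
            $salt = db_fetch_result($result, 0, "salt");
            if ($salt == "") {
                $query = "SELECT id\n\t            FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
                // verify and upgrade password to new salt base
                $result = db_query($this->link, $query);
                if (db_num_rows($result) == 1) {
                    // upgrade password to MODE2
                    $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
                    $pwd_hash = encrypt_password($password, $salt, true);
                    db_query($this->link, "UPDATE ttrss_users SET\n\t\t\t\t\t\tpwd_hash = '{$pwd_hash}', salt = '{$salt}' WHERE login = '******'");
                    $query = "SELECT id\n\t\t            FROM ttrss_users WHERE\n\t\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
                } else {
                    return false;
                }
            } else {
                $pwd_hash = encrypt_password($password, $salt, true);
                $query = "SELECT id\n\t\t         FROM ttrss_users WHERE\n\t\t\t\t\tlogin = '******' AND pwd_hash = '{$pwd_hash}'";
            }
        } else {
            $query = "SELECT id\n\t         FROM ttrss_users WHERE\n\t\t\t\tlogin = '******' AND (pwd_hash = '{$pwd_hash1}' OR\n\t\t\t\t\tpwd_hash = '{$pwd_hash2}')";
        }
        $result = db_query($this->link, $query);
        if (db_num_rows($result) == 1) {
            return db_fetch_result($result, 0, "id");
        }
        return false;
    }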
 /**
  * Emit a PNG QR code carrying the otpauth:// provisioning URI for the
  * logged-in user, so an authenticator app can be enrolled.
  *
  * Nothing is printed once OTP is already enabled, so the secret is not
  * re-displayed after enrolment. The secret is derived as
  * base32(sha1(salt)) from the user's password salt, matching the login
  * path and otpenable().
  *
  * NOTE(review): $_SESSION["uid"] is interpolated into the query unquoted;
  * it is server-side session state, but an (int) cast would make that
  * explicit. With an empty salt the secret is the public constant
  * base32(sha1("")) — confirm the salt is always populated first.
  */
 function otpqrcode()
 {
     require_once "lib/otphp/vendor/base32.php";
     require_once "lib/otphp/lib/otp.php";
     require_once "lib/otphp/lib/totp.php";
     require_once "lib/phpqrcode/phpqrcode.php";

     $row = db_query($this->link, "SELECT login,salt,otp_enabled\n\t\t\tFROM ttrss_users\n\t\t\tWHERE id = " . $_SESSION["uid"]);
     $login = db_fetch_result($row, 0, "login");
     $alreadyEnabled = sql_bool_to_bool(db_fetch_result($row, 0, "otp_enabled"));
     if ($alreadyEnabled) {
         return;
     }

     $encoder = new Base32();
     $secret = $encoder->encode(sha1(db_fetch_result($row, 0, "salt")));
     $generator = new \OTPHP\TOTP($secret);
     print QRcode::png($generator->provisioning_uri($login));
 }