/**
* Processes a user response from the {@link simpleid_openid_consent_form()} function.
*
* If the user verifies the relying party, an OpenID response will be sent to
* the relying party. Otherwise, the dashboard will be displayed to the user.
*
*/
function simpleid_openid_consent()
{
global $xtpl, $user, $version, $GETPOST;
if ($user == NULL) {
user_login_form('');
return;
}
if (!validate_form_token($GETPOST['tk'], 'rp')) {
set_message('SimpleID detected a potential security attack. Please try again.');
$xtpl->assign('title', 'OpenID Login');
$xtpl->parse('main');
$xtpl->out('main');
return;
}
$uid = $user['uid'];
$response = unpickle($GETPOST['s']);
$version = openid_get_version($response);
$return_to = $response['openid.return_to'];
if (!$return_to) {
$return_to = $GETPOST['openid.return_to'];
}
if ($GETPOST['op'] == 'Cancel') {
$response = simpleid_checkid_error(false);
if (!$return_to) {
set_message('Log in cancelled.');
}
} else {
$now = time();
$realm = $GETPOST['openid.realm'];
if (isset($user['rp'][$realm])) {
$rp = $user['rp'][$realm];
} else {
$rp = array('realm' => $realm, 'first_time' => $now);
}
$rp['last_time'] = $now;
$rp['auto_release'] = isset($GETPOST['autorelease']) && $GETPOST['autorelease'] ? 1 : 0;
extension_invoke_all('consent', $GETPOST, $response, $rp);
$user['rp'][$realm] = $rp;
user_save($user);
$response = simpleid_sign($response, isset($response['openid.assoc_handle']) ? $response['openid.assoc_handle'] : NULL);
if (!$return_to) {
set_message('You were logged in successfully.');
}
}
if ($return_to) {
simpleid_assertion_response($response, $return_to);
} else {
page_dashboard();
}
}
/**
* Displays the page used to set up login verification using one-time
* passwords.
*/
public function setup()
{
$auth = AuthManager::instance();
$store = StoreManager::instance();
$user = $auth->getUser();
$tpl = new \Template();
$token = new SecurityToken();
// Require HTTPS, redirect if necessary
$this->checkHttps('redirect', true);
if (!$auth->isLoggedIn()) {
$this->f3->reroute('/my/dashboard');
return;
}
if ($this->f3->get('POST.op') == $this->t('Disable')) {
if ($this->f3->exists('POST.tk') === false || !$token->verify($this->f3->get('POST.tk'), 'otp')) {
$this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.'));
$this->f3->mock('GET /my/dashboard');
return;
}
if (isset($user['otp'])) {
unset($user['otp']);
$store->saveUser($user);
}
$this->f3->set('message', $this->t('Login verification has been disabled.'));
$this->f3->mock('GET /my/dashboard');
return;
} elseif ($this->f3->get('POST.op') == $this->t('Verify')) {
$params = $token->getPayload($this->f3->get('POST.otp_params'));
$this->f3->set('otp_params', $this->f3->get('POST.otp_params'));
if ($this->f3->exists('POST.tk') === false || !$token->verify($this->f3->get('POST.tk'), 'otp')) {
$this->f3->set('message', $this->t('SimpleID detected a potential security attack. Please try again.'));
page_dashboard();
return;
} elseif ($this->f3->exists('POST.otp') === false || $this->f3->get('POST.otp') == '') {
$this->f3->set('message', $this->t('You need to enter the verification code to complete enabling login verification.'));
} elseif ($this->verifyOTP($params, $this->f3->get('POST.otp'), 10) === false) {
$this->f3->set('message', $this->t('The verification code is not correct.'));
} else {
$user['otp'] = $params;
$store->saveUser($user);
$this->f3->set('message', $this->t('Login verification has been enabled.'));
$this->f3->mock('GET /my/dashboard');
return;
}
} else {
$rand = new Random();
$params = array('type' => 'totp', 'secret' => $rand->bytes(10), 'algorithm' => 'sha1', 'digits' => 6, 'period' => 30, 'drift' => 0, 'remember' => array());
$this->f3->set('otp_params', $token->generate($params, SecurityToken::OPTION_BIND_SESSION));
}
$secret = new BigNum($params['secret'], 256);
$code = strtr($secret->val(32), '0123456789abcdefghijklmnopqrstuv', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567');
$code = str_repeat('A', 16 - strlen($code)) . $code;
for ($i = 0; $i < strlen($code); $i += 4) {
$this->f3->set('secret' . ($i + 1), substr($code, $i, 4));
}
$url = 'otpauth://totp/SimpleID?secret=' . $code . '&digits=' . $params['digits'] . '&period=' . $params['period'];
$this->f3->set('qr', addslashes($url));
$this->f3->set('about_otp', $this->t('Login verification adds an extra layer of protection to your account. When enabled, you will need to enter an additional security code whenever you log into SimpleID.'));
$this->f3->set('otp_warning', $this->t('<strong>WARNING:</strong> If you enable login verification and lose your authenticator app, you will need to <a href="!url">edit your identity file manually</a> before you can log in again.', array('!url' => 'http://simpleid.koinic.net/docs/2/common_problems/#otp')));
$this->f3->set('setup_otp', $this->t('To set up login verification, following these steps.'));
$this->f3->set('download_app', $this->t('Download an authenticator app that supports TOTP for your smartphone, such as Google Authenticator.'));
$this->f3->set('add_account', $this->t('Add your SimpleID account to authenticator app using this key. If you are viewing this page on your smartphone you can use <a href="!url">this link</a> or scan the QR code to add your account.', array('!url' => $url)));
$this->f3->set('verify_code', $this->t('To check that your account has been added properly, enter the verification code from your phone into the box below, and click Verify.'));
$this->f3->set('tk', $token->generate('otp', SecurityToken::OPTION_BIND_SESSION));
$this->f3->set('otp_label', $this->t('Verification code:'));
$this->f3->set('submit_button', $this->t('Verify'));
$this->f3->set('page_class', 'dialog-page');
$this->f3->set('title', $this->t('Login Verification'));
$this->f3->set('framekiller', true);
$this->f3->set('layout', 'auth_otp_setup.html');
print $tpl->render('page.html');
}