
Génération aléatoire du secret OTP

Il reste à rendre ça beau...
Christophe HENRY 4 years ago
parent
commit
d2fa4742c7
7 changed files with 28 additions and 23 deletions
  1. 2 2
      User.class.php
  2. 1 1
      action.php
  3. 2 16
      otTest.php
  4. 3 0
      qrcode.php
  5. 1 0
      templates/marigolds/css/style.css
  6. 13 0
      templates/marigolds/js/script.js
  7. 6 4
      templates/marigolds/settings.html

+ 2 - 2
User.class.php

@@ -127,11 +127,11 @@ class User extends MysqlEntity{
         $this->password = User::encrypt($password,$salt);
     }
 
-    function getOtpSeed(){
+    function getOtpSecret(){
         return $this->otpSecret;
     }
 
-    function setOtpSeed($otpSecret){
+    function setOtpSecret($otpSecret){
         return $this->otpSecret = $otpSecret;
     }
 

+ 1 - 1
action.php

@@ -143,7 +143,7 @@ switch ($action){
             if ($myUser->isOtpSecretValid($otpSecret)) {
                 $userManager->change(array('login'=>$_['login'], 'otpSecret'=>$otpSecret),array('id'=>$myUser->getId()));
                 $myUser->setLogin($_['login']);
-                $myUser->setOtpSeed($otpSecret);
+                $myUser->setOtpSecret($otpSecret);
                 $_SESSION['currentUser'] = serialize($myUser);
             }
 

+ 2 - 16
otTest.php

@@ -11,25 +11,11 @@ require_once dirname(__FILE__).'/otphp/lib/otphp.php';
 # d'un coup. Idéal à placer sur la gestion du compte pour activer l'OTP sans se
 # soucier du secret.
 
-$pass = '42432526';
-$pass = 'abcdefgh';
-$pass = 'abcdefgh23456';
-$pass = 'abcdeijrgfoaefgh23456';
-$pass = "yiemah3ShulaeXaichae";
-$pass = "yiemah3shulaexaichae";
-
-$pass = "yiemah3shul";
+$pass = $argv[1];
 $totp1 = new \OTPHP\TOTP($pass, array('interval'=>30, 'digits'=>8, 'digest'=>'sha1'));
-$totp2 = new \OTPHP\TOTP(strtoupper($pass), array('interval'=>30, 'digits'=>8, 'digest'=>'sha1'));
 
 
 while( True ){
-    echo "1 ", str_pad($totp1->now(), $totp1->digits, '0', STR_PAD_LEFT)."\n";
-    echo "2 ", str_pad($totp2->now(), $totp2->digits, '0', STR_PAD_LEFT)."\n";
+    echo str_pad($totp1->now(), $totp1->digits, '0', STR_PAD_LEFT)."\n";
     sleep(1);
 }
-
-// OTP verified for current time
-// $totp->verify(492039); // => true
-// //30s later
-// $totp->verify(492039); // => false

+ 3 - 0
qrcode.php

@@ -9,6 +9,9 @@ $methode = array_keys($_REQUEST)[0];
 switch($methode) {
     case 'qr': # qrcode.php?qr&label=A&user=B&key=C
         Functions::chargeVarRequest('label', 'user', 'key', 'issuer', 'algorithm', 'digits', 'period');
+        if (empty($key)) {
+            $key = "*****";
+        }
         $qrCode = "otpauth://totp/{$label}:{$user}?secret={$key}";
         foreach (array('issuer', 'algorithm', 'digits', 'period') as $champ)
             if (!empty(${$champ}))

+ 1 - 0
templates/marigolds/css/style.css

@@ -192,6 +192,7 @@ body{ font:16px/26px 'Open Sans',Helvetica, Helvetica Neue, Arial; }
 .icon-progress-1:before { content: '\e81b'; } /* '' */
 .icon-progress-2:before { content: '\e81c'; } /* '' */
 .icon-folder-empty:before { content: '\e817'; } /* '' */
+.icon-random-otp:before { content: '\e802'; } /* '' */
 
 
 /* ===================

+ 13 - 0
templates/marigolds/js/script.js

@@ -946,3 +946,16 @@ function markAllAsRead(el, type) {
         window.location = 'action.php?action=' + action + '=' + infoLink.data('id');
     }
 }
+
+function randomOtpSecret(otpSecretInput) {
+    base32chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+    secretLength = 16;
+    otpSecret = '';
+    for (i=0;i<secretLength;i++) {
+        otpSecret = otpSecret + base32chars[Math.floor(Math.random()*base32chars.length)];
+    }
+    //DEBUG: ajout du secret dans le label, donc visible !
+    url = $('#qrCodeOtp').attr("src").replace(/key=[a-zA-Z2-7]*/, 'key='+otpSecret).replace(/label=[a-zA-Z2-7]*/, 'label='+otpSecret);
+    $('#qrCodeOtp').attr("src", url);
+    $(otpSecretInput).val(otpSecret);
+}

+ 6 - 4
templates/marigolds/settings.html

@@ -172,15 +172,17 @@
                         <h3>{function="_t('USER')"}</h3>
                         <p><label for="login">{function="_t('LOGIN')"} :</label> <input type="text" id="login" name="login" value="{$myUser->getLogin()}"></p>
                         <p><label for="password">{function="_t('PASSWORD')"} :</label> <input type="text" id="password" name="password" autocomplete="off" value="" placeholder="{function="_t('INSTALL_DISPLAY_CLEAR')"}"></p>
-                        <h4>{function="_t('LET_EMPTY_IF_NO_PASS_CHANGE')"}</h4>
-                        <h4>{function="_t('HOWTO_RESET_PASSWORD')"}</h4>
+                        <p>{function="_t('LET_EMPTY_IF_NO_PASS_CHANGE')"}<br/>
+                        {function="_t('HOWTO_RESET_PASSWORD')"}</p>
                         <fieldset>
-                            <img src="../../qrcode.php?qr&label={$serviceUrl}&user={$myUser->getLogin()}&key={$myUser->getOtpSeed()}&issuer={$serviceUrl}&algorithm=sha1&digits=8&period=30&_qrSize=4&_qrMargin=1" style='float:left;margin:0em 1em 1em 0em'/>
+                            <!-- <img id="qrCodeOtp" src="../../qrcode.php?qr&label={$serviceUrl}&user={$myUser->getLogin()}&key={$myUser->getOtpSecret()}&issuer={$serviceUrl}&algorithm=sha1&digits=8&period=30&_qrSize=4&_qrMargin=1" style='float:left;margin:0em 1em 1em 0em'/> -->
+                            <img id="qrCodeOtp" src="../../qrcode.php?qr&label={$myUser->getOtpSecret()}&user=DEBUG%20{$myUser->getLogin()}&key={$myUser->getOtpSecret()}&issuer={$serviceUrl}&algorithm=sha1&digits=8&period=30&_qrSize=4&_qrMargin=1" style='float:left;margin:0em 1em 1em 0em'/>
                             <legend>{function="_t('OTP_SETTINGS')"}</legend>
                             <input type="radio" {if="$otpEnabled"} checked="checked" {/if} value="1" id="otpEnabledYes" name="otpEnabled" /><label for="otpEnabledYes">{function="_t('YES')"}</label>
                             <input type="radio" {if="!$otpEnabled"} checked="checked" {/if} value="0" id="otpEnabledNo" name="otpEnabled" /><label for="otpEnabledNo">{function="_t('NO')"}</label>
                             <p>{function="_t('OTP_SETTINGS_DESC')"}{$myUser->getOtpKey()}.</p>
-                        <p><label for="otpSecret">{function="_t('OTP_SECRET')"} :</label> <input type="text" id="otpSecret" name="otpSecret" autocomplete="off" placeholder="{function="_t('OTP_DISABLED_EMPTY')"}" value="{$myUser->getOtpSeed()}">
+                        <p><label for="otpSecret">{function="_t('OTP_SECRET')"} :</label> <input type="text" id="otpSecret" name="otpSecret" autocomplete="off" placeholder="{function="_t('OTP_DISABLED_EMPTY')"}" value="{$myUser->getOtpSecret()}">
+                        <i class="icon-random-otp" onclick="randomOtpSecret('#otpSecret')" style="cursor:pointer" title="Random OTP secret"></i>
                         </p>
                         </fieldset>
                     </section>
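Review bot: The new `<img id="qrCodeOtp">` line puts the OTP secret itself into the otpauth `label` and prefixes the account with `DEBUG%20`, while the original tag is kept as an HTML comment; the label is what the authenticator app displays as the account name, and the commented tag is still sent to the browser, so this is a temporary state that should be reverted (restore the commented line, delete the comment) before merging. The `label=[a-zA-Z2-7]*` regex in `randomOtpSecret` only matches a base32-looking label, which is presumably why the label was swapped for the secret here; once `{$serviceUrl}` is back that replacement silently does nothing and can be dropped. The new `<i>` uses a literal `title="Random OTP secret"` where every other user-facing string on the page goes through `_t(...)`; `title="{function="_t('OTP_RANDOM_SECRET')"}"` would keep it translatable.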