Pro-Idler/AccountHub
1
0
Fork 0
forked from Business/AccountHub
Code Issues Pull Requests Projects Releases Wiki Activity

Improve 2-factor auth enablement experience

Browse Source
This commit is contained in:
Skylar Ittner 2017-12-09 22:18:04 -07:00
parent 81658a47c5
commit 6bf1606997
5 changed files with 43 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
action.php
View File

@ -3,9 +3,10 @@
/** /**
* Make things happen when buttons are pressed and forms submitted. * Make things happen when buttons are pressed and forms submitted.
*/ */
require_once __DIR__ . "/required.php"; require_once __DIR__ . "/required.php";
use OTPHP\TOTP;
// If the user presses Sign Out but we're not logged in anymore, // If the user presses Sign Out but we're not logged in anymore,
// we don't want to show a nasty error. // we don't want to show a nasty error.
if ($VARS['action'] == 'signout' && $_SESSION['loggedin'] != true) { if ($VARS['action'] == 'signout' && $_SESSION['loggedin'] != true) {
@ -55,6 +56,10 @@ switch ($VARS['action']) {
if (is_empty($VARS['secret'])) { if (is_empty($VARS['secret'])) {
returnToSender("invalid_parameters"); returnToSender("invalid_parameters");
} }
$totp = new TOTP(null, $VARS['secret']);
if (!$totp->verify($VARS["totpcode"])) {
returnToSender("2fa_wrong_code");
}
$database->update('accounts', ['authsecret' => $VARS['secret']], ['uid' => $_SESSION['uid']]); $database->update('accounts', ['authsecret' => $VARS['secret']], ['uid' => $_SESSION['uid']]);
insertAuthLog(9, $_SESSION['uid']); insertAuthLog(9, $_SESSION['uid']);
returnToSender("2fa_enabled"); returnToSender("2fa_enabled");

17
apps/2fa_qrcode.php
View File

@ -1,17 +0,0 @@
<?php
dieifnotloggedin();
// extra login utils
require_once __DIR__ . "/../lib/login.php";
$APPS["setup_2fa"]["title"] = lang("setup 2fa", false);
$APPS["setup_2fa"]["icon"] = "lock";
if (userHasTOTP($_SESSION['username'])) {
$APPS["setup_2fa"]["content"] = '<a href="action.php?action=rm2fa&source=security" class="btn btn-warning">'
. lang("remove 2fa", false) . '</a>';
} else {
$APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("2fa explained", false) . '</div>'
. '<button class="btn btn-success">'
. lang("enable 2fa", false) . '</button>';
}

29
apps/setup_2fa.php
View File

@ -16,15 +16,26 @@ if (userHasTOTP($_SESSION['username'])) {
. lang("remove 2fa", false) . '</a>'; . lang("remove 2fa", false) . '</a>';
} else if ($_GET['2fa'] == "generate") { } else if ($_GET['2fa'] == "generate") {
$codeuri = newTOTP($_SESSION['username']); $codeuri = newTOTP($_SESSION['username']);
$userdata = $database->select('accounts', ['email', 'authsecret', 'realname'], ['username' => $_SESSION['username']])[0];
$label = SYSTEM_NAME . ":" . is_null($userdata['email']) ? $userdata['realname'] : $userdata['email'];
$issuer = SYSTEM_NAME;
$qrCode = new QrCode($codeuri); $qrCode = new QrCode($codeuri);
$qrCode->setSize(200); $qrCode->setSize(200);
$qrCode->setErrorCorrection("H"); $qrCode->setErrorCorrection("H");
$qrcode = $qrCode->getDataUri(); $qrcode = $qrCode->getDataUri();
$totp = Factory::loadFromProvisioningUri($codeuri); $totp = Factory::loadFromProvisioningUri($codeuri);
$codesecret = $totp->getSecret(); $codesecret = $totp->getSecret();
$chunk_secret = trim(chunk_split($codesecret, 8, ' ')); $chunk_secret = trim(chunk_split($codesecret, 4, ' '));
$lang_manualsetup = lang("manual setup", false);
$lang_secretkey = lang("secret key", false);
$lang_label = lang("label", false);
$lang_issuer = lang("issuer", false);
$lang_entercode = lang("enter otp code", false);
$APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("scan 2fa qrcode", false) . '</div>' . <<<END $APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("scan 2fa qrcode", false) . '</div>' . <<<END
<style nonce="$SECURE_NONCE"> <style nonce="$SECURE_NONCE">
.margintop-15px {
margin-top: 15px;
}
.mono-chunk { .mono-chunk {
text-align: center; text-align: center;
font-size: 110%; font-size: 110%;
@ -32,8 +43,9 @@ if (userHasTOTP($_SESSION['username'])) {
} }
</style> </style>
<img src="$qrcode" class="img-responsive qrcode" /> <img src="$qrcode" class="img-responsive qrcode" />
<div class="well well-sm mono-chunk">$chunk_secret</div> <form action="action.php" method="POST" class="margintop-15px">
<form action="action.php" method="POST"> <input type="text" name="totpcode" class="form-control" placeholder="$lang_entercode" minlength=6 maxlength=6 required />
<br />
<input type="hidden" name="action" value="add2fa" /> <input type="hidden" name="action" value="add2fa" />
<input type="hidden" name="source" value="security" /> <input type="hidden" name="source" value="security" />
<input type="hidden" name="secret" value="$codesecret" /> <input type="hidden" name="secret" value="$codesecret" />
@ -42,6 +54,17 @@ END
. lang("confirm 2fa", false) . <<<END . lang("confirm 2fa", false) . <<<END
</button> </button>
</form> </form>
<div class="panel panel-default margintop-15px">
<div class="panel-body">
<b>$lang_manualsetup</b>
<br /><label>$lang_secretkey:</label>
<div class="well well-sm mono-chunk">$chunk_secret</div>
<br /><label>$lang_label:</label>
<div class="well well-sm mono-chunk">$label</div>
<br /><label>$lang_issuer:</label>
<div class="well well-sm mono-chunk">$issuer</div>
</div>
</div>
END; END;
} else { } else {
$APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("2fa explained", false) . '</div>' $APPS["setup_2fa"]["content"] = '<div class="alert alert-info"><i class="fa fa-info-circle"></i> ' . lang("2fa explained", false) . '</div>'

9
lang/en_us.php
View File

@ -41,7 +41,8 @@ $STRINGS = [
"2fa enabled" => "2-factor authentication activated.", "2fa enabled" => "2-factor authentication activated.",
"remove 2fa" => "Disable 2-factor authentication", "remove 2fa" => "Disable 2-factor authentication",
"2fa explained" => "2-factor authentication adds more security to your " "2fa explained" => "2-factor authentication adds more security to your "
. "account. You'll need an app such as Google Authenticator on your " . "account. You can use the Auth Keys (key icon) feature of the Netsyms "
. "Business Mobile app, or another TOTP-enabled app (Authy, FreeOTP, etc) on your "
. "smartphone. When you have the app installed, you can enable 2-factor " . "smartphone. When you have the app installed, you can enable 2-factor "
. "authentication by clicking the button below and scanning a QR code with " . "authentication by clicking the button below and scanning a QR code with "
. "the app. Whenever you sign in in the future, you'll need to input a " . "the app. Whenever you sign in in the future, you'll need to input a "
@ -53,7 +54,7 @@ $STRINGS = [
. "security device, click the button below.", . "security device, click the button below.",
"enable 2fa" => "Enable 2-factor authentication", "enable 2fa" => "Enable 2-factor authentication",
"scan 2fa qrcode" => "Scan the QR Code with the authenticator app, or enter" "scan 2fa qrcode" => "Scan the QR Code with the authenticator app, or enter"
. " the secret key manually.", . " the information manually. Then type in the six-digit code the app gives you and press Finish Setup.",
"confirm 2fa" => "Finish setup", "confirm 2fa" => "Finish setup",
"invalid parameters" => "Invalid request parameters.", "invalid parameters" => "Invalid request parameters.",
"ldap server error" => "The LDAP server returned an error: {arg}", "ldap server error" => "The LDAP server returned an error: {arg}",
@ -86,4 +87,8 @@ $STRINGS = [
. "\r\n" . "\r\n"
. "\r\nThese notifications can be disabled by editing the user in " . "\r\nThese notifications can be disabled by editing the user in "
. "ManagePanel.", . "ManagePanel.",
"enter otp code" => "Enter 6-digit code",
"secret key" => "Secret key",
"label" => "Label",
"issuer" => "Issuer",
]; ];

4
lang/messages.php
View File

@ -25,6 +25,10 @@ define("MESSAGES", [
"string" => "2fa enabled", "string" => "2fa enabled",
"type" => "success" "type" => "success"
], ],
"2fa_wrong_code" => [
"string" => "2fa incorrect",
"type" => "danger"
],
"invalid_parameters" => [ "invalid_parameters" => [
"string" => "invalid parameters", "string" => "invalid parameters",
"type" => "danger" "type" => "danger"