From ad2085c603c0286d1885837752b6cdbb14462084 Mon Sep 17 00:00:00 2001
From: Daniel Seifert
Date: Fri, 19 Oct 2018 00:32:59 +0200
Subject: [PATCH] make compatible to TOTP library v0.9, save password for decoding the seed
---
 src/Application/Model/d3totp.php | 34 +++++++++++++++----
 .../blocks/d3totp_login_admin_login_form.tpl | 1 +
 .../Admin/d3_totp_LoginController.php | 10 ++++--
 .../Application/Model/d3_totp_user.php | 3 +-
 src/Modules/Core/d3_totp_utils.php | 2 +-
 src/metadata.php | 2 +-
 6 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/src/Application/Model/d3totp.php b/src/Application/Model/d3totp.php
index bb07148..3e4cfb3 100644
--- a/src/Application/Model/d3totp.php
+++ b/src/Application/Model/d3totp.php
@@ -27,6 +27,8 @@ use OxidEsales\Eshop\Core\Registry; class d3totp extends BaseModel { + const TOTP_SESSION_VARNAME = 'totp_auth'; + public $tableName = 'd3totp'; public $userId; public $totp;
@@ -89,6 +91,7 @@ class d3totp extends BaseModel public function getSavedSecret() { $secret = $this->getFieldData('seed'); + $sPwd = Registry::getSession()->getVariable('pwdTransmit'); if ($secret) { return $secret;
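Review bot: `$sPwd` is read from the session on the added line of getSavedSecret() but no visible line uses it; the method still returns the raw `seed` field as before. If the password is meant to decode the stored seed, as the commit title says, that step is not part of this hunk and the assignment is dead until it lands. Either drop the line or state the intent above it, e.g. `// seed is to be decoded with the password the login form put into session 'pwdTransmit'`. getSavedSecret() continues past the hunk, so a later use that I cannot see is possible.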
@@ -103,19 +106,38 @@ class d3totp extends BaseModel public function getTotp() { if (false == $this->totp) { - $this->totp = oxNew( - TOTP::class, - $this->getUser()->getFieldData('oxusername') + + if ($this->getTotpLibVersion() == 8) { // version 0.8 (< PHP 7.1) + $this->totp = oxNew( + TOTP::class, + $this->getUser()->getFieldData('oxusername') + ? $this->getUser()->getFieldData('oxusername') + : null, + $this->getSavedSecret() + ); + } else { // version 0.9 (>= PHP 7.1) + $this->totp = TOTP::create($this->getSavedSecret()); + $this->totp->setLabel($this->getUser()->getFieldData('oxusername') ? $this->getUser()->getFieldData('oxusername') - : null, - $this->getSavedSecret() - ); + : null + ); + } $this->totp->setIssuer(Registry::getConfig()->getActiveShop()->getFieldData('oxname')); } return $this->totp; } + /** + * @return int + */ + public function getTotpLibVersion() + { + return method_exists(TOTP::class, 'create') ? + 9 : + 8; + } + /** * @return string */
diff --git a/src/Application/views/admin/blocks/d3totp_login_admin_login_form.tpl b/src/Application/views/admin/blocks/d3totp_login_admin_login_form.tpl
index 498ceaf..b34a75c 100644
--- a/src/Application/views/admin/blocks/d3totp_login_admin_login_form.tpl
+++ b/src/Application/views/admin/blocks/d3totp_login_admin_login_form.tpl
@@ -1,4 +1,5 @@ [{if $request_totp}] + [{$oViewConf->getHiddenSid()}]
diff --git a/src/Modules/Application/Controller/Admin/d3_totp_LoginController.php b/src/Modules/Application/Controller/Admin/d3_totp_LoginController.php
index 7b8b5eb..a70bc99 100644
--- a/src/Modules/Application/Controller/Admin/d3_totp_LoginController.php
+++ b/src/Modules/Application/Controller/Admin/d3_totp_LoginController.php
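Review bot: In getTotp() the label `$this->getUser()->getFieldData('oxusername')` is evaluated four times across the two branches (once for the truthiness test and once for the value, in each branch), each time going through getUser() again. Hoisting it into one local before the version check shortens both branches and makes the only real 0.8/0.9 difference (constructor versus `TOTP::create()` + `setLabel()`) visible at a glance; `$this->getTotpLibVersion() == 8` can then be `===`, since the method returns an int. The `@return int` docblock on the new getTotpLibVersion() should also say what it sniffs, e.g. `* Returns 9 when the static TOTP::create() factory exists (otphp >= 0.9), else 8.` The setIssuer() call and the return are unchanged.
```php
    public function getTotp()
    {
        if (false == $this->totp) {
            $sLabel = $this->getUser()->getFieldData('oxusername') ?: null;

            if ($this->getTotpLibVersion() === 8) { // version 0.8 (< PHP 7.1)
                $this->totp = oxNew(TOTP::class, $sLabel, $this->getSavedSecret());
            } else { // version 0.9 (>= PHP 7.1)
                $this->totp = TOTP::create($this->getSavedSecret());
                $this->totp->setLabel($sLabel);
            }
            // … unchanged: setIssuer(), return $this->totp …
```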
@@ -39,7 +39,7 @@ class d3_totp_LoginController extends d3_totp_LoginController_parent if ($auth && $totp->UserUseTotp() - && false == Registry::getSession()->getVariable("totp_auth") + && false == Registry::getSession()->getVariable(d3totp::TOTP_SESSION_VARNAME) ) { // set auth as secured parameter; Registry::getSession()->setVariable("auth", $auth);
@@ -61,13 +61,17 @@ class d3_totp_LoginController extends d3_totp_LoginController_parent $totp = oxNew(d3totp::class); $totp->loadByUserId(Registry::getSession()->getVariable("auth")); + if (Registry::getRequest()->getRequestParameter('pwd')) { + Registry::getSession()->setVariable('pwdTransmit', Registry::getRequest()->getRequestParameter('pwd')); + } + $return = 'login'; try { if ($this->isNoTotpOrNoLogin($totp)) { $return = parent::checklogin(); } elseif ($this->hasValidTotp($sTotp, $totp)) { - Registry::getSession()->setVariable('totp_auth', $sTotp); + Registry::getSession()->setVariable(d3totp::TOTP_SESSION_VARNAME, $sTotp); $return = "admin_start"; } } catch (d3totp_wrongOtpException $oEx) {
@@ -95,7 +99,7 @@ class d3_totp_LoginController extends d3_totp_LoginController_parent
 */
 public function hasValidTotp($sTotp, $totp)
 {
- return Registry::getSession()->getVariable("totp_auth") ||
+ return Registry::getSession()->getVariable(d3totp::TOTP_SESSION_VARNAME) ||
 (
 $sTotp && $totp->verify($sTotp)
 );
diff --git a/src/Modules/Application/Model/d3_totp_user.php b/src/Modules/Application/Model/d3_totp_user.php
index 1e0c719..c59c53a 100644
--- a/src/Modules/Application/Model/d3_totp_user.php
+++ b/src/Modules/Application/Model/d3_totp_user.php
@@ -15,6 +15,7 @@ namespace D3\Totp\Modules\Application\Model; +use D3\Totp\Application\Model\d3totp; use OxidEsales\Eshop\Core\Registry; class d3_totp_user extends d3_totp_user_parent
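Review bot: The added block in the second hunk copies the raw `pwd` request parameter into the session as `pwdTransmit`, and nothing on the new side removes it again: the success branch only sets TOTP_SESSION_VARNAME, and the logout() hunk in d3_totp_user.php only deletes that same variable. The admin's plaintext password therefore stays at rest in the session store for the session's whole lifetime, well after the seed has been read. Assuming the password is only needed while this login request decodes the seed, it should be cleared as soon as the TOTP check has run, e.g. `Registry::getSession()->deleteVariable('pwdTransmit');` after the `hasValidTotp()` branch, and also in logout() next to the existing deleteVariable() call. The method this hunk belongs to (presumably checklogin(), since it delegates to parent::checklogin()) starts and ends outside the hunk, so a cleanup I cannot see may already exist.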
@@ -24,7 +25,7 @@ class d3_totp_user extends d3_totp_user_parent $return = parent::logout(); // deleting session info - Registry::getSession()->deleteVariable('totp_auth'); + Registry::getSession()->deleteVariable(d3totp::TOTP_SESSION_VARNAME); return $return; }
diff --git a/src/Modules/Core/d3_totp_utils.php b/src/Modules/Core/d3_totp_utils.php
index a7ba3dc..c0233e4 100644
--- a/src/Modules/Core/d3_totp_utils.php
+++ b/src/Modules/Core/d3_totp_utils.php
@@ -32,7 +32,7 @@ class d3_totp_utils extends d3_totp_utils_parent $blAuth = parent::checkAccessRights(); $userID = Registry::getSession()->getVariable("auth"); - $totpAuth = (bool) Registry::getSession()->getVariable("totp_auth"); + $totpAuth = (bool) Registry::getSession()->getVariable(d3totp::TOTP_SESSION_VARNAME); /** @var d3totp $totp */ $totp = oxNew(d3totp::class); $totp->loadByUserId($userID);
diff --git a/src/metadata.php b/src/metadata.php
index 88e8ef0..a1caa33 100644
--- a/src/metadata.php
+++ b/src/metadata.php
@@ -81,7 +81,7 @@ $aModule = [
 // `OXID` CHAR(32) NOT NULL,
 // `OXUSERID` CHAR(32) NOT NULL,
 // `USETOTP` TINYINT(1) NOT NULL DEFAULT '0',
-// `SEED` VARCHAR(100) NOT NULL DEFAULT '0',
+// `SEED` VARCHAR(125) NOT NULL DEFAULT '0',
 // PRIMARY KEY (`OXID`),
 // UNIQUE INDEX `Schl�ssel 2` (`OXUSERID`)
 //)