From: Andrew Dolgov Date: Tue, 16 Apr 2013 17:07:26 +0000 (+0400) Subject: require entering current one time code to enable otp X-Git-Tag: 1.7.9~25^2~192 X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=9deca86d96ba34253f05a4c5d5f1e48c543062be;p=tt-rss.git require entering current one time code to enable otp --- diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php index c6d41c15..dcd83ae2 100644 --- a/classes/pref/prefs.php +++ b/classes/pref/prefs.php @@ -399,8 +399,8 @@ class Pref_Prefs extends Handler_Protected { parameters: dojo.objectToQuery(this.getValues()), onComplete: function(transport) { notify(''); - if (transport.responseText.indexOf('ERROR: ') == 0) { - notify_error(transport.responseText.replace('ERROR: ', '')); + if (transport.responseText.indexOf('ERROR:') == 0) { + notify_error(transport.responseText.replace('ERROR:', '')); } else { window.location.reload(); } @@ -416,11 +416,13 @@ class Pref_Prefs extends Handler_Protected { print ""; - print ""; + print "".__("Enter the generated one time password").""; + + print ""; - print " "; - print ""; + print ""; print ""; @@ -957,22 +959,39 @@ class Pref_Prefs extends Handler_Protected { } function otpenable() { - $password = db_escape_string($this->link, $_REQUEST["password"]); - $enable_otp = $_REQUEST["enable_otp"] == "on"; + require_once "lib/otphp/vendor/base32.php"; + require_once "lib/otphp/lib/otp.php"; + require_once "lib/otphp/lib/totp.php"; + + $password = $_REQUEST["password"]; + $otp = $_REQUEST["otp"]; global $pluginhost; $authenticator = $pluginhost->get_plugin($_SESSION["auth_module"]); if ($authenticator->check_password($_SESSION["uid"], $password)) { - if ($enable_otp) { + $result = db_query($this->link, "SELECT salt + FROM ttrss_users + WHERE id = ".$_SESSION["uid"]); + + $base32 = new Base32(); + + $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt"))); + $topt = new \OTPHP\TOTP($secret); + + $otp_check = $topt->now(); + + if ($otp == $otp_check) { db_query($this->link, "UPDATE ttrss_users SET otp_enabled = true WHERE id = " . $_SESSION["uid"]); print "OK"; + } else { + print "ERROR:".__("Incorrect one time password"); } } else { - print "ERROR: ".__("Incorrect password"); + print "ERROR:".__("Incorrect password"); } }