require entering current one time code to enable otp

author Andrew Dolgov <fox@madoka.volgo-balt.ru>

Tue, 16 Apr 2013 17:07:26 +0000 (21:07 +0400)

committer Andrew Dolgov <fox@madoka.volgo-balt.ru>

Tue, 16 Apr 2013 17:07:26 +0000 (21:07 +0400)
author Andrew Dolgov <fox@madoka.volgo-balt.ru>
Tue, 16 Apr 2013 17:07:26 +0000 (21:07 +0400)
committer Andrew Dolgov <fox@madoka.volgo-balt.ru>
Tue, 16 Apr 2013 17:07:26 +0000 (21:07 +0400)
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php

index c6d41c15b31060a27dce3817d7271fdba49a0964..dcd83ae26a75dc90889bff8d8c24af8937514999 100644 (file)
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -399,8 +399,8 @@ class Pref_Prefs extends Handler_Protected {
                                                         parameters: dojo.objectToQuery(this.getValues()),
                                                         onComplete: function(transport) {
                                                                 notify('');
-                                                               if (transport.responseText.indexOf('ERROR: ') == 0) {
-                                                                       notify_error(transport.responseText.replace('ERROR: ', ''));
+                                                               if (transport.responseText.indexOf('ERROR:') == 0) {
+                                                                       notify_error(transport.responseText.replace('ERROR:', ''));
                                                                 } else {
                                                                         window.location.reload();
                                                                 }
@@ -416,11 +416,13 @@ class Pref_Prefs extends Handler_Protected {
                                         print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" type=\"password\" required=\"1\"
                                                 name=\"password\"></td></tr>";
  
-                                       print "<tr><td colspan=\"2\">";
+                                       print "<tr><td width=\"40%\">".__("Enter the generated one time password")."</td>";
+
+                                       print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" autocomplete=\"off\"
+                                               required=\"1\"
+                                               name=\"otp\"></td></tr>";
  
-                                       print "<input dojoType=\"dijit.form.CheckBox\" required=\"1\"
-                                               type=\"checkbox\" id=\"enable_otp\" name=\"enable_otp\"/> ";
-                                       print "<label for=\"enable_otp\">".__("I have scanned the code and would like to enable OTP")."</label>";
+                                       print "<tr><td colspan=\"2\">";
  
                                         print "</td></tr><tr><td colspan=\"2\">";
  
@@ -957,22 +959,39 @@ class Pref_Prefs extends Handler_Protected {
         }
  
         function otpenable() {
-               $password = db_escape_string($this->link, $_REQUEST["password"]);
-               $enable_otp = $_REQUEST["enable_otp"] == "on";
+               require_once "lib/otphp/vendor/base32.php";
+               require_once "lib/otphp/lib/otp.php";
+               require_once "lib/otphp/lib/totp.php";
+
+               $password = $_REQUEST["password"];
+               $otp = $_REQUEST["otp"];
  
                 global $pluginhost;
                 $authenticator = $pluginhost->get_plugin($_SESSION["auth_module"]);
  
                 if ($authenticator->check_password($_SESSION["uid"], $password)) {
  
-                       if ($enable_otp) {
+                       $result = db_query($this->link, "SELECT salt
+                               FROM ttrss_users
+                               WHERE id = ".$_SESSION["uid"]);
+
+                       $base32 = new Base32();
+
+                       $secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
+                       $topt = new \OTPHP\TOTP($secret);
+
+                       $otp_check = $topt->now();
+
+                       if ($otp == $otp_check) {
                                 db_query($this->link, "UPDATE ttrss_users SET otp_enabled = true WHERE
                                         id = " . $_SESSION["uid"]);
  
                                 print "OK";
+                       } else {
+                               print "ERROR:".__("Incorrect one time password");
                         }
                 } else {
-                       print "ERROR: ".__("Incorrect password");
+                       print "ERROR:".__("Incorrect password");
                 }
  
         }
author	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Tue, 16 Apr 2013 17:07:26 +0000 (21:07 +0400)
committer	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Tue, 16 Apr 2013 17:07:26 +0000 (21:07 +0400)