Add Universal Two Factor support

Also create seperate account security options page

This commit requires a new database table

classes/twofa.class.php

@@ -25,7 +25,7 @@ class TwoFactorAuth {
     self::$_base32lookup = array_flip(self::$_base32);
   }
 
-  public function createSecret($bits = 80) {
+  public function createSecret($bits = 210) {
     $secret = '';
     $bytes = ceil($bits / 5); //We use 5 bits of each byte (since we have a 32-character 'alphabet' / BASE32)
     $rnd = random_bytes($bytes);

classes/u2f.class.php

@@ -0,0 +1,474 @@
+<?php
+// Taken from https://github.com/Yubico/php-u2flib-server/blob/master/src/u2flib_server/U2F.php
+
+/* Copyright (c) 2014 Yubico AB
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   * Redistributions in binary form must reproduce the above
+ *     copyright notice, this list of conditions and the following
+ *     disclaimer in the documentation and/or other materials provided
+ *     with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace u2f;
+
+/** Constant for the version of the u2f protocol */
+const U2F_VERSION = "U2F_V2";
+
+/** Error for the authentication message not matching any outstanding
+ * authentication request */
+const ERR_NO_MATCHING_REQUEST = 1;
+
+/** Error for the authentication message not matching any registration */
+const ERR_NO_MATCHING_REGISTRATION = 2;
+
+/** Error for the signature on the authentication message not verifying with
+ * the correct key */
+const ERR_AUTHENTICATION_FAILURE = 3;
+
+/** Error for the challenge in the registration message not matching the
+ * registration challenge */
+const ERR_UNMATCHED_CHALLENGE = 4;
+
+/** Error for the attestation signature on the registration message not
+ * verifying */
+const ERR_ATTESTATION_SIGNATURE = 5;
+
+/** Error for the attestation verification not verifying */
+const ERR_ATTESTATION_VERIFICATION = 6;
+
+/** Error for not getting good random from the system */
+const ERR_BAD_RANDOM = 7;
+
+/** Error when the counter is lower than expected */
+const ERR_COUNTER_TOO_LOW = 8;
+
+/** Error decoding public key */
+const ERR_PUBKEY_DECODE = 9;
+
+/** Error user-agent returned error */
+const ERR_BAD_UA_RETURNING = 10;
+
+/** Error old OpenSSL version */
+const ERR_OLD_OPENSSL = 11;
+
+const PUBKEY_LEN = 65;
+
+class U2F {
+  private $appId;
+
+  private $attestDir;
+
+  private $FIXCERTS = array(
+    '349bca1031f8c82c4ceca38b9cebf1a69df9fb3b94eed99eb3fb9aa3822d26e8',
+    'dd574527df608e47ae45fbba75a2afdd5c20fd94a02419381813cd55a2a3398f',
+    '1d8764f0f7cd1352df6150045c8f638e517270e8b5dda1c63ade9c2280240cae',
+    'd0edc9a91a1677435a953390865d208c55b3183c6759c9b5a7ff494c322558eb',
+    '6073c436dcd064a48127ddbf6032ac1a66fd59a0c24434f070d4e564c124c897',
+    'ca993121846c464d666096d35f13bf44c1b05af205f9b4a1e00cf6cc10c5e511'
+  );
+
+  /**
+   * @param string $appId Application id for the running application
+   * @param string|null $attestDir Directory where trusted attestation roots may be found
+   * @throws Error If OpenSSL older than 1.0.0 is used
+   */
+  public function __construct($appId, $attestDir = null) {
+    if (OPENSSL_VERSION_NUMBER < 0x10000000) {
+      throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL);
+    }
+    $this->appId = $appId;
+    $this->attestDir = $attestDir;
+  }
+
+  /**
+   * Called to get a registration request to send to a user.
+   * Returns an array of one registration request and a array of sign requests.
+   *
+   * @param array $registrations List of current registrations for this
+   * user, to prevent the user from registering the same authenticator several
+   * times.
+   * @return array An array of two elements, the first containing a
+   * RegisterRequest the second being an array of SignRequest
+   * @throws Error
+   */
+  public function getRegisterData(array $registrations = []) {
+    $challenge = $this->createChallenge();
+    $request = new RegisterRequest($challenge, $this->appId);
+    $signs = $this->getAuthenticateData($registrations);
+    return [$request, $signs];
+  }
+
+  /**
+   * Called to verify and unpack a registration message.
+   *
+   * @param RegisterRequest $request this is a reply to
+   * @param object $response response from a user
+   * @param bool $includeCert set to true if the attestation certificate should be
+   * included in the returned Registration object
+   * @return Registration
+   * @throws Error
+   */
+  public function doRegister($request, $response, $includeCert = true) {
+    if (!is_object($request)) {
+      throw new \InvalidArgumentException('$request of doRegister() method only accepts object.');
+    }
+
+    if (!is_object($response)) {
+      throw new \InvalidArgumentException('$response of doRegister() method only accepts object.');
+    }
+
+    if (property_exists($response, 'errorCode') && $response->errorCode !== 0) {
+      throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
+    }
+
+    if (!is_bool($includeCert)) {
+      throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.');
+    }
+
+    $rawReg = $this->base64u_decode($response->registrationData);
+    $regData = array_values(unpack('C*', $rawReg));
+    $clientData = $this->base64u_decode($response->clientData);
+    $cli = json_decode($clientData);
+
+    if ($cli->challenge !== $request->challenge) {
+      throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE );
+    }
+
+    $registration = new Registration();
+    $offs = 1;
+    $pubKey = substr($rawReg, $offs, PUBKEY_LEN);
+    $offs += PUBKEY_LEN;
+    // decode the pubKey to make sure it's good
+    $tmpKey = $this->pubkey_to_pem($pubKey);
+    if ($tmpKey === null) {
+      throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
+    }
+    $registration->publicKey = base64_encode($pubKey);
+    $khLen = $regData[$offs++];
+    $kh = substr($rawReg, $offs, $khLen);
+    $offs += $khLen;
+    $registration->keyHandle = $this->base64u_encode($kh);
+
+    // length of certificate is stored in byte 3 and 4 (excluding the first 4 bytes)
+    $certLen = 4;
+    $certLen += ($regData[$offs + 2] << 8);
+    $certLen += $regData[$offs + 3];
+
+    $rawCert = $this->fixSignatureUnusedBits(substr($rawReg, $offs, $certLen));
+    $offs += $certLen;
+    $pemCert  = "-----BEGIN CERTIFICATE-----\r\n";
+    $pemCert .= chunk_split(base64_encode($rawCert), 64);
+    $pemCert .= "-----END CERTIFICATE-----";
+    if ($includeCert) {
+      $registration->certificate = base64_encode($rawCert);
+    }
+    if ($this->attestDir) {
+      if (openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) {
+        throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION );
+      }
+    }
+
+    if (!openssl_pkey_get_public($pemCert)) {
+      throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
+    }
+    $signature = substr($rawReg, $offs);
+
+    $dataToVerify  = chr(0);
+    $dataToVerify .= hash('sha256', $request->appId, true);
+    $dataToVerify .= hash('sha256', $clientData, true);
+    $dataToVerify .= $kh;
+    $dataToVerify .= $pubKey;
+
+    if (openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) {
+      return $registration;
+    } else {
+      throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE );
+    }
+  }
+
+  /**
+   * Called to get an authentication request.
+   *
+   * @param array $registrations An array of the registrations to create authentication requests for.
+   * @return array An array of SignRequest
+   * @throws Error
+   */
+  public function getAuthenticateData(array $registrations) {
+    $sigs = array();
+    $challenge = $this->createChallenge();
+    foreach ($registrations as $reg) {
+      if (!is_object($reg)) {
+        throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.');
+      }
+
+      $sig = new SignRequest();
+      $sig->appId = $this->appId;
+      $sig->keyHandle = $reg->keyHandle;
+      $sig->challenge = $challenge;
+      $sigs[] = $sig;
+    }
+    return $sigs;
+  }
+
+  /**
+   * Called to verify an authentication response
+   *
+   * @param array $requests An array of outstanding authentication requests
+   * @param array $registrations An array of current registrations
+   * @param object $response A response from the authenticator
+   * @return Registration
+   * @throws Error
+   *
+   * The Registration object returned on success contains an updated counter
+   * that should be saved for future authentications.
+   * If the Error returned is ERR_COUNTER_TOO_LOW this is an indication of
+   * token cloning or similar and appropriate action should be taken.
+   */
+  public function doAuthenticate(array $requests, array $registrations, $response) {
+    if (!is_object($response)) {
+      throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.');
+    }
+
+    if (property_exists($response, 'errorCode') && $response->errorCode !== 0) {
+      throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
+    }
+
+    $req = null;
+    $reg = null;
+
+    $clientData = $this->base64u_decode($response->clientData);
+    $decodedClient = json_decode($clientData);
+    foreach ($requests as $req) {
+      if (!is_object($req)) {
+        throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.');
+      }
+
+      if ($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) {
+        break;
+      }
+
+      $req = null;
+    }
+    if ($req === null) {
+      throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST );
+    }
+    foreach ($registrations as $reg) {
+      if (!is_object($reg)) {
+        throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.');
+      }
+
+      if ($reg->keyHandle === $response->keyHandle) {
+        break;
+      }
+      $reg = null;
+    }
+    if ($reg === null) {
+      throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION );
+    }
+    $pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey));
+    if ($pemKey === null) {
+      throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
+    }
+
+    $signData = $this->base64u_decode($response->signatureData);
+    $dataToVerify  = hash('sha256', $req->appId, true);
+    $dataToVerify .= substr($signData, 0, 5);
+    $dataToVerify .= hash('sha256', $clientData, true);
+    $signature = substr($signData, 5);
+
+    if (openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) {
+      $ctr = unpack("Nctr", substr($signData, 1, 4));
+      $counter = $ctr['ctr'];
+      /* TODO: wrap-around should be handled somehow.. */
+      if ($counter > $reg->counter) {
+        $reg->counter = $counter;
+        return $reg;
+      } else {
+        throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW );
+      }
+    } else {
+      throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE );
+    }
+  }
+
+  /**
+   * @return array
+   */
+  private function get_certs() {
+    $files = array();
+    $dir = $this->attestDir;
+    if ($dir && $handle = opendir($dir)) {
+      while(false !== ($entry = readdir($handle))) {
+        if (is_file("$dir/$entry")) {
+          $files[] = "$dir/$entry";
+        }
+      }
+      closedir($handle);
+    }
+    return $files;
+  }
+
+  /**
+   * @param string $data
+   * @return string
+   */
+  private function base64u_encode($data) {
+    return trim(strtr(base64_encode($data), '+/', '-_'), '=');
+  }
+
+  /**
+   * @param string $data
+   * @return string
+   */
+  private function base64u_decode($data) {
+    return base64_decode(strtr($data, '-_', '+/'));
+  }
+
+  /**
+   * @param string $key
+   * @return null|string
+   */
+  private function pubkey_to_pem($key) {
+    if (strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") {
+      return null;
+    }
+
+    /*
+     * Convert the public key to binary DER format first
+     * Using the ECC SubjectPublicKeyInfo OIDs from RFC 5480
+     *
+     *  SEQUENCE(2 elem)                        30 59
+     *   SEQUENCE(2 elem)                       30 13
+     *    OID1.2.840.10045.2.1 (id-ecPublicKey) 06 07 2a 86 48 ce 3d 02 01
+     *    OID1.2.840.10045.3.1.7 (secp256r1)    06 08 2a 86 48 ce 3d 03 01 07
+     *   BIT STRING(520 bit)                    03 42 ..key..
+     */
+    $der  = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01";
+    $der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42";
+    $der .= "\0".$key;
+
+    $pem  = "-----BEGIN PUBLIC KEY-----\r\n";
+    $pem .= chunk_split(base64_encode($der), 64);
+    $pem .= "-----END PUBLIC KEY-----";
+
+    return $pem;
+  }
+
+  /**
+   * @return string
+   * @throws Error
+   */
+  private function createChallenge() {
+    $challenge = openssl_random_pseudo_bytes(32, $crypto_strong );
+    if ($crypto_strong !== true) {
+      throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM);
+    }
+
+    $challenge = $this->base64u_encode( $challenge );
+
+    return $challenge;
+  }
+
+  /**
+   * Fixes a certificate where the signature contains unused bits.
+   *
+   * @param string $cert
+   * @return mixed
+   */
+  private function fixSignatureUnusedBits($cert) {
+    if (in_array(hash('sha256', $cert), $this->FIXCERTS)) {
+      $cert[strlen($cert) - 257] = "\0";
+    }
+    return $cert;
+  }
+}
+
+/**
+ * Class for building a registration request
+ *
+ * @package u2flib_server
+ */
+class RegisterRequest {
+  public $version = U2F_VERSION;
+
+  public $challenge;
+
+  public $appId;
+
+  /**
+   * @param string $challenge
+   * @param string $appId
+   * @internal
+   */
+  public function __construct($challenge, $appId) {
+    $this->challenge = $challenge;
+    $this->appId = $appId;
+  }
+}
+
+/**
+ * Class for building up an authentication request
+ *
+ * @package u2flib_server
+ */
+class SignRequest {
+  public $version = U2F_VERSION;
+
+  public $challenge;
+
+  public $keyHandle;
+
+  public $appId;
+}
+
+/**
+ * Class returned for successful registrations
+ *
+ * @package u2flib_server
+ */
+class Registration {
+  public $keyHandle;
+
+  public $publicKey;
+
+  public $certificate;
+
+  public $counter = -1;
+}
+
+/**
+ * Error class, returned on errors
+ *
+ * @package u2flib_server
+ */
+class Error extends \Exception {
+  /**
+   * Override constructor and make message and code mandatory
+   * @param string $message
+   * @param int $code
+   * @param \Exception|null $previous
+   */
+  public function __construct($message, $code, \Exception $previous = null) {
+    parent::__construct($message, $code, $previous);
+  }
+}

design/privateheader.php

@@ -533,12 +533,12 @@ if (!empty($Alerts) || !empty($ModBar)) { ?>
 <?
   }
   if (!empty($ModBar)) { ?>
-        <div class="alertbar blend">
-          <?=implode(' | ', $ModBar); echo "\n"?>
+        <div class="alertbar modbar">
+          <?=implode(' ', $ModBar); echo "\n"?>
         </div>
 <?  }
 if (check_perms('site_debug') && !apcu_exists('DBKEY')) { ?>
-        <div class="alertbar" style="color: white; background: #B53939;">
+        <div class="alertbar error">
           Warning: <a href="tools.php?action=database_key">no DB key</a>
         </div>
 <?  } ?>

design/publicheader.php

@@ -11,7 +11,7 @@ define('FOOTER_FILE',SERVER_ROOT.'/design/publicfooter.php');
   <link rel="shortcut icon" href="favicon.ico?v=<?=md5_file('favicon.ico');?>" />
   <link href="<?=STATIC_SERVER ?>styles/public/style.css?v=<?=filemtime(SERVER_ROOT.'/static/styles/public/style.css')?>" rel="stylesheet" type="text/css" />
 <?
-  $Scripts = ['jquery', 'global', 'ajax.class', 'cookie.class', 'storage.class', 'public'];
+  $Scripts = ['jquery', 'global', 'ajax.class', 'cookie.class', 'storage.class', 'public', 'u2f'];
   foreach($Scripts as $Script) {
     if (($ScriptStats = G::$Cache->get_value("script_stats_$Script")) === false || $ScriptStats['mtime'] != filemtime(SERVER_ROOT.STATIC_SERVER."functions/$Script.js")) {
       $ScriptStats['mtime'] = filemtime(SERVER_ROOT.STATIC_SERVER."functions/$Script.js");

gazelle.sql

@@ -1254,6 +1254,16 @@ CREATE TABLE `torrents_tags_votes` (
   PRIMARY KEY (`GroupID`,`TagID`,`UserID`,`Way`)
 ) ENGINE=InnoDB CHARSET=utf8;
 
+CREATE TABLE `u2f` (
+  `UserID` int(10) NOT NULL,
+  `KeyHandle` varchar(255) NOT NULL,
+  `PublicKey` varchar(255) NOT NULL,
+  `Certificate` text,
+  `Counter` int(10) NOT NULL DEFAULT '-1',
+  `Valid` enum('0','1') NOT NULL DEFAULT '1',
+  PRIMARY KEY (`UserID`,`KeyHandle`)
+) ENGINE=InnoDB CHARSET=utf8;
+
 CREATE TABLE `user_questions` (
   `ID` int(10) NOT NULL AUTO_INCREMENT,
   `Question` mediumtext,

sections/login/index.php

@@ -20,10 +20,12 @@ if (Tools::site_ban_ip($_SERVER['REMOTE_ADDR'])) {
 }
 
 require_once SERVER_ROOT.'/classes/twofa.class.php';
+require_once SERVER_ROOT.'/classes/u2f.class.php';
 require_once SERVER_ROOT.'/classes/validate.class.php';
 
 $Validate = new VALIDATE;
 $TwoFA = new TwoFactorAuth(SITE_NAME);
+$U2F = new u2f\U2F('https://'.SITE_DOMAIN);
 
 if (array_key_exists('action', $_GET) && $_GET['action'] == 'disabled') {
   require('disabled.php');
@@ -293,52 +295,100 @@ else {
                 }
               }
 
-              $SessionID = Users::make_secret(64);
-              setcookie('session', $SessionID, (time()+60*60*24*365), '/', '', true, true);
-              setcookie('userid', $UserID, (time()+60*60*24*365), '/', '', true, true);
-
-              // Because we <3 our staff
-              $Permissions = Permissions::get_permissions($PermissionID);
-              $CustomPermissions = unserialize($CustomPermissions);
-              if (isset($Permissions['Permissions']['site_disable_ip_history'])
-                || isset($CustomPermissions['site_disable_ip_history'])
-              ) {
-                $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+              $U2FRegs = [];
+              $DB->query("
+                SELECT KeyHandle, PublicKey, Certificate, Counter, Valid
+                FROM u2f
+                WHERE UserID = $UserID");
+              // Needs to be an array of objects, so we can't use to_array()
+              while (list($KeyHandle, $PublicKey, $Certificate, $Counter, $Valid) = $DB->next_record()) {
+                $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter, 'valid'=>$Valid];
               }
 
-              $DB->query("
-                INSERT INTO users_sessions
-                  (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)
-                VALUES
-                  ('$UserID', '".db_string($SessionID)."', '1', '$Browser', '$OperatingSystem', '".db_string(apcu_exists('DBKEY')?DBCrypt::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', '".sqltime()."', '".db_string($_SERVER['HTTP_USER_AGENT'])."')");
+              if (sizeof($U2FRegs) > 0) {
+                // U2F is enabled for this account
+                if (isset($_POST['u2f-request']) && isset($_POST['u2f-response'])) {
+                  // Data from the U2F login page is present. Verify it.
+                  try {
+                    $U2FReg = $U2F->doAuthenticate(json_decode($_POST['u2f-request']), $U2FRegs, json_decode($_POST['u2f-response']));
+                    if ($U2FReg->valid != '1') throw new Exception('Token disabled.');
+                    $DB->query("UPDATE u2f
+                                SET Counter = ".($U2FReg->counter)."
+                                WHERE KeyHandle = '".db_string($U2FReg->keyHandle)."'
+                                AND UserID = $UserID");
+                  } catch (Exception $e) {
+                    $U2FErr = 'U2F key invalid. Error: '.($e->getMessage());
+                    if ($e->getMessage() == 'Token disabled.') {
+                      $U2FErr = 'This token was disabled due to suspected cloning. Contact staff for assistance';
+                    }
+                    if ($e->getMessage() == 'Counter too low.') {
+                      $BadHandle = json_decode($_POST['u2f-response'], true)['keyHandle'];
+                      $DB->query("UPDATE u2f
+                                  SET Valid = '0'
+                                  WHERE KeyHandle = '".db_string($BadHandle)."'
+                                  AND UserID = $UserID");
+                      $U2FErr = 'U2F counter too low. This token has been disabled due to suspected cloning. Contact staff for assistance.';
+                    }
+                  }
+                } else {
+                  // Data from the U2F login page is not present. Go there
+                  require('u2f.php');
+                  die();
+                }
+              }
+
+              if (sizeof($U2FRegs) == 0 || !isset($U2FErr)) {
+                $SessionID = Users::make_secret(64);
+                setcookie('session', $SessionID, (time()+60*60*24*365), '/', '', true, true);
+                setcookie('userid', $UserID, (time()+60*60*24*365), '/', '', true, true);
+
+                // Because we <3 our staff
+                $Permissions = Permissions::get_permissions($PermissionID);
+                $CustomPermissions = unserialize($CustomPermissions);
+                if (isset($Permissions['Permissions']['site_disable_ip_history'])
+                  || isset($CustomPermissions['site_disable_ip_history'])
+                ) {
+                  $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+                }
 
-              $Cache->begin_transaction("users_sessions_$UserID");
-              $Cache->insert_front($SessionID, array(
+                $DB->query("
+                  INSERT INTO users_sessions
+                    (UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate, FullUA)
+                  VALUES
+                    ('$UserID', '".db_string($SessionID)."', '1', '$Browser', '$OperatingSystem', '".db_string(apcu_exists('DBKEY')?DBCrypt::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0')."', '".sqltime()."', '".db_string($_SERVER['HTTP_USER_AGENT'])."')");
+
+                $Cache->begin_transaction("users_sessions_$UserID");
+                $Cache->insert_front($SessionID, [
                   'SessionID' => $SessionID,
                   'Browser' => $Browser,
                   'OperatingSystem' => $OperatingSystem,
                   'IP' => (apcu_exists('DBKEY')?DBCrypt::encrypt($_SERVER['REMOTE_ADDR']):'0.0.0.0'),
                   'LastUpdate' => sqltime()
-                  ));
-              $Cache->commit_transaction(0);
-
-              $Sql = "
-                UPDATE users_main
-                SET
-                  LastLogin = '".sqltime()."',
-                  LastAccess = '".sqltime()."'
-                WHERE ID = '".db_string($UserID)."'";
-
-              $DB->query($Sql);
-
-              if (!empty($_COOKIE['redirect'])) {
-                $URL = $_COOKIE['redirect'];
-                setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);
-                header("Location: $URL");
-                die();
+                ]);
+                $Cache->commit_transaction(0);
+
+                $Sql = "
+                  UPDATE users_main
+                  SET
+                    LastLogin = '".sqltime()."',
+                    LastAccess = '".sqltime()."'
+                  WHERE ID = '".db_string($UserID)."'";
+
+                $DB->query($Sql);
+
+                if (!empty($_COOKIE['redirect'])) {
+                  $URL = $_COOKIE['redirect'];
+                  setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false);
+                  header("Location: $URL");
+                  die();
+                } else {
+                  header('Location: index.php');
+                  die();
+                }
               } else {
-                header('Location: index.php');
-                die();
+                log_attempt();
+                $Err = $U2FErr;
+                setcookie('keeplogged', '', time() + 60 * 60 * 24 * 365, '/', '', false);
               }
             } else {
               log_attempt();

sections/login/newlocation.php

@@ -9,16 +9,16 @@ View::show_header('Authorize Location');
 if (isset($_REQUEST['act'])) {
 ?>
 
-Your location is now authorized to access this account.<br /><br />
+Your location is now authorized to access this account.<br><br>
 Click <a href="login.php">here</a> to login again.
 
 <? } else { ?>
 
-This appears to be the first time you've logged in from this location.<br /><br />
+This appears to be the first time you've logged in from this location.<br><br>
 
-As a security measure to ensure that you are really the owner of this account,<br />
-an email has been sent to the address in your profile settings. Please<br />
-click the link contained in that email to allow access from<br />
+As a security measure to ensure that you are really the owner of this account,<br>
+an email has been sent to the address in your profile settings. Please<br>
+click the link contained in that email to allow access from<br>
 your location, and then log in again.
 
 <? }

sections/login/u2f.php

@@ -0,0 +1,24 @@
+<?
+if (!empty($LoggedUser['ID'])) {
+  header('Location: login.php');
+  die();
+}
+if (!isset($_POST['username']) || !isset($_POST['password']) || !isset($U2FRegs)) {
+  header('Location: login.php');
+  die();
+}
+
+$U2FReq = json_encode($U2F->getAuthenticateData($U2FRegs));
+
+View::show_header('U2F Authentication'); ?>
+
+<form id="u2f_sign_form" action="login.php" method="post">
+  <input type="hidden" name="username" value="<?=$_POST['username']?>">
+  <input type="hidden" name="password" value="<?=$_POST['password']?>">
+  <input type="hidden" name="u2f-request" value='<?=$U2FReq?>'>
+  <input type="hidden" name="u2f-response">
+</form>
+
+This account is protected by a Universal Two Factor token. To continue logging in, please insert your U2F token and press it if necessary.
+
+<? View::show_footer(); ?>

sections/user/2fa.php

@@ -0,0 +1,176 @@
+<?
+require(SERVER_ROOT.'/classes/twofa.class.php');
+require(SERVER_ROOT.'/classes/u2f.class.php');
+
+$TwoFA = new TwoFactorAuth(SITE_NAME);
+$U2F = new u2f\U2F('https://'.SITE_DOMAIN);
+if ($Type = $_POST['type'] ?? false) {
+  if ($Type == 'PGP') {
+    $DB->query("
+      UPDATE users_main
+      SET PublicKey = '".db_string($_POST['publickey'])."'
+      WHERE ID = $UserID");
+    $Message = 'Public key '.(empty($_POST['publickey']) ? 'removed' : 'updated') ;
+  }
+  if ($Type == '2FA-E') {
+    if ($TwoFA->verifyCode($_POST['twofasecret'], $_POST['twofa'])) {
+      $DB->query("
+        UPDATE users_main
+        SET TwoFactor='".db_string($_POST['twofasecret'])."'
+        WHERE ID = $UserID");
+      $Message = "Two Factor Authentication enabled";
+    } else {
+      $Error = "Invalid 2FA verification code";
+    }
+  }
+  if ($Type == '2FA-D') {
+    $DB->query("
+      UPDATE users_main
+      SET TwoFactor = NULL
+      WHERE ID = $UserID");
+    $Message = "Two Factor Authentication disabled";
+  }
+  if ($Type == 'U2F-E') {
+    try {
+      $U2FReg = $U2F->doRegister(json_decode($_POST['u2f-request']), json_decode($_POST['u2f-response']));
+      $DB->query("
+      INSERT INTO u2f
+      (UserID, KeyHandle, PublicKey, Certificate, Counter, Valid)
+      Values ($UserID, '".db_string($U2FReg->keyHandle)."', '".db_string($U2FReg->publicKey)."', '".db_string($U2FReg->certificate)."', '".db_string($U2FReg->counter)."', '1')");
+      $Message = "U2F token registered";
+    } catch(Exception $e) {
+      $Error = "Failed to register U2F token";
+    }
+  }
+  if ($Type == 'U2F-D') {
+    $DB->query("
+      DELETE FROM u2f
+      WHERE UserID = $UserID");
+    $Message = 'U2F tokens deregistered';
+  }
+}
+
+$U2FRegs = [];
+$DB->query("
+  SELECT KeyHandle, PublicKey, Certificate, Counter
+  FROM u2f
+  WHERE UserID = $UserID");
+// Needs to be an array of objects, so we can't use to_array()
+while (list($KeyHandle, $PublicKey, $Certificate, $Counter) = $DB->next_record()) {
+  $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter];
+}
+
+$DB->query("
+  SELECT PublicKey, TwoFactor
+  FROM users_main
+  WHERE ID = $UserID");
+list($PublicKey, $TwoFactor) = $DB->next_record();
+
+list($U2FRequest, $U2FSigs) = $U2F->getRegisterData($U2FRegs);
+
+View::show_header("Two-factor Authentication Settings", 'u2f');
+?>
+<h2>Additional Account Security Options</h2>
+<div class="thin">
+<? if (isset($Message)) { ?>
+    <div class="alertbar"><?=$Message?></div>
+<? }
+   if (isset($Error)) { ?>
+    <div class="alertbar error"><?=$Error?></div>
+<? } ?>
+    <div class="box">
+      <div class="head">
+        <strong>PGP Public Key</strong>
+      </div>
+      <div class="pad">
+  <? if (empty($PublicKey)) {
+       if (!empty($TwoFactor) || sizeof($U2FRegs) > 0) { ?>
+        <strong class="important_text">You have a form of 2FA enabled but no PGP key associated with your account. If you lose access to your 2FA device, you will permanently lose access to your account.</strong>
+  <?   } ?>
+        <p>When setting up any form of second factor authentication, it is strongly recommended that you add your PGP public key as a form of secure recovery in the event that you lose access to your second factor device.</p>
+        <p>After adding a PGP public key to your account, you will be able to disable your account's second factor protection by solving a challenge that only someone with your private key could solve.</p>
+        <p>Additionally, being able to solve such a challenge when given manually by staff will suffice to provide proof of ownership of your account, provided no revocation certificate has been published for your key.</p>
+        <p>Before adding your PGP public key, please make sure that you have taken the necessary precautions to protect it from loss (backup) or theft (revocation certificate).</p>
+  <? } else { ?>
+        <p>The PGP public key associated with your account is shown below.</p>
+        <p>This key can be used to create challenges that are only solvable by the holder of the related private key. Successfully solving these challenges is necessary for disabling any form of second factor authentication or proving ownership of this account to staff when you are unable to login.</p>
+  <? } ?>
+        <form method="post">
+          <input type="hidden" name="type" value="PGP">
+          Public Key:
+          <br>
+          <textarea name="publickey" id="publickey" spellcheck="false" cols="64" rows="8"><?=display_str($PublicKey)?></textarea>
+          <br>
+          <button type="submit" name="type" value="PGP">Update Public Key</button>
+        </form>
+      </div>
+    </div>
+    <div class="box">
+      <div class="head">
+        <strong>Two-Factor Authentication (2FA-TOTP)</strong>
+      </div>
+      <div class="pad">
+<?    $TwoFASecret = empty($TwoFactor) ? $TwoFA->createSecret() : $TwoFactor;
+      if (empty($TwoFactor)) {
+        if (sizeof($U2FRegs) == 0) { ?>
+          <p>Two Factor Authentication is not currently enabled for this account.</p>
+          <p>To enable it, add the secret key below to your 2FA client either manually or by scanning the QR code, then enter a verification code generated by your 2FA client and click the "Enable 2FA" button.</p>
+          <form method="post">
+            <input type="text" size="60" name="twofasecret" id="twofasecret" value="<?=$TwoFASecret?>" readonly><br>
+            <img src="<?=$TwoFA->getQRCodeImageAsDataUri(SITE_NAME, $TwoFASecret)?>"><br>
+            <input type="text" size="20" maxlength="6" pattern="[0-9]{0,6}" name="twofa" id="twofa" placeholder="Verification Code" autocomplete="off"><br><br>
+            <button type="submit" name="type" value="2FA-E">Enable 2FA</button>
+          </form>
+<?      } else { ?>
+          <p>Two Factor Authentication is not currently enabled for this account.</p>
+          <p>To enable 2FA, you must first disable U2F below.</p>
+<?      }
+      } else {?>
+        <form method="post">
+          <input type="hidden" name="type" value="2FA-D">
+          <p>2FA is enabled for this account with the following secret:</p>
+          <input type="text" size="20" name="twofasecret" id="twofasecret" value="<?=$TwoFASecret?>" readonly><br>
+          <img src="<?=$TwoFA->getQRCodeImageAsDataUri(SITE_NAME, $TwoFASecret)?>"><br><br>
+          <p>To disable 2FA, click the button below.</p>
+          <button type="submit" name="type" value="2FA-D">Disable 2FA</button>
+        </form>
+<?    } ?>
+      </div>
+    </div>
+    <div class="box">
+      <div class="head">
+        <strong>Universal Two Factor (FIDO U2F)</strong>
+      </div>
+      <div class="pad">
+<?    if (sizeof($U2FRegs) == 0) { ?>
+<?      if (empty($TwoFactor)) { ?>
+          <form method="post" id="u2f_register_form">
+            <input type="hidden" name="u2f-request" value='<?=json_encode($U2FRequest)?>'>
+            <input type="hidden" name="u2f-sigs" value='<?=json_encode($U2FSigs)?>'>
+            <input type="hidden" name="u2f-response">
+            <input type="hidden" value="U2F-E">
+          </form>
+          <p>Universal Two Factor is not currently enabled for this account.</p>
+          <p>To enable Universal Two Factor, plug in your U2F token and press the button on it.</p>
+<?      } else { ?>
+          <p>Universal Two Factor is not currently enabled for this account.</p>
+          <p>To enable Universal Two Factor, you must first disable normal 2FA above.</p>
+<?      } ?>
+<?    } else { ?>
+        <form method="post" id="u2f_register_form">
+          <input type="hidden" name="u2f-request" value='<?=json_encode($U2FRequest)?>'>
+          <input type="hidden" name="u2f-sigs" value='<?=json_encode($U2FSigs)?>'>
+          <input type="hidden" name="u2f-response">
+          <input type="hidden" value="U2F-E">
+        </form>
+        <p>Universal Two Factor is enabled.</p>
+        <p>To add an additional U2F token, plug it in and press the button on it</p>
+        <p>To disable U2F completely and deregister all tokens, press the button below</p>
+        <button type="submit" name="type" value="U2F-D">Disable U2F</button>
+<?    } ?>
+      </div>
+    </div>
+</div>
+<?
+View::show_footer();
+?>

sections/user/edit.php

@@ -84,7 +84,7 @@ echo $Val->GenerateJS('userform');
   <div class="header">
     <h2><?=Users::format_username($UserID, false, false, false)?> &gt; Settings</h2>
   </div>
-  <form class="edit_form" name="user" id="userform" action="" method="post" autocomplete="off">
+  <form class="edit_form" name="user" id="userform" method="post" autocomplete="off">
   <div class="sidebar settings_sidebar">
     <div class="box box2" id="settings_sections">
       <div class="head">
@@ -739,13 +739,17 @@ list($ArtistsAdded) = $DB->next_record();
           <strong>Access Settings</strong>
         </td>
       </tr>
+      <tr id="acc_2fa_tr">
+        <td class="label tooltip" title="This page contains 2FA, U2F, and PGP settings"><strong>Account Security</strong></td>
+        <td><a href="user.php?action=2fa">Click here to view additional account security options</a></td>
+      </tr>
       <tr id="acc_currentpassword_tr">
         <td class="label"><strong>Current Password</strong></td>
         <td>
           <div class="field_div">
             <input type="password" size="40" name="cur_pass" id="cur_pass" maxlength="307200" value="" />
           </div>
-          <strong class="important_text">When changing any of the settings in this section, you must enter your current password in this field before saving your changes</strong>
+          <strong class="important_text">When changing any of the settings below, you must enter your current password in this field before saving your changes</strong>
         </td>
       </tr>
       <tr id="acc_resetpk_tr">
@@ -779,35 +783,6 @@ list($ArtistsAdded) = $DB->next_record();
           </div>
         </td>
       </tr>
-      <tr id="acc_publickey_tr">
-        <td class="label tooltip" title="This is your PGP public key. The matching private key can be used to prove ownership of your account should you lose access to your password or 2FA key. Only add a PGP key if you have taken proper precautions like creating a revocation certificate"><strong>PGP Public Key</strong></td>
-        <td>
-          <div class="field_div">
-            <textarea name="publickey" id="publickey" cols="64" rows="8"><?=display_str($PublicKey)?></textarea>
-          </div>
-        </td>
-      </tr>
-      <tr id="acc_2fa_tr">
-        <td class="label tooltip" title="This will let you enable 2-Factor Auth for your <?=SITE_NAME?> account. The use of your 2FA client will be required whenever you login after enabling it."><strong>2-Factor Auth</strong></td>
-        <td>
-          <? $TwoFASecret = empty($TwoFactor) ? $TwoFA->createSecret() : $TwoFactor; ?>
-          <div class="field_div">
-            <? if (!empty($TwoFactor)) { ?>
-            <p class="min_padding">2FA is enabled for this account with the following secret:</p>
-            <? } ?>
-            <img src="<?=$TwoFA->getQRCodeImageAsDataUri(SITE_NAME, $TwoFASecret)?>"><br>
-            <input type="text" size="20" name="twofasecret" id="twofasecret" value="<?=$TwoFASecret?>" readonly><br>
-            <? if (empty($TwoFactor)) { ?>
-            <input type="text" size="20" maxlength="6" name="twofa" id="twofa" placeholder="Verification Code">
-            <p class="min_padding">To enable 2FA, scan the above QR code (or add the secret below it) to your 2FA client of choice, and enter a verification code it generates. Note that the verification code must not have expired when you save your profile.</p>
-            <p class="min_padding"><strong class="important_text">WARNING</strong>: Losing your 2FA key can make your account unrecoverable. Only enable it if you're sure you can handle it.
-            <? } else { ?>
-            <label><input type="checkbox" name="disable2fa" id="disable2fa" />
-            Disable 2FA</label>
-            <? } ?>
-          </div>
-        </td>
-      </tr>
       <tr id="acc_password_tr">
         <td class="label"><strong>Password</strong></td>
         <td>

sections/user/index.php

@@ -45,8 +45,11 @@ switch ($_REQUEST['action']) {
   case 'take_edit':
     include('take_edit.php');
     break;
+  case '2fa':
+    include('2fa.php');
+    break;
   case 'invitetree':
-    include(SERVER_ROOT.'/sections/user/invitetree.php');
+    include('invitetree.php');
     break;
   case 'invite':
     include('invite.php');

sections/user/take_edit.php

@@ -29,7 +29,6 @@ $Val->SetFields('postsperpage', 1, "number", "You forgot to select your posts pe
 $Val->SetFields('collagecovers', 1, "number", "You forgot to select your collage option.");
 $Val->SetFields('avatar', 0, "regex", "You did not enter a valid avatar URL.", ['regex' => "/^".IMAGE_REGEX."$/i"]);
 $Val->SetFields('email', 1, "email", "You did not enter a valid email address.");
-$Val->SetFields('twofa', 0, "regex", "You did not enter a valid 2FA verification code.", ['regex' => '/^[0-9]{6}$/']);
 $Val->SetFields('irckey', 0, "string", "You did not enter a valid IRC key. An IRC key must be between 6 and 32 characters long.", ['minlength' => 6, 'maxlength' => 32]);
 $Val->SetFields('new_pass_1', 0, "regex", "You did not enter a valid password. A valid password is 6 characters or longer.", ['regex' => '/(?=^.{6,}$).*$/']);
 $Val->SetFields('new_pass_2', 1, "compare", "Your passwords do not match.", ['comparefield' => 'new_pass_1']);
@@ -134,10 +133,10 @@ if (isset($_POST['p_donor_stats'])) {
 // End building $Paranoia
 
 $DB->query("
-  SELECT Email, PassHash, TwoFactor, PublicKey, IRCKey
+  SELECT Email, PassHash, IRCKey
   FROM users_main
   WHERE ID = $UserID");
-list($CurEmail, $CurPassHash, $CurTwoFA, $CurPublicKey, $CurIRCKey) = $DB->next_record();
+list($CurEmail, $CurPassHash, $CurIRCKey) = $DB->next_record();
 
 function require_password($Setting = false) {
   global $CurPassHash;
@@ -175,39 +174,6 @@ if ($CurEmail != $_POST['email']) {
 
 }
 
-// PGP Key
-if ($CurPublicKey != $_POST['publickey']) {
-  require_password("Change Public Key");
-  $DB->query("
-    UPDATE users_main
-    SET PublicKey = '".db_string($_POST['publickey'])."'
-    WHERE ID = $UserID");
-}
-
-// 2FA activation
-if (!empty($_POST['twofa']) && empty($CurTwoFA)) {
-  require_password("Enable 2-Factor");
-  require_once SERVER_ROOT.'/classes/twofa.class.php';
-  $TwoFA = new TwoFactorAuth(SITE_NAME);
-  if ($TwoFA->verifyCode($_POST['twofasecret'], $_POST['twofa'])) {
-    $DB->query("
-      UPDATE users_main
-      SET TwoFactor='".db_string($_POST['twofasecret'])."'
-      WHERE ID = $UserID");
-  } else {
-    error('Invalid 2FA verification code.');
-  }
-}
-
-// 2FA deactivation
-if (isset($_POST['disable2fa'])) {
-  require_password("Disable 2-Factor");
-  $DB->query("
-    UPDATE users_main
-    SET TwoFactor = NULL
-    WHERE ID = $UserID");
-}
-
 if (!empty($_POST['new_pass_1']) && !empty($_POST['new_pass_2'])) {
   require_password("Change Password");
   $ResetPassword = true;

static/functions/u2f.js

@@ -0,0 +1,500 @@
+// Modified U2F client API by Google (https://demo.yubico.com/js/u2f-api.js)
+
+// Copyright 2014-2015 Google Inc. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file or at
+// https://developers.google.com/open-source/licenses/bsd
+
+'use strict';
+
+// Namespace for the U2F api.
+var u2f = u2f || {};
+
+// The U2F extension id
+u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
+
+// Message types for messsages to/from the extension
+u2f.MessageTypes = {
+    'U2F_REGISTER_REQUEST': 'u2f_register_request',
+    'U2F_SIGN_REQUEST': 'u2f_sign_request',
+    'U2F_REGISTER_RESPONSE': 'u2f_register_response',
+    'U2F_SIGN_RESPONSE': 'u2f_sign_response'
+};
+
+// Response status codes
+u2f.ErrorCodes = {
+    'OK': 0,
+    'OTHER_ERROR': 1,
+    'BAD_REQUEST': 2,
+    'CONFIGURATION_UNSUPPORTED': 3,
+    'DEVICE_INELIGIBLE': 4,
+    'TIMEOUT': 5
+};
+
+// A message type for registration requests
+u2f.Request;
+
+// A message for registration responses
+u2f.Response;
+
+// An error object for responses
+u2f.Error;
+
+// Data object for a single sign request.
+u2f.SignRequest;
+
+// Data object for a sign response.
+u2f.SignResponse;
+
+// Data object for a registration request.
+u2f.RegisterRequest;
+
+// Data object for a registration response.
+u2f.RegisterResponse;
+
+
+// Low level MessagePort API support
+
+// Sets up a MessagePort to the U2F extension using the available mechanisms.
+u2f.getMessagePort = function(callback) {
+    if (typeof chrome != 'undefined' && chrome.runtime) {
+        // The actual message here does not matter, but we need to get a reply
+        // for the callback to run. Thus, send an empty signature request
+        // in order to get a failure response.
+        var msg = {
+            type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+            signRequests: []
+        };
+        chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
+            if (!chrome.runtime.lastError) {
+                // We are on a whitelisted origin and can talk directly
+                // with the extension.
+                u2f.getChromeRuntimePort_(callback);
+            } else {
+                // chrome.runtime was available, but we couldn't message
+                // the extension directly, use iframe
+                u2f.getIframePort_(callback);
+            }
+        });
+    } else if (u2f.isAndroidChrome_()) {
+        u2f.getAuthenticatorPort_(callback);
+    } else {
+        // chrome.runtime was not available at all, which is normal
+        // when this origin doesn't have access to any extensions.
+        u2f.getIframePort_(callback);
+    }
+};
+
+// Detect chrome running on android based on the browser's useragent.
+u2f.isAndroidChrome_ = function() {
+    var userAgent = navigator.userAgent;
+    return userAgent.indexOf('Chrome') != -1 &&
+        userAgent.indexOf('Android') != -1;
+};
+
+// Connects directly to the extension via chrome.runtime.connect
+u2f.getChromeRuntimePort_ = function(callback) {
+    var port = chrome.runtime.connect(u2f.EXTENSION_ID,
+        {'includeTlsChannelId': true});
+    setTimeout(function() {
+        callback(new u2f.WrappedChromeRuntimePort_(port));
+    }, 0);
+};
+
+// Return a 'port' abstraction to the Authenticator app.
+u2f.getAuthenticatorPort_ = function(callback) {
+    setTimeout(function() {
+        callback(new u2f.WrappedAuthenticatorPort_());
+    }, 0);
+};
+
+// A wrapper for chrome.runtime.Port that is compatible with MessagePort.
+u2f.WrappedChromeRuntimePort_ = function(port) {
+    this.port_ = port;
+};
+
+// Format a return a sign request.
+u2f.WrappedChromeRuntimePort_.prototype.formatSignRequest_ =
+    function(signRequests, timeoutSeconds, reqId) {
+        return {
+            type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+            signRequests: signRequests,
+            timeoutSeconds: timeoutSeconds,
+            requestId: reqId
+        };
+    };
+
+// Format a return a register request.
+u2f.WrappedChromeRuntimePort_.prototype.formatRegisterRequest_ =
+    function(signRequests, registerRequests, timeoutSeconds, reqId) {
+        return {
+            type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
+            signRequests: signRequests,
+            registerRequests: registerRequests,
+            timeoutSeconds: timeoutSeconds,
+            requestId: reqId
+        };
+    };
+
+// Posts a message on the underlying channel.
+u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
+    this.port_.postMessage(message);
+};
+
+// Emulates the HTML 5 addEventListener interface. Works only for the
+// onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
+u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
+    function(eventName, handler) {
+        var name = eventName.toLowerCase();
+        if (name == 'message' || name == 'onmessage') {
+            this.port_.onMessage.addListener(function(message) {
+                // Emulate a minimal MessageEvent object
+                handler({'data': message});
+            });
+        } else {
+            console.error('WrappedChromeRuntimePort only supports onMessage');
+        }
+    };
+
+// Wrap the Authenticator app with a MessagePort interface.
+u2f.WrappedAuthenticatorPort_ = function() {
+    this.requestId_ = -1;
+    this.requestObject_ = null;
+}
+
+// Launch the Authenticator intent.
+u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
+    var intentLocation = /** @type {string} */ (message);
+    document.location = intentLocation;
+};
+
+// Emulates the HTML5 addEventListener interface.
+u2f.WrappedAuthenticatorPort_.prototype.addEventListener =
+    function(eventName, handler) {
+        var name = eventName.toLowerCase();
+        if (name == 'message') {
+            var self = this;
+            /* Register a callback to that executes when
+             * chrome injects the response. */
+            window.addEventListener(
+                'message', self.onRequestUpdate_.bind(self, handler), false);
+        } else {
+            console.error('WrappedAuthenticatorPort only supports message');
+        }
+    };
+
+// Callback invoked  when a response is received from the Authenticator.
+u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
+    function(callback, message) {
+        var messageObject = JSON.parse(message.data);
+        var intentUrl = messageObject['intentURL'];
+
+        var errorCode = messageObject['errorCode'];
+        var responseObject = null;
+        if (messageObject.hasOwnProperty('data')) {
+            responseObject = /** @type {Object} */ (
+                JSON.parse(messageObject['data']));
+            responseObject['requestId'] = this.requestId_;
+        }
+
+        /* Sign responses from the authenticator do not conform to U2F,
+         * convert to U2F here. */
+        responseObject = this.doResponseFixups_(responseObject);
+        callback({'data': responseObject});
+    };
+
+// Fixup the response provided by the Authenticator to conform with the U2F spec.
+u2f.WrappedAuthenticatorPort_.prototype.doResponseFixups_ =
+    function(responseObject) {
+        if (responseObject.hasOwnProperty('responseData')) {
+            return responseObject;
+        } else if (this.requestObject_['type'] != u2f.MessageTypes.U2F_SIGN_REQUEST) {
+            // Only sign responses require fixups.  If this is not a response
+            // to a sign request, then an internal error has occurred.
+            return {
+                'type': u2f.MessageTypes.U2F_REGISTER_RESPONSE,
+                'responseData': {
+                    'errorCode': u2f.ErrorCodes.OTHER_ERROR,
+                    'errorMessage': 'Internal error: invalid response from Authenticator'
+                }
+            };
+        }
+
+        /* Non-conformant sign response, do fixups. */
+        var encodedChallengeObject = responseObject['challenge'];
+        if (typeof encodedChallengeObject !== 'undefined') {
+            var challengeObject = JSON.parse(atob(encodedChallengeObject));
+            var serverChallenge = challengeObject['challenge'];
+            var challengesList = this.requestObject_['signData'];
+            var requestChallengeObject = null;
+            for (var i = 0; i < challengesList.length; i++) {
+                var challengeObject = challengesList[i];
+                if (challengeObject['keyHandle'] == responseObject['keyHandle']) {
+                    requestChallengeObject = challengeObject;
+                    break;
+                }
+            }
+        }
+        var responseData = {
+            'errorCode': responseObject['resultCode'],
+            'keyHandle': responseObject['keyHandle'],
+            'signatureData': responseObject['signature'],
+            'clientData': encodedChallengeObject
+        };
+        return {
+            'type': u2f.MessageTypes.U2F_SIGN_RESPONSE,
+            'responseData': responseData,
+            'requestId': responseObject['requestId']
+        }
+    };
+
+// Base URL for intents to Authenticator.
+u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
+    'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
+
+// Format a return a sign request.
+u2f.WrappedAuthenticatorPort_.prototype.formatSignRequest_ =
+    function(signRequests, timeoutSeconds, reqId) {
+        if (!signRequests || signRequests.length == 0) {
+            return null;
+        }
+        /* TODO(fixme): stash away requestId, as the authenticator app does
+         * not return it for sign responses. */
+        this.requestId_ = reqId;
+        /* TODO(fixme): stash away the signRequests, to deal with the legacy
+         * response format returned by the Authenticator app. */
+        this.requestObject_ = {
+            'type': u2f.MessageTypes.U2F_SIGN_REQUEST,
+            'signData': signRequests,
+            'requestId': reqId,
+            'timeout': timeoutSeconds
+        };
+
+        var appId = signRequests[0]['appId'];
+        var intentUrl =
+            u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
+            ';S.appId=' + encodeURIComponent(appId) +
+            ';S.eventId=' + reqId +
+            ';S.challenges=' +
+            encodeURIComponent(
+                JSON.stringify(this.getBrowserDataList_(signRequests))) + ';end';
+        return intentUrl;
+    };
+
+// Get the browser data objects from the challenge list
+u2f.WrappedAuthenticatorPort_
+    .prototype.getBrowserDataList_ = function(challenges) {
+    return challenges
+        .map(function(challenge) {
+            var browserData = {
+                'typ': 'navigator.id.getAssertion',
+                'challenge': challenge['challenge']
+            };
+            var challengeObject = {
+                'challenge' : browserData,
+                'keyHandle' : challenge['keyHandle']
+            };
+            return challengeObject;
+        });
+};
+
+// Format a return a register request.
+u2f.WrappedAuthenticatorPort_.prototype.formatRegisterRequest_ =
+    function(signRequests, enrollChallenges, timeoutSeconds, reqId) {
+        if (!enrollChallenges || enrollChallenges.length == 0) {
+            return null;
+        }
+        // Assume the appId is the same for all enroll challenges.
+        var appId = enrollChallenges[0]['appId'];
+        var registerRequests = [];
+        for (var i = 0; i < enrollChallenges.length; i++) {
+            var registerRequest = {
+                'challenge': enrollChallenges[i]['challenge'],
+                'version': enrollChallenges[i]['version']
+            };
+            if (enrollChallenges[i]['appId'] != appId) {
+                // Only include the appId when it differs from the first appId.
+                registerRequest['appId'] = enrollChallenges[i]['appId'];
+            }
+            registerRequests.push(registerRequest);
+        }
+        var registeredKeys = [];
+        if (signRequests) {
+            for (i = 0; i < signRequests.length; i++) {
+                var key = {
+                    'keyHandle': signRequests[i]['keyHandle'],
+                    'version': signRequests[i]['version']
+                };
+                // Only include the appId when it differs from the appId that's
+                // being registered now.
+                if (signRequests[i]['appId'] != appId) {
+                    key['appId'] = signRequests[i]['appId'];
+                }
+                registeredKeys.push(key);
+            }
+        }
+        var request = {
+            'type': u2f.MessageTypes.U2F_REGISTER_REQUEST,
+            'appId': appId,
+            'registerRequests': registerRequests,
+            'registeredKeys': registeredKeys,
+            'requestId': reqId,
+            'timeoutSeconds': timeoutSeconds
+        };
+        var intentUrl =
+            u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
+            ';S.request=' + encodeURIComponent(JSON.stringify(request)) +
+            ';end';
+        /* TODO(fixme): stash away requestId, this is is not necessary for
+         * register requests, but here to keep parity with sign.
+         */
+        this.requestId_ = reqId;
+        return intentUrl;
+    };
+
+
+// Sets up an embedded trampoline iframe, sourced from the extension.
+u2f.getIframePort_ = function(callback) {
+    // Create the iframe
+    var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
+    var iframe = document.createElement('iframe');
+    iframe.src = iframeOrigin + '/u2f-comms.html';
+    iframe.setAttribute('style', 'display:none');
+    document.body.appendChild(iframe);
+
+    var channel = new MessageChannel();
+    var ready = function(message) {
+        if (message.data == 'ready') {
+            channel.port1.removeEventListener('message', ready);
+            callback(channel.port1);
+        } else {
+            console.error('First event on iframe port was not "ready"');
+        }
+    };
+    channel.port1.addEventListener('message', ready);
+    channel.port1.start();
+
+    iframe.addEventListener('load', function() {
+        // Deliver the port to the iframe and initialize
+        iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
+    });
+};
+
+
+// High-level JS API
+
+// Default extension response timeout in seconds.
+u2f.EXTENSION_TIMEOUT_SEC = 30;
+
+// A singleton instance for a MessagePort to the extension.
+u2f.port_ = null;
+
+// Callbacks waiting for a port
+u2f.waitingForPort_ = [];
+
+// A counter for requestIds.
+u2f.reqCounter_ = 0;
+
+// A map from requestIds to client callbacks
+u2f.callbackMap_ = {};
+
+// Creates or retrieves the MessagePort singleton to use.
+u2f.getPortSingleton_ = function(callback) {
+    if (u2f.port_) {
+        callback(u2f.port_);
+    } else {
+        if (u2f.waitingForPort_.length == 0) {
+            u2f.getMessagePort(function(port) {
+                u2f.port_ = port;
+                u2f.port_.addEventListener('message',
+                    /** @type {function(Event)} */ (u2f.responseHandler_));
+
+                // Careful, here be async callbacks. Maybe.
+                while (u2f.waitingForPort_.length)
+                    u2f.waitingForPort_.shift()(u2f.port_);
+            });
+        }
+        u2f.waitingForPort_.push(callback);
+    }
+};
+
+// Handles response messages from the extension.
+u2f.responseHandler_ = function(message) {
+    var response = message.data;
+    var reqId = response['requestId'];
+    if (!reqId || !u2f.callbackMap_[reqId]) {
+        console.error('Unknown or missing requestId in response.');
+        return;
+    }
+    var cb = u2f.callbackMap_[reqId];
+    delete u2f.callbackMap_[reqId];
+    cb(response['responseData']);
+};
+
+// Dispatches an array of sign requests to available U2F tokens.
+u2f.sign = function(signRequests, callback, opt_timeoutSeconds) {
+    u2f.getPortSingleton_(function(port) {
+        var reqId = ++u2f.reqCounter_;
+        u2f.callbackMap_[reqId] = callback;
+        var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+            opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+        var req = port.formatSignRequest_(signRequests, timeoutSeconds, reqId);
+        port.postMessage(req);
+    });
+};
+
+// Dispatches register requests to available U2F tokens. An array of sign
+// requests identifies already registered tokens.
+u2f.register = function(registerRequests, signRequests,
+                        callback, opt_timeoutSeconds) {
+    u2f.getPortSingleton_(function(port) {
+        var reqId = ++u2f.reqCounter_;
+        u2f.callbackMap_[reqId] = callback;
+        var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+            opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+        var req = port.formatRegisterRequest_(
+            signRequests, registerRequests, timeoutSeconds, reqId);
+        port.postMessage(req);
+    });
+};
+
+// Everything below is Gazelle-specific and not part of the u2f API
+
+function initU2F() {
+  if (document.querySelector('#u2f_register_form') && document.querySelector('[name="u2f-request"]')) {
+    var req = JSON.parse($('[name="u2f-request"]').raw().value);
+    var sigs = JSON.parse($('[name="u2f-sigs"]').raw().value);
+    if (req) {
+      u2f.register([req], sigs, function(data) {
+        if (data.errorCode) {
+          console.log('U2F Register Error: ' + Object.keys(u2f.ErrorCodes).find(k => u2f.ErrorCodes[k] == data.errorCode));
+          return;
+        }
+        $('[name="u2f-response"]').raw().value = JSON.stringify(data);
+        $('[value="U2F-E"]').raw().name = 'type'
+        $('#u2f_register_form').submit();
+      }, 3600)
+    }
+  }
+
+  if (document.querySelector('#u2f_sign_form') && document.querySelector('[name="u2f-request"]')) {
+    var req = JSON.parse($('[name="u2f-request"]').raw().value);
+    if (req) {
+      u2f.sign(req, function(data) {
+        if (data.errorCode) {
+          console.log('U2F Sign Error: ' + Object.keys(u2f.ErrorCodes).find(k => u2f.ErrorCodes[k] == data.errorCode));
+          return;
+        }
+        $('[name="u2f-response"]').raw().value = JSON.stringify(data);
+        $('#u2f_sign_form').submit();
+      }, 3600)
+    }
+  }
+}
+
+if (document.readyState != 'loading') {
+  initU2F();
+} else {
+  document.addEventListener("DOMContentLoaded", initU2F);
+}

static/styles/beluga/style.css

@@ -503,6 +503,14 @@ p.min_padding {
   vertical-align: middle
 }
 
+.alertbar.error {
+  background-color: #c73f3f;
+}
+
+.alertbar.warning {
+  background-color: #c58b09;
+}
+
 .alertbar a {
   display: inline-block;
   position: relative;
@@ -512,7 +520,11 @@ p.min_padding {
   text-decoration: underline
 }
 
-#alerts a, .alertbar a,.torrent_table .group a,.ui-state-hover,a.ui-state-hover,li.ui-state-hover {
+.alertbar.modbar > a {
+  margin: 0 5px;
+}
+
+.torrent_table .group a, .ui-state-hover, a.ui-state-hover, li.ui-state-hover {
   color: #FFF;
 }
 
@@ -521,10 +533,6 @@ p.min_padding {
   text-decoration: none;
 }
 
-.alertbar {
-  color: transparent;
-}
-
 .alertbar a[href="news.php"] {
   background: linear-gradient(#045362,#0d5968);
 }

static/styles/genaviv/style.css

@@ -111,10 +111,13 @@ span.r99,.r09,.r10,.r20,.r30,.r40,.r50 {
   border-bottom:2px solid #45847e!important
 }
 #header>#menu ul>li.active>a {
-  color:#32867d
+  color:#32867d;
 }
-#header .alertbar a {
-  color:#32867d
+.alertbar a {
+  color:#32867d;
+}
+.alertbar.modbar a {
+  margin: 0px 5px;
 }
 .box.filter_torrents .head,.colhead td,.colhead_dark td,tr.colhead,tr.colhead_dark,#inbox .box .head,#inbox .box .head,#reply_box h3,#inbox form .send_form #quickpost h3,.sidebar .box .head,.main_column .box .head.colhead_dark,.box.news_post .head,tr.colhead,tr.colhead_dark,.head.colhead_dark,.main_column .box .head {
   background:#5aada5;
@@ -200,7 +203,16 @@ span.last_read {
   text-shadow:none!important;color:inherit!important;font-size:inherit!important;font-family:inherit!important;
 }
 .alertbar {
-  padding:7px
+  text-align:center;
+  padding:10px;
+  background:#D0D0D0;
+  text-align:center;
+}
+.alertbar.warning {
+  color:#cc7100;
+}
+.alertbar.error {
+  color:#ff0000;
 }
 .sidebar .stats.nobullet a {
   padding:3px 6px
@@ -828,9 +840,6 @@ div#alerts {
 .forum-post__heading,.forum_post tr.colhead_dark,.forum_post .colhead_dark td {
   max-height:32px;padding-top:0;padding-bottom:0;height:32px;line-height:32px;
 }
-.alertbar {
-  text-align:center
-}
 .colhead td,.colhead_dark td,#inbox .box .head,.box.filter_torrents .head,#reply_box h3,tr .colhead_dark td,.sidebar .box .head,.main_column .box .head.colhead_dark,.box.news_post .head,tr.colhead,tr.colhead_dark,.head.colhead_dark,.main_column .box .head {
 
 }
@@ -1427,11 +1436,6 @@ div.noty_bar {
 table#torrent_table strong {
   color:#313131
 }
-.alertbar {
-  padding:10px;
-  background:#D0D0D0;
-  text-align:center;
-}
 .box.filter_torrents .head,.colhead td,.colhead_dark td,tr.colhead,tr.colhead_dark,#inbox .box .head,#inbox .box .head,#reply_box h3,#inbox form .send_form #quickpost h3,.sidebar .box .head,.main_column .box .head.colhead_dark,.box.news_post .head,tr.colhead,tr.colhead_dark,.head.colhead_dark,.main_column .box .head {
   color:#F7F7F7;
 }

static/styles/global.css

@@ -934,6 +934,11 @@ input[type="search"] {
   max-width: 100%;
 }
 
+#publickey {
+  width: initial;
+  font-family: monospace;
+}
+
 .hidden {
   display: none;
 }

static/styles/oppai/style.css

@@ -360,7 +360,6 @@ ul.thin li { margin:0px 0px; padding:0px; }
 }
 
 .alertbar {
-  /* border: 1px solid #999; */
   background-color: #fbc2e5;
   text-align: center;
   color: #444;
@@ -369,11 +368,21 @@ ul.thin li { margin:0px 0px; padding:0px; }
   width: 350px;
   margin: 0 auto 0px auto;
   padding: 10px;
+  margin-bottom: 8px;
+}
+.alertbar.warning {
+  background-color: #ffe68a;
+}
+.alertbar.error {
+  background-color: #ff8a8a;
 }
 .alertbar a {
   color: #555;
   text-decoration: underline;
 }
+.alertbar.modbar a {
+  margin: 0px 5px;
+}
 .alertbar a:hover {
   color: #777;
   text-decoration: none;