Home Explore Help
Register Sign In
Oppaitime
/
Gazelle
Watch 9
Star 11
Fork 18
Code Issues 21 Pull Requests 7 Releases 0 Wiki Activity
Oppaitime's version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
470 Commits
1 Branch
Tree: 83c5b4fae3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '83c5b4fae3'
${ noResults }
Gazelle/sections/user/2fa.php

2fa.php 8.3KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180 
  1. <?

  2. require_once(SERVER_ROOT.'/classes/twofa.class.php');

  3. require_once(SERVER_ROOT.'/classes/u2f.class.php');

  4. 

  5. $TwoFA = new TwoFactorAuth(SITE_NAME);

  6. $U2F = new u2f\U2F('https://'.SITE_DOMAIN);

  7. if ($Type = $_POST['type'] ?? false) {

  8.   if ($Type == 'PGP') {

  9.     if (!empty($_POST['publickey']) && (strpos($_POST['publickey'], 'BEGIN PGP PUBLIC KEY BLOCK') === false || strpos($_POST['publickey'], 'END PGP PUBLIC KEY BLOCK') === false)) {

  10.       $Error = "Invalid PGP public key";

  11.     } else {

  12.       $DB->query("

  13.         UPDATE users_main

  14.         SET PublicKey = '".db_string($_POST['publickey'])."'

  15.         WHERE ID = $UserID");

  16.       $Message = 'Public key '.(empty($_POST['publickey']) ? 'removed' : 'updated') ;

  17.     }

  18.   }

  19.   if ($Type == '2FA-E') {

  20.     if ($TwoFA->verifyCode($_POST['twofasecret'], $_POST['twofa'])) {

  21.       $DB->query("

  22.         UPDATE users_main

  23.         SET TwoFactor='".db_string($_POST['twofasecret'])."'

  24.         WHERE ID = $UserID");

  25.       $Message = "Two Factor Authentication enabled";

  26.     } else {

  27.       $Error = "Invalid 2FA verification code";

  28.     }

  29.   }

  30.   if ($Type == '2FA-D') {

  31.     $DB->query("

  32.       UPDATE users_main

  33.       SET TwoFactor = NULL

  34.       WHERE ID = $UserID");

  35.     $Message = "Two Factor Authentication disabled";

  36.   }

  37.   if ($Type == 'U2F-E') {

  38.     try {

  39.       $U2FReg = $U2F->doRegister(json_decode($_POST['u2f-request']), json_decode($_POST['u2f-response']));

  40.       $DB->query("

  41.       INSERT INTO u2f

  42.       (UserID, KeyHandle, PublicKey, Certificate, Counter, Valid)

  43.       Values ($UserID, '".db_string($U2FReg->keyHandle)."', '".db_string($U2FReg->publicKey)."', '".db_string($U2FReg->certificate)."', '".db_string($U2FReg->counter)."', '1')");

  44.       $Message = "U2F token registered";

  45.     } catch(Exception $e) {

  46.       $Error = "Failed to register U2F token";

  47.     }

  48.   }

  49.   if ($Type == 'U2F-D') {

  50.     $DB->query("

  51.       DELETE FROM u2f

  52.       WHERE UserID = $UserID");

  53.     $Message = 'U2F tokens deregistered';

  54.   }

  55. }

  56. 

  57. $U2FRegs = [];

  58. $DB->query("

  59.   SELECT KeyHandle, PublicKey, Certificate, Counter

  60.   FROM u2f

  61.   WHERE UserID = $UserID");

  62. // Needs to be an array of objects, so we can't use to_array()

  63. while (list($KeyHandle, $PublicKey, $Certificate, $Counter) = $DB->next_record()) {

  64.   $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter];

  65. }

  66. 

  67. $DB->query("

  68.   SELECT PublicKey, TwoFactor

  69.   FROM users_main

  70.   WHERE ID = $UserID");

  71. list($PublicKey, $TwoFactor) = $DB->next_record();

  72. 

  73. list($U2FRequest, $U2FSigs) = $U2F->getRegisterData($U2FRegs);

  74. 

  75. View::show_header("Two-factor Authentication Settings", 'u2f');

  76. ?>

  77. <h2>Additional Account Security Options</h2>

  78. <div class="thin">

  79. <? if (isset($Message)) { ?>

  80.     <div class="alertbar"><?=$Message?></div>

  81. <? }

  82.    if (isset($Error)) { ?>

  83.     <div class="alertbar error"><?=$Error?></div>

  84. <? } ?>

  85.     <div class="box">

  86.       <div class="head">

  87.         <strong>PGP Public Key</strong>

  88.       </div>

  89.       <div class="pad">

  90.   <? if (empty($PublicKey)) {

  91.        if (!empty($TwoFactor) || sizeof($U2FRegs) > 0) { ?>

  92.         <strong class="important_text">You have a form of 2FA enabled but no PGP key associated with your account. If you lose access to your 2FA device, you will permanently lose access to your account.</strong>

  93.   <?   } ?>

  94.         <p>When setting up any form of second factor authentication, it is strongly recommended that you add your PGP public key as a form of secure recovery in the event that you lose access to your second factor device.</p>

  95.         <p>After adding a PGP public key to your account, you will be able to disable your account's second factor protection by solving a challenge that only someone with your private key could solve.</p>

  96.         <p>Additionally, being able to solve such a challenge when given manually by staff will suffice to provide proof of ownership of your account, provided no revocation certificate has been published for your key.</p>

  97.         <p>Before adding your PGP public key, please make sure that you have taken the necessary precautions to protect it from loss (backup) or theft (revocation certificate).</p>

  98.   <? } else { ?>

  99.         <p>The PGP public key associated with your account is shown below.</p>

  100.         <p>This key can be used to create challenges that are only solvable by the holder of the related private key. Successfully solving these challenges is necessary for disabling any form of second factor authentication or proving ownership of this account to staff when you are unable to login.</p>

  101.   <? } ?>

  102.         <form method="post">

  103.           <input type="hidden" name="type" value="PGP">

  104.           Public Key:

  105.           <br>

  106.           <textarea name="publickey" id="publickey" spellcheck="false" cols="64" rows="8"><?=display_str($PublicKey)?></textarea>

  107.           <br>

  108.           <button type="submit" name="type" value="PGP">Update Public Key</button>

  109.         </form>

  110.       </div>

  111.     </div>

  112.     <div class="box">

  113.       <div class="head">

  114.         <strong>Two-Factor Authentication (2FA-TOTP)</strong>

  115.       </div>

  116.       <div class="pad">

  117. <?    $TwoFASecret = empty($TwoFactor) ? $TwoFA->createSecret() : $TwoFactor;

  118.       if (empty($TwoFactor)) {

  119.         if (sizeof($U2FRegs) == 0) { ?>

  120.           <p>Two Factor Authentication is not currently enabled for this account.</p>

  121.           <p>To enable it, add the secret key below to your 2FA client either manually or by scanning the QR code, then enter a verification code generated by your 2FA client and click the "Enable 2FA" button.</p>

  122.           <form method="post">

  123.             <input type="text" size="60" name="twofasecret" id="twofasecret" value="<?=$TwoFASecret?>" readonly><br>

  124.             <img src="<?=$TwoFA->getQRCodeImageAsDataUri(SITE_NAME.':'.$LoggedUser['Username'], $TwoFASecret)?>"><br>

  125.             <input type="text" size="20" maxlength="6" pattern="[0-9]{0,6}" name="twofa" id="twofa" placeholder="Verification Code" autocomplete="off"><br><br>

  126.             <button type="submit" name="type" value="2FA-E">Enable 2FA</button>

  127.           </form>

  128. <?      } else { ?>

  129.           <p>Two Factor Authentication is not currently enabled for this account.</p>

  130.           <p>To enable 2FA, you must first disable U2F below.</p>

  131. <?      }

  132.       } else {?>

  133.         <form method="post">

  134.           <input type="hidden" name="type" value="2FA-D">

  135.           <p>2FA is enabled for this account with the following secret:</p>

  136.           <input type="text" size="20" name="twofasecret" id="twofasecret" value="<?=$TwoFASecret?>" readonly><br>

  137.           <img src="<?=$TwoFA->getQRCodeImageAsDataUri(SITE_NAME.':'.$LoggedUser['Username'], $TwoFASecret)?>"><br><br>

  138.           <p>To disable 2FA, click the button below.</p>

  139.           <button type="submit" name="type" value="2FA-D">Disable 2FA</button>

  140.         </form>

  141. <?    } ?>

  142.       </div>

  143.     </div>

  144.     <div class="box">

  145.       <div class="head">

  146.         <strong>Universal Two Factor (FIDO U2F)</strong>

  147.       </div>

  148.       <div class="pad">

  149. <?    if (sizeof($U2FRegs) == 0) { ?>

  150. <?      if (empty($TwoFactor)) { ?>

  151.           <form method="post" id="u2f_register_form">

  152.             <input type="hidden" name="u2f-request" value='<?=json_encode($U2FRequest)?>'>

  153.             <input type="hidden" name="u2f-sigs" value='<?=json_encode($U2FSigs)?>'>

  154.             <input type="hidden" name="u2f-response">

  155.             <input type="hidden" value="U2F-E">

  156.           </form>

  157.           <p>Universal Two Factor is not currently enabled for this account.</p>

  158.           <p>To enable Universal Two Factor, plug in your U2F token and press the button on it.</p>

  159. <?      } else { ?>

  160.           <p>Universal Two Factor is not currently enabled for this account.</p>

  161.           <p>To enable Universal Two Factor, you must first disable normal 2FA above.</p>

  162. <?      } ?>

  163. <?    } else { ?>

  164.         <form method="post" id="u2f_register_form">

  165.           <input type="hidden" name="u2f-request" value='<?=json_encode($U2FRequest)?>'>

  166.           <input type="hidden" name="u2f-sigs" value='<?=json_encode($U2FSigs)?>'>

  167.           <input type="hidden" name="u2f-response">

  168.           <input type="hidden" value="U2F-E">

  169.           <p>Universal Two Factor is enabled.</p>

  170.           <p>To add an additional U2F token, plug it in and press the button on it</p>

  171.           <p>To disable U2F completely and deregister all tokens, press the button below</p>

  172.           <button type="submit" name="type" value="U2F-D">Disable U2F</button>

  173.         </form>

  174. <?    } ?>

  175.       </div>

  176.     </div>

  177. </div>

  178. <?

  179. View::show_footer();

  180. ?>