Home Explore Help
Register Sign In
biotorrents
/
Gazelle
forked from Oppaitime/Gazelle
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 2 Wiki Activity
BioTorrents.de’s version of Gazelle
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1092 Commits
2 Branches
Tree: dd0c25cf67
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dd0c25cf67'
${ noResults }
Gazelle/sections/user/2fa.php

2fa.php 9.0KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277 
  1. <?php

  2. declare(strict_types = 1);

  3. 

  4. $ENV = ENV::go();

  5. require_once SERVER_ROOT.'/classes/twofa.class.php';

  6. require_once SERVER_ROOT.'/classes/u2f.class.php';

  7. 

  8. $TwoFA = new TwoFactorAuth($ENV->SITE_NAME);

  9. $U2F = new u2f\U2F('https://'.SITE_DOMAIN);

  10. 

  11. if ($Type = $_POST['type'] ?? false) {

  12.     if ($Type === 'PGP') {

  13.         if (!empty($_POST['publickey']) && (strpos($_POST['publickey'], 'BEGIN PGP PUBLIC KEY BLOCK') === false || strpos($_POST['publickey'], 'END PGP PUBLIC KEY BLOCK') === false)) {

  14.             $Error = "Invalid PGP public key";

  15.         } else {

  16.             $DB->query("

  17.               UPDATE users_main

  18.               SET PublicKey = '".db_string($_POST['publickey'])."'

  19.               WHERE ID = $UserID");

  20.             $Message = 'Public key '.(empty($_POST['publickey']) ? 'removed' : 'updated') ;

  21.         }

  22.     }

  23. 

  24.     if ($Type === '2FA-E') {

  25.         if ($TwoFA->verifyCode($_POST['twofasecret'], $_POST['twofa'])) {

  26.             $DB->query("

  27.               UPDATE users_main

  28.               SET TwoFactor='".db_string($_POST['twofasecret'])."'

  29.               WHERE ID = $UserID");

  30.             $Message = "Two Factor Authentication enabled";

  31.         } else {

  32.             $Error = "Invalid 2FA verification code";

  33.         }

  34.     }

  35. 

  36.     if ($Type === '2FA-D') {

  37.         $DB->query("

  38.           UPDATE users_main

  39.           SET TwoFactor = NULL

  40.           WHERE ID = $UserID");

  41.         $Message = "Two Factor Authentication disabled";

  42.     }

  43. 

  44.     if ($Type === 'U2F-E') {

  45.         try {

  46.             $U2FReg = $U2F->doRegister(json_decode($_POST['u2f-request']), json_decode($_POST['u2f-response']));

  47.             $DB->query("

  48.               INSERT INTO u2f

  49.                 (UserID, KeyHandle, PublicKey, Certificate, Counter, Valid)

  50.               Values ($UserID, '".db_string($U2FReg->keyHandle)."', '".db_string($U2FReg->publicKey)."', '".db_string($U2FReg->certificate)."', '".db_string($U2FReg->counter)."', '1')");

  51.             $Message = "U2F token registered";

  52.         } catch (Exception $e) {

  53.             $Error = "Failed to register U2F token";

  54.         }

  55.     }

  56. 

  57.     if ($Type === 'U2F-D') {

  58.         $DB->query("

  59.           DELETE FROM u2f

  60.           WHERE UserID = $UserID");

  61.         $Message = 'U2F tokens deregistered';

  62.     }

  63. }

  64. 

  65. $U2FRegs = [];

  66. $DB->query("

  67.   SELECT KeyHandle, PublicKey, Certificate, Counter

  68.   FROM u2f

  69.   WHERE UserID = $UserID");

  70. 

  71. // Needs to be an array of objects, so we can't use to_array()

  72. while (list($KeyHandle, $PublicKey, $Certificate, $Counter) = $DB->next_record()) {

  73.     $U2FRegs[] = (object)['keyHandle'=>$KeyHandle, 'publicKey'=>$PublicKey, 'certificate'=>$Certificate, 'counter'=>$Counter];

  74. }

  75. 

  76. $DB->query("

  77.   SELECT PublicKey, TwoFactor

  78.   FROM users_main

  79.   WHERE ID = $UserID");

  80. 

  81. list($PublicKey, $TwoFactor) = $DB->next_record();

  82. list($U2FRequest, $U2FSigs) = $U2F->getRegisterData($U2FRegs);

  83. View::show_header("2FA Settings", 'u2f');

  84. ?>

  85. 

  86. <h2>Additional Account Security Options</h2>

  87. <div>

  88.   <?php if (isset($Message)) { ?>

  89.   <div class="alertbar"><?=$Message?>

  90.   </div>

  91.   <?php }

  92. 

  93.    if (isset($Error)) { ?>

  94.   <div class="alertbar error"><?=$Error?>

  95.   </div>

  96.   <?php } ?>

  97. 

  98.   <div class="box">

  99.     <div class="head">

  100.       <strong>PGP Public Key</strong>

  101.     </div>

  102. 

  103.     <div class="pad">

  104.       <?php if (empty($PublicKey)) {

  105.        if (!empty($TwoFactor) || sizeof($U2FRegs) > 0) { ?>

  106.       <strong class="important_text">

  107.         You have a form of 2FA enabled but no PGP key associated with your account.

  108.         If you lose access to your 2FA device, you will permanently lose access to your account.

  109.       </strong>

  110.       <?php } ?>

  111. 

  112.       <p>

  113.         When setting up any form of second factor authentication, it is strongly recommended that you add your PGP

  114.         public key as a form of secure recovery in the event that you lose access to your second factor device.

  115.       </p>

  116. 

  117.       <p>

  118.         After adding a PGP public key to your account, you will be able to disable your account's second factor

  119.         protection by solving a challenge that only someone with your private key could solve.

  120.       </p>

  121. 

  122.       <p>

  123.         Additionally, being able to solve such a challenge when given manually by staff will suffice to provide proof of

  124.         ownership of your account, provided no revocation certificate has been published for your key.

  125.       </p>

  126. 

  127.       <p>

  128.         Before adding your PGP public key, please make sure that you have taken the necessary precautions to protect it

  129.         from loss (backup) or theft (revocation certificate).

  130.       </p>

  131.       <?php

  132.    } else { ?>

  133.       <p>

  134.         The PGP public key associated with your account is shown below.

  135.       </p>

  136. 

  137.       <p>

  138.         This key can be used to create challenges that are only solvable by the holder of the related private key.

  139.         Successfully solving these challenges is necessary for disabling any form of second factor authentication or

  140.         proving ownership of this account to staff when you are unable to login.

  141.       </p>

  142.       <?php } ?>

  143. 

  144.       <form method="post">

  145.         <input type="hidden" name="type" value="PGP">

  146.         Public Key

  147.         <br />

  148. 

  149.         <textarea name="publickey" id="publickey" spellcheck="false" cols="64"

  150.           rows="8"><?=display_str($PublicKey)?></textarea>

  151.         <br />

  152. 

  153.         <button type="submit" name="type" value="PGP">Update Public Key</button>

  154.       </form>

  155.     </div>

  156.   </div>

  157. 

  158.   <div class="box">

  159.     <div class="head">

  160.       <strong>Two-Factor Authentication (2FA-TOTP)</strong>

  161.     </div>

  162. 

  163.     <div class="pad">

  164.       <?php $TwoFASecret = empty($TwoFactor) ? $TwoFA->createSecret() : $TwoFactor;

  165.       if (empty($TwoFactor)) {

  166.           if (sizeof($U2FRegs) === 0) { ?>

  167.       <p>

  168.         Two Factor Authentication is not currently enabled for this account.

  169.         To enable it, add the secret key below to your 2FA client either manually or by scanning the QR code, then enter

  170.         a verification code generated by your 2FA client and click the "Enable 2FA" button.

  171.       </p>

  172. 

  173.       <form method="post">

  174.         <input type="text" size="60" name="twofasecret" id="twofasecret"

  175.           value="<?=$TwoFASecret?>" readonly><br>

  176.         <img

  177.           src="<?=$TwoFA->getQRCodeImageAsDataUri($ENV->SITE_NAME.':'.$LoggedUser['Username'], $TwoFASecret)?>" />

  178.         <br />

  179. 

  180.         <input type="text" size="20" maxlength="6" pattern="[0-9]{0,6}" name="twofa" id="twofa"

  181.           placeholder="Verification Code" autocomplete="off">

  182.         <br /><br />

  183. 

  184.         <button type="submit" name="type" value="2FA-E">Enable 2FA</button>

  185.       </form>

  186. 

  187.       <?php } else { ?>

  188.       <p>

  189.         Two Factor Authentication is not currently enabled for this account.

  190.         To enable 2FA, you must first disable U2F below.

  191.       </p>

  192.       <?php }

  193.       } else {?>

  194.       <form method="post">

  195.         <input type="hidden" name="type" value="2FA-D">

  196.         <p>

  197.           2FA is enabled for this account with the following secret:

  198.         </p>

  199. 

  200.         <p>

  201.           <input type="text" size="50" name="twofasecret" id="twofasecret"

  202.             value="<?=$TwoFASecret?>" onclick="this.select()"

  203.             readonly />

  204.         </p>

  205. 

  206.         <p>

  207.           <img

  208.             src="<?=$TwoFA->getQRCodeImageAsDataUri($ENV->SITE_NAME.':'.$LoggedUser['Username'], $TwoFASecret)?>" />

  209.         </p>

  210. 

  211.         <p>

  212.           To disable 2FA, click the button below.

  213.         </p>

  214. 

  215.         <button type="submit" name="type" value="2FA-D">Disable 2FA</button>

  216.       </form>

  217.       <?php } ?>

  218.     </div>

  219.   </div>

  220. 

  221.   <div class="box">

  222.     <div class="head">

  223.       <strong>Universal Two Factor (FIDO U2F)</strong>

  224.     </div>

  225. 

  226.     <div class="pad">

  227.       <?php if (sizeof($U2FRegs) === 0) { ?>

  228.       <?php if (empty($TwoFactor)) { ?>

  229.       <form method="post" id="u2f_register_form">

  230.         <input type="hidden" name="u2f-request"

  231.           value='<?=json_encode($U2FRequest)?>' />

  232. 

  233.         <input type="hidden" name="u2f-sigs"

  234.           value='<?=json_encode($U2FSigs)?>' />

  235. 

  236.         <input type="hidden" name="u2f-response" />

  237. 

  238.         <input type="hidden" value="U2F-E" />

  239.       </form>

  240. 

  241.       <p>

  242.         Universal Two Factor is not currently enabled for this account.

  243.         To enable Universal Two Factor, plug in your U2F token and press the button on it.

  244.       </p>

  245. 

  246.       <?php } else { ?>

  247.       <p>

  248.         Universal Two Factor is not currently enabled for this account.

  249.         To enable Universal Two Factor, you must first disable normal 2FA above.

  250.       </p>

  251.       <?php } ?>

  252. 

  253.       <?php } else { ?>

  254.       <form method="post" id="u2f_register_form">

  255.         <input type="hidden" name="u2f-request"

  256.           value='<?=json_encode($U2FRequest)?>' />

  257. 

  258.         <input type="hidden" name="u2f-sigs"

  259.           value='<?=json_encode($U2FSigs)?>' />

  260. 

  261.         <input type="hidden" name="u2f-response" />

  262. 

  263.         <input type="hidden" value="U2F-E" />

  264. 

  265.         <p>

  266.           Universal Two Factor is enabled.

  267.           To add an additional U2F token, plug it in and press the button on it.

  268.           To disable U2F completely and deregister all tokens, press the button below.

  269.         </p>

  270.         <button type="submit" name="type" value="U2F-D">Disable U2F</button>

  271.       </form>

  272.       <?php } ?>

  273.     </div>

  274.   </div>

  275. </div>

  276. <?php

  277. View::show_footer();