1.34.0/php/TOTPKey_8php_source.html

<?php


namespace MediaWiki\Extension\OATHAuth\Key;


use Base32\Base32;

use jakobo\HOTP\HOTP;

use MediaWiki\Extension\OATHAuth\OATHUser;

use Psr\Log\LoggerInterface;

use MediaWiki\Logger\LoggerFactory;

use DomainException;

use Exception;

use MWException;

use CentralIdLookup;

use MediaWiki\MediaWikiServices;

use MediaWiki\Extension\OATHAuth\IAuthKey;


class TOTPKey implements IAuthKey {

    const MAIN_TOKEN = 1;


    const SCRATCH_TOKEN = -1;


    private $secret;


    private $scratchTokens = [];


    public static function newFromRandom() {

        $object = new self(

            Base32::encode( random_bytes( 10 ) ),

            []

        );


        $object->regenerateScratchTokens();


        return $object;

    }


    public static function newFromString( $data ) {

        $data = json_decode( $data, true );

        if ( json_last_error() !== JSON_ERROR_NONE ) {

            return null;

        }

        return static::newFromArray( $data );

    }


    public static function newFromArray( array $data ) {

        if ( !isset( $data['secret'] ) || !isset( $data['scratch_tokens'] ) ) {

            return null;

        }

        return new static( $data['secret'], $data['scratch_tokens'] );

    }


    public function __construct( $secret, array $scratchTokens ) {

        // Currently hardcoded values; might be used in future

        $this->secret = [

            'mode' => 'hotp',

            'secret' => $secret,

            'period' => 30,

            'algorithm' => 'SHA1',

        ];

        $this->scratchTokens = $scratchTokens;

    }


    public function getSecret() {

        return $this->secret['secret'];

    }


    public function getScratchTokens() {

        return $this->scratchTokens;

    }


    public function verify( $data, OATHUser $user ) {

        global $wgOATHAuthWindowRadius;


        $token = $data['token'];


        if ( $this->secret['mode'] !== 'hotp' ) {

            throw new DomainException( 'OATHAuth extension does not support non-HOTP tokens' );

        }


        // Prevent replay attacks

        $store = MediaWikiServices::getInstance()->getMainObjectStash();

        $uid = CentralIdLookup::factory()->centralIdFromLocalUser( $user->getUser() );

        $key = $store->makeKey( 'oathauth-totp', 'usedtokens', $uid );

        $lastWindow = (int)$store->get( $key );


        $retval = false;

        $results = HOTP::generateByTimeWindow(

            Base32::decode( $this->secret['secret'] ),

            $this->secret['period'], -$wgOATHAuthWindowRadius, $wgOATHAuthWindowRadius

        );


        // Remove any whitespace from the received token, which can be an intended group seperator

        // or trimmeable whitespace

        $token = preg_replace( '/\s+/', '', $token );


        $clientIP = $user->getUser()->getRequest()->getIP();


        $logger = $this->getLogger();


        // Check to see if the user's given token is in the list of tokens generated

        // for the time window.

        foreach ( $results as $window => $result ) {

            if ( $window > $lastWindow && $result->toHOTP( 6 ) === $token ) {

                $lastWindow = $window;

                $retval = self::MAIN_TOKEN;


                $logger->info( 'OATHAuth user {user} entered a valid OTP from {clientip}', [

                    'user' => $user->getAccount(),

                    'clientip' => $clientIP,

                ] );

                break;

            }

        }


        // See if the user is using a scratch token

        if ( !$retval ) {

            $length = count( $this->scratchTokens );

            // Detect condition where all scratch tokens have been used

            if ( $length === 1 && $this->scratchTokens[0] === "" ) {

                $retval = false;

            } else {

                for ( $i = 0; $i < $length; $i++ ) {

                    if ( $token === $this->scratchTokens[$i] ) {

                        // If there is a scratch token, remove it from the scratch token list

                        unset( $this->scratchTokens[$i] );


                        $logger->info( 'OATHAuth user {user} used a scratch token from {clientip}', [

                            'user' => $user->getAccount(),

                            'clientip' => $clientIP,

                        ] );


                        $auth = MediaWikiServices::getInstance()->getService( 'OATHAuth' );

                        $module = $auth->getModuleByKey( 'totp' );

                        $userRepo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );

                        $user->addKey( $this );

                        $user->setModule( $module );

                        $userRepo->persist( $user, $clientIP );

                        // Only return true if we removed it from the database

                        $retval = self::SCRATCH_TOKEN;

                        break;

                    }

                }

            }

        }


        if ( $retval ) {

            $store->set(

                $key,

                $lastWindow,

                $this->secret['period'] * ( 1 + 2 * $wgOATHAuthWindowRadius )

            );

        } else {

            $logger->info( 'OATHAuth user {user} failed OTP/scratch token from {clientip}', [

                'user' => $user->getAccount(),

                'clientip' => $clientIP,

            ] );


            // Increase rate limit counter for failed request

            $user->getUser()->pingLimiter( 'badoath' );

        }


        return $retval;

    }


    public function regenerateScratchTokens() {

        $scratchTokens = [];

        for ( $i = 0; $i < 10; $i++ ) {

            $scratchTokens[] = Base32::encode( random_bytes( 10 ) );

        }

        $this->scratchTokens = $scratchTokens;

    }


    public function isScratchToken( $token ) {

        $token = preg_replace( '/\s+/', '', $token );

        return in_array( $token, $this->scratchTokens, true );

    }


    private function getLogger() {

        return LoggerFactory::getInstance( 'authentication' );

    }


    public function jsonSerialize() {

        return [

            'secret' => $this->getSecret(),

            'scratch_tokens' => $this->getScratchTokens()

        ];

    }

}