REL1_33/php/OATHAuthKey_8php_source.html

<?php

use Psr\Log\LoggerInterface;

use \MediaWiki\Logger\LoggerFactory;


class OATHAuthKey {

    const MAIN_TOKEN = 1;


    const SCRATCH_TOKEN = -1;


    private $secret;


    private $scratchTokens;


    public static function newFromRandom() {

        $object = new self(

            Base32::encode( random_bytes( 10 ) ),

            []

        );


        $object->regenerateScratchTokens();


        return $object;

    }


    public function __construct( $secret, array $scratchTokens ) {

        // Currently harcoded values; might be used in future

        $this->secret = [

            'mode' => 'hotp',

            'secret' => $secret,

            'period' => 30,

            'algorithm' => 'SHA1',

        ];

        $this->scratchTokens = $scratchTokens;

    }


    public function getSecret() {

        return $this->secret['secret'];

    }


    public function getScratchTokens() {

        return $this->scratchTokens;

    }


    public function verifyToken( $token, OATHUser $user ) {

        global $wgOATHAuthWindowRadius;


        if ( $this->secret['mode'] !== 'hotp' ) {

            throw new \DomainException( 'OATHAuth extension does not support non-HOTP tokens' );

        }


        // Prevent replay attacks

        $memc = ObjectCache::newAnything( [] );

        $uid = CentralIdLookup::factory()->centralIdFromLocalUser( $user->getUser() );

        $memcKey = wfMemcKey( 'oathauth', 'usedtokens', $uid );

        $lastWindow = (int)$memc->get( $memcKey );


        $retval = false;

        $results = HOTP::generateByTimeWindow(

            Base32::decode( $this->secret['secret'] ),

            $this->secret['period'], -$wgOATHAuthWindowRadius, $wgOATHAuthWindowRadius

        );


        // Remove any whitespace from the received token, which can be an intended group seperator

        // or trimmeable whitespace

        $token = preg_replace( '/\s+/', '', $token );


        $clientIP = $user->getUser()->getRequest()->getIP();


        $logger = $this->getLogger();


        // Check to see if the user's given token is in the list of tokens generated

        // for the time window.

        foreach ( $results as $window => $result ) {

            if ( $window > $lastWindow && $result->toHOTP( 6 ) === $token ) {

                $lastWindow = $window;

                $retval = self::MAIN_TOKEN;


                $logger->info( 'OATHAuth user {user} entered a valid OTP from {clientip}', [

                    'user' => $user->getAccount(),

                    'clientip' => $clientIP,

                ] );

                break;

            }

        }


        // See if the user is using a scratch token

        if ( !$retval ) {

            $length = count( $this->scratchTokens );

            // Detect condition where all scratch tokens have been used

            if ( $length === 1 && $this->scratchTokens[0] === "" ) {

                $retval = false;

            } else {

                for ( $i = 0; $i < $length; $i++ ) {

                    if ( $token === $this->scratchTokens[$i] ) {

                        // If there is a scratch token, remove it from the scratch token list

                        unset( $this->scratchTokens[$i] );


                        $logger->info( 'OATHAuth user {user} used a scratch token from {clientip}', [

                            'user' => $user->getAccount(),

                            'clientip' => $clientIP,

                        ] );


                        $oathrepo = OATHAuthHooks::getOATHUserRepository();

                        $user->setKey( $this );

                        $oathrepo->persist( $user, $clientIP );

                        // Only return true if we removed it from the database

                        $retval = self::SCRATCH_TOKEN;

                        break;

                    }

                }

            }

        }


        if ( $retval ) {

            $memc->set(

                $memcKey,

                $lastWindow,

                $this->secret['period'] * ( 1 + 2 * $wgOATHAuthWindowRadius )

            );

        } else {


            $logger->info( 'OATHAuth user {user} failed OTP/scratch token from {clientip}', [

                'user' => $user->getAccount(),

                'clientip' => $clientIP,

            ] );


            // Increase rate limit counter for failed request

            $user->getUser()->pingLimiter( 'badoath' );

        }


        return $retval;

    }


    public function regenerateScratchTokens() {

        $scratchTokens = [];

        for ( $i = 0; $i < 10; $i++ ) {

            $scratchTokens[] = Base32::encode( random_bytes( 10 ) );

        }

        $this->scratchTokens = $scratchTokens;

    }


    public function isScratchToken( $token ) {

        $token = preg_replace( '/\s+/', '', $token );

        return in_array( $token, $this->scratchTokens, true );

    }


    private function getLogger() {

        return LoggerFactory::getInstance( 'authentication' );

    }


}


and
and that you know you can do these things To protect your we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to certain responsibilities for you if you distribute copies of the or if you modify it For if you distribute copies of such a whether gratis or for a you must give the recipients all the rights that you have You must make sure that receive or can get the source code And you must show them these terms so they know their rights We protect your rights with two and(2) offer you this license which gives you legal permission to copy

wfMemcKey
wfMemcKey(... $args)
Make a cache key for the local wiki.
Definition GlobalFunctions.php:2573

Base32\decode
static decode($b32)
Decodes a base32 string into a binary string according to RFC 4648.
Definition base32.php:48

Base32\encode
static encode($string)
Encodes a binary string into a base32 string according to RFC 4648 (no padding).
Definition base32.php:80

HOTP\generateByTimeWindow
static generateByTimeWindow( $key, $window, $min=-1, $max=1, $timestamp=false)
Generate a HOTP key collection based on a timestamp and window size all keys that could exist between...
Definition hotp.php:72

OATHAuthHooks\getOATHUserRepository
static getOATHUserRepository()
Get the singleton OATH user repository.
Definition OATHAuthHooks.php:34

OATHAuthKey
Class representing a two-factor key.
Definition OATHAuthKey.php:29

OATHAuthKey\newFromRandom
static newFromRandom()
Make a new key from random values.
Definition OATHAuthKey.php:53

OATHAuthKey\getLogger
getLogger()
Definition OATHAuthKey.php:215

OATHAuthKey\regenerateScratchTokens
regenerateScratchTokens()
Definition OATHAuthKey.php:192

OATHAuthKey\getScratchTokens
getScratchTokens()
Definition OATHAuthKey.php:89

OATHAuthKey\getSecret
getSecret()
Definition OATHAuthKey.php:82

OATHAuthKey\isScratchToken
isScratchToken( $token)
Check if a token is one of the scratch tokens for this two factor key.
Definition OATHAuthKey.php:207

OATHAuthKey\SCRATCH_TOKEN
const SCRATCH_TOKEN
Represents that a token corresponds to a scratch token.
Definition OATHAuthKey.php:40

OATHAuthKey\__construct
__construct( $secret, array $scratchTokens)
Definition OATHAuthKey.php:68

OATHAuthKey\$secret
array $secret
Two factor binary secret.
Definition OATHAuthKey.php:43

OATHAuthKey\MAIN_TOKEN
const MAIN_TOKEN
Represents that a token corresponds to the main secret.
Definition OATHAuthKey.php:34

OATHAuthKey\$scratchTokens
string[] $scratchTokens
List of scratch tokens.
Definition OATHAuthKey.php:46

OATHAuthKey\verifyToken
verifyToken( $token, OATHUser $user)
Verify a token against the secret or scratch tokens.
Definition OATHAuthKey.php:102

OATHUser
This program is free software; you can redistribute it and/or modify it under the terms of the GNU Ge...
Definition OATHUser.php:24

array
The wiki should then use memcached to cache various data To use multiple just add more items to the array To increase the weight of a make its entry a array("192.168.0.1:11211", 2))