lindeas
/
jilo-web
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases 6 Wiki Activity
jilo-web/app/classes/twoFactorAuth.php

421 lines
13 KiB
PHP
Raw Blame History

<?php
/**
* Class TwoFactorAuthentication
*
* Handles two-factor authentication functionality using TOTP (Time-based One-Time Password).
* Internal implementation without external dependencies.
*/
class TwoFactorAuthentication {
private $db;
private $secretLength = 20; // 160 bits for SHA1
private $period = 30; // Time step in seconds (T0)
private $digits = 6; // Number of digits in TOTP code
private $algorithm = 'sha1'; // HMAC algorithm
private $issuer = 'TotalMeet';
private $window = 1; // Time window of 1 step before/after
/**
* Constructor
*
* @param PDO $database Database connection
*/
public function __construct($database) {
if ($database instanceof PDO) {
$this->db = $database;
} else {
$this->db = $database->getConnection();
}
}
/**
* Enable 2FA for a user
*
* @param int $userId User ID
* @param string $secret Secret key (base32 encoded)
* @param string $code Verification code
* @return bool True if enabled successfully
*/
public function enable($userId, $secret = null, $code = null) {
try {
// Check if 2FA is already enabled
$stmt = $this->db->prepare('SELECT enabled FROM user_2fa WHERE user_id = ?');
$stmt->execute([$userId]);
$existing = $stmt->fetch(PDO::FETCH_ASSOC);
if ($existing && $existing['enabled']) {
return false;
}
// If no secret provided, generate one and return setup data
if ($secret === null) {
// Generate secret key
$secret = $this->generateSecret();
// Get user's username for the QR code
$stmt = $this->db->prepare('SELECT username FROM user WHERE id = ?');
$stmt->execute([$userId]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
// Generate backup codes
$backupCodes = $this->generateBackupCodes();
// Store in database without enabling yet
$this->db->beginTransaction();
$stmt = $this->db->prepare('
INSERT INTO user_2fa (user_id, secret_key, backup_codes, enabled, created_at)
VALUES (?, ?, ?, 0, NOW())
ON DUPLICATE KEY UPDATE
secret_key = VALUES(secret_key),
backup_codes = VALUES(backup_codes),
enabled = VALUES(enabled),
created_at = VALUES(created_at)
');
$stmt->execute([
$userId,
$secret,
json_encode($backupCodes)
]);
$this->db->commit();
// Generate otpauth URL for QR code
$otpauthUrl = $this->generateOtpauthUrl($user['username'], $secret);
return [
'success' => true,
'data' => [
'secret' => $secret,
'otpauthUrl' => $otpauthUrl,
'backupCodes' => $backupCodes
]
];
}
// If secret and code provided, verify the code and enable 2FA
if ($code !== null) {
// Verify the setup code
if (!$this->verify($userId, $code)) {
error_log("Code verification failed");
return false;
}
// Enable 2FA
$stmt = $this->db->prepare('
UPDATE user_2fa
SET enabled = 1
WHERE user_id = ? AND secret_key = ?
');
return $stmt->execute([$userId, $secret]);
}
return false;
} catch (Exception $e) {
if ($this->db->inTransaction()) {
$this->db->rollBack();
}
error_log('2FA enable error: ' . $e->getMessage());
return false;
}
}
/**
* Verify a 2FA code
*
* @param int $userId User ID
* @param string $code The verification code
* @return bool True if verified, false otherwise
*/
public function verify($userId, $code) {
try {
// Get user's 2FA settings
$settings = $this->getUserSettings($userId);
if (!$settings) {
return false;
}
// Check if code matches a backup code
if ($this->verifyBackupCode($userId, $code)) {
return true;
}
// Get current Unix timestamp
$currentTime = time();
// Check time window
for ($timeSlot = -$this->window; $timeSlot <= $this->window; $timeSlot++) {
$checkTime = $currentTime + ($timeSlot * $this->period);
$generatedCode = $this->generateCode($settings['secret_key'], $checkTime);
if (hash_equals($generatedCode, $code)) {
return true;
}
}
return false;
} catch (Exception $e) {
error_log('2FA verification error: ' . $e->getMessage());
return false;
}
}
/**
* Generate a random secret key
*
* @return string Base32 encoded secret
*/
private function generateSecret() {
// Generate random bytes (160 bits for SHA1)
$random = random_bytes($this->secretLength);
return $this->base32Encode($random);
}
/**
* Base32 encode data
*
* @param string $data Data to encode
* @return string Base32 encoded string
*/
private function base32Encode($data) {
$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
$binary = '';
$encoded = '';
// Convert to binary
for ($i = 0; $i < strlen($data); $i++) {
$binary .= str_pad(decbin(ord($data[$i])), 8, '0', STR_PAD_LEFT);
}
// Process 5 bits at a time
for ($i = 0; $i < strlen($binary); $i += 5) {
$chunk = substr($binary, $i, 5);
if (strlen($chunk) < 5) {
$chunk = str_pad($chunk, 5, '0', STR_PAD_RIGHT);
}
$encoded .= $alphabet[bindec($chunk)];
}
// Add padding
$padding = strlen($encoded) % 8;
if ($padding > 0) {
$encoded .= str_repeat('=', 8 - $padding);
}
return $encoded;
}
/**
* Base32 decode data
*
* @param string $data Base32 encoded string
* @return string Decoded data
*/
private function base32Decode($data) {
$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
// Remove padding and uppercase
$data = rtrim(strtoupper($data), '=');
$binary = '';
// Convert to binary
for ($i = 0; $i < strlen($data); $i++) {
$position = strpos($alphabet, $data[$i]);
if ($position === false) {
continue;
}
$binary .= str_pad(decbin($position), 5, '0', STR_PAD_LEFT);
}
$decoded = '';
// Process 8 bits at a time
for ($i = 0; $i + 7 < strlen($binary); $i += 8) {
$chunk = substr($binary, $i, 8);
$decoded .= chr(bindec($chunk));
}
return $decoded;
}
/**
* Generate a TOTP code for a given secret and time
* RFC 6238 compliant implementation
*/
private function generateCode($secret, $time) {
// Calculate number of time steps since Unix epoch
$timeStep = (int)floor($time / $this->period);
// Pack time into 8 bytes (64-bit big-endian)
$timeBin = pack('J', $timeStep);
// Clean secret of any padding
$secret = rtrim($secret, '=');
// Get binary secret
$secretBin = $this->base32Decode($secret);
// Calculate HMAC
$hash = hash_hmac($this->algorithm, $timeBin, $secretBin, true);
// Get dynamic truncation offset
$offset = ord($hash[strlen($hash) - 1]) & 0xF;
// Generate 31-bit number
$code = (
((ord($hash[$offset]) & 0x7F) << 24) |
((ord($hash[$offset + 1]) & 0xFF) << 16) |
((ord($hash[$offset + 2]) & 0xFF) << 8) |
(ord($hash[$offset + 3]) & 0xFF)
) % pow(10, $this->digits);
$code = str_pad($code, $this->digits, '0', STR_PAD_LEFT);
return $code;
}
/**
* Generate otpauth URL for QR codes
* Format: otpauth://totp/ISSUER:ACCOUNT?secret=SECRET&issuer=ISSUER&algorithm=ALGORITHM&digits=DIGITS&period=PERIOD
*/
private function generateOtpauthUrl($username, $secret) {
$params = [
'secret' => $secret,
'issuer' => $this->issuer,
'algorithm' => strtoupper($this->algorithm),
'digits' => $this->digits,
'period' => $this->period
];
return sprintf(
'otpauth://totp/%s:%s?%s',
rawurlencode($this->issuer),
rawurlencode($username),
http_build_query($params)
);
}
/**
* Generate backup codes
*
* @param int $count Number of backup codes to generate
* @return array Array of backup codes
*/
private function generateBackupCodes($count = 8) {
$codes = [];
for ($i = 0; $i < $count; $i++) {
$codes[] = bin2hex(random_bytes(4));
}
return $codes;
}
/**
* Verify a backup code
*
* @param int $userId User ID
* @param string $code The backup code to verify
* @return bool True if verified, false otherwise
*/
private function verifyBackupCode($userId, $code) {
try {
$stmt = $this->db->prepare('SELECT backup_codes FROM user_2fa WHERE user_id = ?');
$stmt->execute([$userId]);
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$result) {
return false;
}
$backupCodes = json_decode($result['backup_codes'], true);
// Check if the code exists and hasn't been used
$codeIndex = array_search($code, $backupCodes);
if ($codeIndex !== false) {
// Remove the used code
unset($backupCodes[$codeIndex]);
$backupCodes = array_values($backupCodes);
// Update backup codes in database
$stmt = $this->db->prepare('
UPDATE user_2fa
SET backup_codes = ?
WHERE user_id = ?
');
$stmt->execute([json_encode($backupCodes), $userId]);
return true;
}
return false;
} catch (Exception $e) {
error_log('Backup code verification error: ' . $e->getMessage());
return false;
}
}
/**
* Disable 2FA for a user
*
* @param int $userId User ID
* @return bool True if disabled successfully
*/
public function disable($userId) {
try {
// First check if user has 2FA settings
$settings = $this->getUserSettings($userId);
if (!$settings) {
return false;
}
// Delete the 2FA settings entirely instead of just disabling
$stmt = $this->db->prepare('
DELETE FROM user_2fa
WHERE user_id = ?
');
return $stmt->execute([$userId]);
} catch (Exception $e) {
error_log('2FA disable error: ' . $e->getMessage());
return false;
}
}
/**
* Check if 2FA is enabled for a user
*
* @param int $userId User ID
* @return bool True if enabled
*/
public function isEnabled($userId) {
try {
$stmt = $this->db->prepare('SELECT enabled FROM user_2fa WHERE user_id = ?');
$stmt->execute([$userId]);
$result = $stmt->fetch(PDO::FETCH_ASSOC);
return $result && $result['enabled'];
} catch (Exception $e) {
error_log('2FA status check error: ' . $e->getMessage());
return false;
}
}
private function getUserSettings($userId) {
try {
$stmt = $this->db->prepare('
SELECT secret_key, backup_codes, enabled
FROM user_2fa
WHERE user_id = ?
');
$stmt->execute([$userId]);
return $stmt->fetch(PDO::FETCH_ASSOC);
} catch (Exception $e) {
error_log('Failed to get user 2FA settings: ' . $e->getMessage());
return null;
}
}
}
Reference in New Issue View Git Blame Copy Permalink