innitial commits

90b322cc · Tomasz Wolniewicz · 1d7f91d3 · 90b322cc · 90b322cc · 90b322cc
Commit 90b322cc authored 2 years ago by Tomasz Wolniewicz
--- a/composer.json
+++ b/composer.json
+{
+    "require": {
+        "spomky-labs/otphp": "^10.0"
+    }
+}
--- a/config/config-template.php
+++ b/config/config-template.php
+<?php
+
+define('DB_CONFIG_LOCATION', 'location of otp_config.php');
+
--- a/config/config.php
+++ b/config/config.php
+<?php
+
+define('DB_CONFIG_LOCATION', 'location of otp_config.php');
+
--- a/config/otp_config-template.php
+++ b/config/otp_config-template.php
+<?php
+define('DB_HOST','edugain-db');
+define('DB_DATABASE','edugain');
+define('USER', 'otp');
+define('PASSWORD', 'xxxx');
+
--- a/web/otp-server.php
+++ b/web/otp-server.php
+<?php
+/*
+ * The server can dwo two things - it can test if the user is defined or it can
+ * validate the otp_code against the secret in the database.
+ * 
+ * Return values:
+ *  -1 - user not found in the DB
+ *   0 - user exists but there was a missmatch in the code
+ *   1 - there was a success in verification of the code against the user secret
+ *   2 - the code has not been provided -  the user has not been verified yet
+ *   3 - the code has not been provided - just confirming that the user is verified
+ *   4 - the code has been used for a second time
+ */
+session_start();
+
+require_once('../vendor/autoload.php');
+require_once('../../config/config.php');
+require_once(DB_CONFIG_LOCATION);
+use OTPHP\TOTP;
+
+$mysqli = new mysqli(DB_HOST, USER, PASSWORD, DB_DATABASE);
+if ($mysqli->connect_error) {
+    die("Not connected");
+}
+$mysqli->set_charset('utf8');
+$mysqli->query("SET time_zone='+00:00'");
+
+if (empty($_GET['user'])) {
+    exit;
+}
+
+$user = filter_var($_GET['user'], FILTER_SANITIZE_EMAIL);
+$out = 0;
+
+$result = $mysqli->query("SELECT secret, last_code, verified from otp where user ='$user'");
+
+if ($result) {
+    if ($result->num_rows == 0) {
+        $out = -1; // the user is not defined
+    } else {
+        $r = $result->fetch_row();
+        $otpSecret = $r[0];
+        $otpLastCode = $r[1];
+        $verified = $r[2];
+        $out = 0; // the user exists in the database - this is a temporary code value
+    }
+} else {
+    exit; 
+}
+
+$otpCode = filter_var($_GET['otp'], FILTER_SANITIZE_NUMBER_INT);
+
+// check if any code has been passed and if so update the result code accordingle - again this value is temporary
+
+if ($otpCode == '' && $out == 0) {
+    if ($verified == 1) {
+        $out = 3;
+    } else {
+        $out = 2;
+    }
+}
+
+
+if ($out == 0) { // the otp code must have been provided and the user exists in the DB, the secret is taken form the DB
+    $otpObject = TOTP::create($otpSecret);
+    $otpTestCode = $otpObject->now();
+    if ($otpCode === $otpTestCode) {
+        if($otpCode === $otpLastCode) {
+            $out = 4;
+        } else {
+            $mysqli->query("UPDATE otp SET verified = 1, last_code = $otpCode where user = '$user'");
+            $out = 1;
+        }
+    } else {
+        // there was a missmatch in the codes
+        $out = 0;
+    }
+}
+header('Content-type: application/json; charset=utf-8');
+header('Access-Control-Allow-Origin: *');
+print json_encode($out, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+
+