From 90b322cc876a31bc7b1f57c80bc4e25ed8c4a08c Mon Sep 17 00:00:00 2001
From: Tomasz Wolniewicz <twoln@umk.pl>
Date: Fri, 19 May 2023 09:46:38 +0200
Subject: [PATCH] innitial commits
---
composer.json | 5 ++
config/config-template.php | 4 ++
config/config.php | 4 ++
config/otp_config-template.php | 6 +++
web/otp-server.php | 83 ++++++++++++++++++++++++++++++++++
5 files changed, 102 insertions(+)
create mode 100644 composer.json
create mode 100644 config/config-template.php
create mode 100644 config/config.php
create mode 100644 config/otp_config-template.php
create mode 100644 web/otp-server.php
diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..f3dbd81
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,5 @@
+{
+ "require": {
+ "spomky-labs/otphp": "^10.0"
+ }
+}
diff --git a/config/config-template.php b/config/config-template.php
new file mode 100644
index 0000000..5927622
--- /dev/null
+++ b/config/config-template.php
@@ -0,0 +1,4 @@
+<?php
+
+define('DB_CONFIG_LOCATION', 'location of otp_config.php');
+
diff --git a/config/config.php b/config/config.php
new file mode 100644
index 0000000..5927622
--- /dev/null
+++ b/config/config.php
@@ -0,0 +1,4 @@
+<?php
+
+define('DB_CONFIG_LOCATION', 'location of otp_config.php');
+
diff --git a/config/otp_config-template.php b/config/otp_config-template.php
new file mode 100644
index 0000000..685d807
--- /dev/null
+++ b/config/otp_config-template.php
@@ -0,0 +1,6 @@
+<?php
+define('DB_HOST','edugain-db');
+define('DB_DATABASE','edugain');
+define('USER', 'otp');
+define('PASSWORD', 'xxxx');
+
diff --git a/web/otp-server.php b/web/otp-server.php
new file mode 100644
index 0000000..be9b75e
--- /dev/null
+++ b/web/otp-server.php
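Review bot: `config/config.php` is committed with exactly the placeholder content of `config/config-template.php` (both sides of the diff show blob 5927622), so the file that is meant to hold the real `DB_CONFIG_LOCATION` on a deployment is tracked by git. Once an operator fills it in, any later `git add` of that directory would commit the environment-specific path and, through the `otp_config.php` it points to, the chain to the database credentials. Keep only the `-template` file in the repository and add `config/config.php` (and the filled-in `otp_config.php`) to `.gitignore`.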
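Review bot: `USER` and `PASSWORD` in `config/otp_config-template.php` are declared as unprefixed global constants; `define()` on a name that is already defined elsewhere in the process emits a warning and keeps the earlier value, and names this generic make a collision with another included library plausible. A prefix such as `OTP_DB_USER` / `OTP_DB_PASSWORD` (with the matching change to the `new mysqli(...)` call in `web/otp-server.php`) avoids it. The `'xxxx'` placeholder would also benefit from a comment saying what it is, e.g. `// placeholder - fill in on the deployment host; the filled-in otp_config.php must stay out of git`.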
@@ -0,0 +1,83 @@
+<?php
+/*
+ * The server can dwo two things - it can test if the user is defined or it can
+ * validate the otp_code against the secret in the database.
+ *
+ * Return values:
+ * -1 - user not found in the DB
+ 0 - user exists but there was a missmatch in the code
+ 1 - there was a success in verification of the code against the user secret
+ 2 - the code has not been provided - the user has not been verified yet
+ 3 - the code has not been provided - just confirming that the user is verified
+ 4 - the code has been used for a second time
+ */
+session_start();
+
+require_once('../vendor/autoload.php');
+require_once('../../config/config.php');
+require_once(DB_CONFIG_LOCATION);
+use OTPHP\TOTP;
+
+$mysqli = new mysqli(DB_HOST, USER, PASSWORD, DB_DATABASE);
+if ($mysqli->connect_error) {
+ die("Not connected");
+}
+$mysqli->set_charset('utf8');
+$mysqli->query("SET time_zone='+00:00'");
+
+if (empty($_GET['user'])) {
+ exit;
+}
+
+$user = filter_var($_GET['user'], FILTER_SANITIZE_EMAIL);
+$out = 0;
+
+$result = $mysqli->query("SELECT secret, last_code, verified from otp where user ='$user'");
+
+if ($result) {
+ if ($result->num_rows == 0) {
+ $out = -1; // the user is not defined
+ } else {
+ $r = $result->fetch_row();
+ $otpSecret = $r[0];
+ $otpLastCode = $r[1];
+ $verified = $r[2];
+ $out = 0; // the user exists in the database - this is a temporary code value
+ }
+} else {
+ exit;
+}
+
+$otpCode = filter_var($_GET['otp'], FILTER_SANITIZE_NUMBER_INT);
+
+// check if any code has been passed and if so update the result code accordingle - again this value is temporary
+
+if ($otpCode == '' && $out == 0) {
+ if ($verified == 1) {
+ $out = 3;
+ } else {
+ $out = 2;
+ }
+}
+
+
+if ($out == 0) { // the otp code must have been provided and the user exists in the DB, the secret is taken form the DB
+ $otpObject = TOTP::create($otpSecret);
+ $otpTestCode = $otpObject->now();
+ if ($otpCode === $otpTestCode) {
+ if($otpCode === $otpLastCode) {
+ $out = 4;
+ } else {
+ $mysqli->query("UPDATE otp SET verified = 1, last_code = $otpCode where user = '$user'");
+ $out = 1;
+ }
+ } else {
+ // there was a missmatch in the codes
+ $out = 0;
+ }
+}
+header('Content-type: application/json; charset=utf-8');
+header('Access-Control-Allow-Origin: *');
+print json_encode($out, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);
+
+
-- GitLab
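Review bot: The SELECT on the `$result = $mysqli->query(...)` line and the UPDATE in the success branch splice `$user` and `$otpCode` straight into the SQL text; `FILTER_SANITIZE_EMAIL` keeps the single quote (it is a legal local-part character) and `FILTER_SANITIZE_NUMBER_INT` keeps `+` and `-`, so neither filter makes the values safe to interpolate, and both statements should be prepared with bound parameters as below. Two smaller points in the same hunk: `$_GET['otp']` is read without a presence check and raises an undefined-array-key warning when the parameter is absent (`$_GET['otp'] ?? ''`), and comparing against `$otpObject->now()` with `===` accepts only the current time step, whereas the library's `$otpObject->verify($otpCode)` performs the same check with `hash_equals` and an optional drift window. The mismatch path returns 0 with no attempt limit and the response carries `Access-Control-Allow-Origin: *`, so a server-side throttle or lockout for repeated failures on one user is worth adding alongside.
```php
// … unchanged: connection setup and the empty-user early exit …
$user = filter_var($_GET['user'], FILTER_SANITIZE_EMAIL);
$out = 0;

$stmt = $mysqli->prepare('SELECT secret, last_code, verified FROM otp WHERE user = ?');
if ($stmt === false) {
    exit;
}
$stmt->bind_param('s', $user);
$stmt->execute();
$result = $stmt->get_result(); // get_result() needs mysqlnd; use bind_result() otherwise
// … unchanged: num_rows / fetch_row handling and the $out bookkeeping …

$otpCode = filter_var($_GET['otp'] ?? '', FILTER_SANITIZE_NUMBER_INT);
// … unchanged: "no code supplied" branch and the TOTP comparison …
            $update = $mysqli->prepare('UPDATE otp SET verified = 1, last_code = ? WHERE user = ?');
            $update->bind_param('ss', $otpCode, $user);
            $update->execute();
            $out = 1;
```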