<li> Passwords are *ONLY* for this page, if you assign a password to a user they can login here
and edit anyone, including you
<li> OTK/One-Time-Keys are the QRcode for provisioning a GA token, it can only be viewed once
-and once viewed is deleted. If you need a new one, you need to delete the user and re-create.
+and once viewed is deleted. If you need a new one, you need to re-create a key.
<li> TOTP tokens are time based tokens that change every 30 seconds, HOTP tokens are event tokens
that change everytime they are used or generated
+<li> In the OTK, the "Get (User URL)" link is a link you can send to a user to retrieve their key
<?php
}
else $haspass = "No";
if($user["otk"]=="deleted") $otk = "OTK Was Not Picked Up";
- else if($user["otk"]!="") $otk = "<a href=\"?action=getotk&username=$username&otk=".$user["otk"]."\">Get</a>";
+ else if($user["otk"]!="") $otk = "<a href=\"?action=getotk&username=$username&otk=".$user["otk"]."\">Get (admin)</a> <a href=\"index.php?gettoken&username=$username&otkid=".$user["otk"]."\">Get (User URL)</a>";
else $otk = "Already Claimed";
if($user["hastoken"]) $hastoken = "Yes <a href=\"?action=recreatehotptoken&username=$username\">Re-Create (HOTP)</a> <a href=\"?action=recreatetotptoken&username=$username\">Re-Create (TOTP)</a> <a href=\"?action=deletetoken&username=$username\">Delete</a>";
}
?>
</table><br>
-<form method="post" action="?action=createuser">Create User(s) - Enter a comma seperated list of names: <input type="text" name="username" size="120"> <input type="submit" value="Create"></form>
+<form method="post" action="?action=createuser">Create User(s) - Enter a comma seperated list of usernames: <input type="text" name="username" size="120"> <input type="submit" value="Create"></form>
<?php
require_once("user_actions.php");
+// first check for a token retreival
+if(isset($_REQUEST["gettoken"])) {
+ $username = $_REQUEST["username"];
+ $otkid = $_REQUEST["otkid"];
+ $users = $myAC->getUsers();
+ $realname = "";
+ $otk = "";
+ foreach($users as $user) {
+ if($user["username"] == $username) {
+ $realname = $user["realname"];
+ $otk = $user["otk"];
+ }
+ }
+
+ if($realname == "") $realname = $username;
+ if($otk == "") {
?>
<html>
-<h1>Welcome to the GAAS User Self Admin Site</h1>
+Hello <?php echo $realname?>, we're sorry, but your One Time Key has already been picked up or you
+dont currently have a token. If you believe this in error, please contact the site admin immediately
+as it could mean your key has been compromised.
+</html>
+<?php
+ exit(0);
+ }
+
+ if($otk != $otkid) {
+?>
+<html>
+Hello <?php echo $realname?>, we're sorry, but your One Time Key ID is not
+the correct one, the URL you have been sent may be in error, please check with the site admin
+</html>
+<?php
+ }
+
+ // now actually pick up the key
+ if(isset($_REQUEST["ready"])) {
+?>
+<html>
+Hello <?php echo $realname?>, welcome to the One Time Key retreival site. Here is your<br>
+One Time Key. Do not save this anywhere as it will compromise your account<br>
+<li> Point your phones camera at the screen
+<li> Watch the display until it locks onto the code
+<li> Once the code has been scanned, the phone should return to the Google Authenticator with a 6 digit number presented, or a "get code" button.<br><hr>
+<img src="?action=actuallygettoken&username=<?php echo $username?>&otkid=<?php echo $otkid ?>"><br>
+
+Once you have the key, you may try logging into the user site <a href="index.php">here</a>
+</html>
+<?php
+ } else {
+?>
+<html>
+Hello <?php echo $realname?>, welcome to the One Time Key retreival site. Before we present<br>
+your key, you must have your phone ready to accept it as the key will only be presented once.<br>
+If your phone is not ready to accept the key, the key needs to be regenerated, so only proceed<br>
+if you phone is on, you have clicked on "scan account barcode" and the phone is ready to<br>
+scan, please proceed.<br>
+<br>
+If you are ready to proceed, click <a href="index.php?gettoken&username=<?php echo $username?>&ready=true&otkid=<?php echo $otkid?>">here</a>.
+</html>
+<?php
+ }
+ exit(0);
+}
+
+
+?>
+<html>
+<h1>Welcome to the GAAS User Site</h1>
<?php
if(isset($_REQUEST["message"])) {
echo "<font color=\"red\"><i>Login Failure</i></font>";
if(isset($_REQUEST["action"])) {
error_log("action set: ".$_REQUEST["action"]);
switch($_REQUEST["action"]) {
+ case "actuallygettoken":
+ $otkid = $_REQUEST["otkid"];
+ $username = $_REQUEST["username"];
+ error_log("requesting otk, $otk");
+ $otk_img = $myAC->getOtkPng($username,$otkid);
+ header("Content-type: image/png");
+ echo $otk_img;
+ exit(0);
+ break;
case "login":
error_log("being login");
$username = $_REQUEST["username"];
case "logout":
$_SESSION["user_loggedin"] = false;
$_SESSION["username"] = "";
- header("Location: admin.php");
+ header("Location: index.php?message=".urlencode("logged out"));
exit(0);
break;
projects / ga4php.git / commitdiff