From 50ec224ca5ec919ee34e4b7482f1fb6c0c9cde75 Mon Sep 17 00:00:00 2001 From: paulr Date: Mon, 15 Nov 2010 16:16:10 +1100 Subject: [PATCH] various improvemens --- doco/readme.txt | 3 ++ example/index.php | 43 +++++++++++++++++++++++-- lib/lib.php | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 135 insertions(+), 4 deletions(-) diff --git a/doco/readme.txt b/doco/readme.txt index 54c6912..8ee974e 100644 --- a/doco/readme.txt +++ b/doco/readme.txt @@ -33,6 +33,9 @@ KEY and should remain secret. You can generate qrcodes anyway you like, BUT MAKE SURE ITS SECURE (i.e. never save them on the FS, and send them all over ssl). +If your running on linux, most distro's have a program called +qrencode that you can use. + How? ==== diff --git a/example/index.php b/example/index.php index 54d50a5..1699691 100644 --- a/example/index.php +++ b/example/index.php @@ -33,24 +33,61 @@ if(isset($_REQUEST["action"])) { echo "Failed!"; } break; + case "resync": + $username = $_REQUEST["username"]; + $code1 = $_REQUEST["code1"]; + $code2 = $_REQUEST["code2"]; + if($ga->resyncCode($username, $code1, $code2)) { + echo "Passed!"; + } else { + echo "Failed!"; + } + break; + case "destroy": + unlink("/tmp/gaexpage.db"); + break; default: // do nothing } } ?> - -Create a User: +

Destroy the DB

+This is UNDOABLE - but this is a test system, so you dont care +

Create a User:

Username:
Type (ignored for now):


+

Test Token

-Username:
+Username:
Code:


+

Resync Code (only valid for HOTP codes)

+
+Username:
+Code one:
+Code two:
+
+
+
\ No newline at end of file diff --git a/lib/lib.php b/lib/lib.php index 01340d9..60ceaa7 100644 --- a/lib/lib.php +++ b/lib/lib.php @@ -1,5 +1,11 @@ dbConnector->query("select user_name from users"); + $i = 0; + $ar = array(); + foreach($res as $row) { + error_log("user: ".$row["user_name"]); + $ar[$i] = $row["user_name"]; + $i++; + } + + return $ar; + } + // set the token type the user it going to use. // this defaults to HOTP - we only do 30s token // so lets not be able to set that yet @@ -154,6 +175,22 @@ class GoogleAuthenticator { return true; } + + // have user? + function userExists($username) { + $sql = "select * from users where user_name='$username'"; + $res = $this->dbConnector->query($sql); + + $tid = -1; + foreach($res as $row) { + $tid = $row["user_tokenid"]; + } + + if($tid == -1) return false; + else return $tid; + } + + // self explanitory? function deleteUser($username) { $sql = "select * from users where user_name='$username'"; 
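Review bot: The new `destroy` case runs `unlink("/tmp/gaexpage.db")` for any request carrying `action=destroy`, with no method check and no handling of the `unlink()` result, and the `resync` case forwards `$_REQUEST["username"]`, `code1` and `code2` to `resyncCode()` exactly as received. Even on an example page, a destructive action should be limited to a POST and report failure, e.g. `if ($_SERVER["REQUEST_METHOD"] !== "POST" || !unlink("/tmp/gaexpage.db")) { echo "Failed!"; break; }`, and the three resync values should be normalised with `trim((string)...)` before being passed on. The form lines of this hunk appear to have lost their HTML markup in extraction, so the resync form's method and field names cannot be confirmed from here.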
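Review bot: `getUsers()` calls `error_log("user: ".$row["user_name"])` on every row, so each call writes the complete user list to the server log; this reads as leftover debugging and should be removed before merge. The hand-maintained `$i` index is also unnecessary — `$ar[] = $row["user_name"];` builds the same list. The hunk header `@@ -1,5 +1,11 @@` does not match the visible content, so the start of this method has probably been lost in extraction and its signature cannot be checked here.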
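Review bot: `userExists()` builds its query as `"select * from users where user_name='$username'"`, so a username containing a single quote alters the SQL; the same string-built queries appear in `resyncCode()` in the next hunk (the users lookup, the tokens lookup and the `update tokens set token_lastid='$i'` statement) and in the unchanged `deleteUser()` context below. If `dbConnector` is a PDO-style connection — its type is not visible here — the fix is `$stmt = $this->dbConnector->prepare("select user_tokenid from users where user_name = ?"); $stmt->execute(array($username));` and iterating `$stmt` instead of `$res`. The `-1` sentinel is also compared with `==` and the method returns either `false` or a token id, so the contract deserves a comment such as `// returns the user's token id, or false when no such user exists`.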
@@ -232,7 +269,61 @@ class GoogleAuthenticator {
 // many codes are called, we only check up to 20 codes in the future
 // so if the user is at 21, they'll always fail.
 function resyncCode($username, $code1, $code2) {
-
+ // here we'll go from 0 all the way thru to 200k.. if we cant find the code, so be it, they'll need a new one
+ $sql = "select * from users where user_name='$username'";
+ $res = $this->dbConnector->query($sql);
+
+ $tid = -1;
+ foreach($res as $row) {
+ $tid = $row["user_tokenid"];
+ }
+
+ // for HOTP tokens we start at x and go to x+20
+
+ // for TOTP we go +/-1min TODO = remember that +/- 1min should
+ // be changed based on stepping if we change the expiration time
+ // for keys
+
+ // $this->dbConnector->query('CREATE TABLE "tokens" ("token_id" INTEGER PRIMARY KEY AUTOINCREMENT,"token_key" TEXT NOT NULL, "token_type" TEXT NOT NULL, "token_lastid" INTEGER NOT NULL)');
+
+ $sql = "select * from tokens where token_id='$tid'";
+ $res = $this->dbConnector->query($sql);
+
+ $tkey = "";
+ $ttype = "";
+ $tlid = "";
+ foreach($res as $row) {
+ $tkey = $row["token_key"];
+ $ttype = $row["token_type"];
+ $tlid = $row["token_lastid"];
+ }
+
+ switch($ttype) {
+ case "HOTP":
+ $st = 0;
+ $en = 200000;
+ for($i=$st; $i<$en; $i++) {
+ $stest = $this->oath_hotp($tkey, $i);
+ //echo "code: $code, $stest, $tkey\n";
+ if($code1 == $stest) {
+ $stest2 = $this->oath_hotp($tkey, $i+1);
+ if($code2 == $stest2) {
+ $sql = "update tokens set token_lastid='$i' where token_id='$tid'";
+ $this->dbConnector->query($sql);
+ return true;
+ }
+ }
+ }
+ return false;
+ break;
+ case "TOTP":
+ break;
+ default:
+ echo "how the frig did i end up here?";
+ }
+
+ return false;
+ }
 // gets the error text associated with the last error
-- 1.7.0.4
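Review bot: `resyncCode()` reads `token_lastid` into `$tlid` but never uses it: the HOTP search starts at `$st = 0`, so a pair of already-consumed consecutive codes from earlier in the counter sequence matches and `update tokens set token_lastid='$i'` then moves the stored counter backwards, re-enabling codes that were already spent. The search should begin at the current counter and only move forward, e.g. `$st = (int)$tlid; $en = $st + 200000;`, and the leading comment "we only check up to 20 codes in the future" no longer describes this loop and should be updated with it. `$code1 == $stest` and `$code2 == $stest2` compare numeric strings by value, so if `oath_hotp()` returns a zero-padded code (not visible here) `"012345"` would be accepted for `"12345"`; use `hash_equals((string)$stest, (string)$code1)` and likewise for the second code. Up to 200000 `oath_hotp()` evaluations per call is also a large amount of work to expose per request, the `break;` after `return false;` is unreachable, and the `default:` branch echoes from library code rather than recording the error for the last-error accessor the following context line mentions.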