From 7d9ad0ded6fb7efc1d04f51ba86e5cf88ead0630 Mon Sep 17 00:00:00 2001
From: paulr
Date: Wed, 17 Nov 2010 10:22:17 +1100
Subject: [PATCH] Added a login page example
---
 doco/TODO.txt | 1 +
 example/login/index.php | 140 ++++++++++++++++++++++++++++++++++
 example/provisioning/dbfunctions.php | 2 +-
 example/provisioning/index.php | 3 +-
 example/provisioning/input.php | 3 +-
 lib/lib.php | 6 +-
 6 files changed, 150 insertions(+), 5 deletions(-)
 create mode 100644 example/login/index.php
diff --git a/doco/TODO.txt b/doco/TODO.txt
index d0ff031..813d34d 100644
--- a/doco/TODO.txt
+++ b/doco/TODO.txt
@@ -1,6 +1,7 @@
 The Almighty TODO list:
 1) Error checking, lots of error checking and sanity checking
 Then i need to setup error codes and stuff.
+1.1) put code comments in all the examples
 2) a "hasToken" method for determining if a user has a token or not
 3) implement googles key integrity algorithm thing
 4) make a better example
diff --git a/example/login/index.php b/example/login/index.php
new file mode 100644
index 0000000..fc9ef2b
--- /dev/null
+++ b/example/login/index.php
@@ -0,0 +1,140 @@ +query($sql); + + foreach($res as $row) { + $passhash = $row["users_password"]; + } + + // user entered a tokencode, fail the login and tell the user + // if they dont have a token code assigned to them + if($tokencode != "") { + if(!$myga->hasToken($username)) { + $msg = urlencode("Attempted to login with a token when username isnt assigned one"); + header("Location: index.php?failure=$msg"); + } + } + + // check the password hash versus the login password + error_log("checking $passhash against $password (".sha1($password).")"); + if($passhash == sha1($password)) $passright = true; + else { + header("Location: index.php?failure=LoginIncorrect"); + return; + } + + // now get myGA to check the token code + error_log("passed password auth"); + if($myga->hasToken($username)) if(!$myga->authenticateUser($username, $tokencode)) { + header("Location: index.php?failure=LoginIncorrect"); + return; + } + + // and we're loged in + $_SESSION["loginname"] = "$username"; + + header("Location: index.php"); + return; +} + + + + +// and our "your logged in" page +function displayLogedInPage() +{ +?> + +

Welcome

+Welcome , you are logged in. +Click here to log out. + +"; + print_r($_REQUEST); + print_r($_SESSION); + echo ""; + + return; +} + + + + +?> + +

Welcome to Generic Site

+Note: if the user you've provisioned has not got a token code, its not required for login
+Please login: +Login Failure: ".$_REQUEST["failure"]."
"; +} +?> +
+ + + + + +
Username
Password
Pin Code
+
+
+
+
+
+ \ No newline at end of file diff --git a/example/provisioning/dbfunctions.php b/example/provisioning/dbfunctions.php index 2aa2c05..ca90aa0 100644 --- a/example/provisioning/dbfunctions.php +++ b/example/provisioning/dbfunctions.php @@ -14,7 +14,7 @@ function getDatabase() { } catch(PDOException $exep) { error_log("execpt on db open"); } - $sql = 'CREATE TABLE "users" ("users_id" INTEGER PRIMARY KEY AUTOINCREMENT,"users_username" TEXT,"users_fullname" TEXT,"users_tokendata" TEXT);'; + $sql = 'CREATE TABLE "users" ("users_id" INTEGER PRIMARY KEY AUTOINCREMENT,"users_username" TEXT,"users_fullname" TEXT,"users_password" TEXT, "users_tokendata" TEXT);'; $dbobject->query($sql); } diff --git a/example/provisioning/index.php b/example/provisioning/index.php index 0d9fc18..d2cf4f4 100644 --- a/example/provisioning/index.php +++ b/example/provisioning/index.php @@ -33,7 +33,7 @@ if(isset($_REQUEST["failure"])) { ?>
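Review bot: The `error_log("checking $passhash against $password (".sha1($password).")")` line in the login handler writes the submitted plaintext password to the server error log on every attempt; drop the password from that message, e.g. `error_log("checking password hash for $username");`. The `hasToken` failure branch above it sends a `Location:` header but never `return`s, so execution continues into the password and token checks and can emit a second redirect; add `return;` after that `header()` call. The `Login Failure: ".$_REQUEST["failure"]."` output above the form echoes a request parameter into HTML unescaped, so it should be wrapped as `htmlspecialchars($_REQUEST["failure"], ENT_QUOTES, 'UTF-8')`. The comparison `$passhash == sha1($password)` is loose and not constant-time, and `$passhash` is undefined when the user lookup returns no rows; `hash_equals((string)$passhash, sha1($password))` (or `password_verify` if provisioning moves to `password_hash`) is the safer form. The hunk appears to have lost its `<?php` and HTML lines in rendering, so the statement that builds `$sql` for the user lookup is not visible here and its escaping cannot be checked.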
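Review bot: The new `"users_password" TEXT` column is only added to the `CREATE TABLE "users"` statement, so a SQLite file created before this commit keeps the old four-column schema and the five-value `insert into users values (...)` in input.php will fail against it. If this statement only runs when the database is first created, a one-off `ALTER TABLE "users" ADD COLUMN "users_password" TEXT` or a note telling example users to delete the old database file would avoid that; which of the two applies depends on the part of `getDatabase()` that starts before the hunk. The `catch(PDOException $exep)` block above only logs and carries on, so `$dbobject->query($sql)` can run on an unset handle, though that behaviour predates this change.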
-How to user this page - Create a user with the "Users" form. Once a user is created, then in the "Create Token" form, +How to use this page - Create a user with the "Users" form. Once a user is created, then in the "Create Token" form, select the user from the drop down box and then select a token type, then click "provision". In the main user list section your user should now have a qrcode representing the key for that user. Pull our your mobile phone (with the google authenticator app from the market) and scan in the code. Next, select the user who's authentication you wish to test from @@ -89,6 +89,7 @@ Create a User:
Username/login: Full Name: +Password:
diff --git a/example/provisioning/input.php b/example/provisioning/input.php
index 11ab6b7..23ff909 100644
--- a/example/provisioning/input.php
+++ b/example/provisioning/input.php
@@ -10,7 +10,8 @@ function processInput() {
 // "users_id" INTEGER PRIMARY KEY AUTOINCREMENT,"users_username" TEXT,"users_fullname" TEXT,"users_tokendata" TEXT
 $username = $_REQUEST["username"];
 $fullname = $_REQUEST["fullname"];
- $sql = "insert into users values (NULL, '$username', '$fullname', '0')";
+ $password = sha1($_REQUEST["password"]);
+ $sql = "insert into users values (NULL, '$username', '$fullname', '$password','0')";
 $db = getDatabase();
 $db->query($sql);
 closeDatabase($db);
diff --git a/lib/lib.php b/lib/lib.php
index 2513ebc..558e215 100644
--- a/lib/lib.php
+++ b/lib/lib.php
@@ -123,11 +123,12 @@ abstract class GoogleAuthenticator {
 error_log("dat is $asdf");
 switch($ttype) {
 case "HOTP":
+ error_log("in hotp");
 $st = $tlid;
 $en = $tlid+20;
 for($i=$st; $i<$en; $i++) {
 $stest = $this->oath_hotp($tkey, $i);
- //error_log("code: $code, $stest, $tkey, $tid");
+ error_log("testing code: $code, $stest, $tkey, $tid");
 if($code == $stest) {
 $tokendata["tokencounter"] = $i;
 $this->internalPutData($username, $tokendata);
@@ -137,6 +138,7 @@ abstract class GoogleAuthenticator {
 return false;
 break;
 case "TOTP":
+ error_log("in totp");
 $t_now = time();
 $t_ear = $t_now - 45;
 $t_lat = $t_now + 60;
@@ -145,7 +147,7 @@ abstract class GoogleAuthenticator {
 //error_log("kmac: $t_now, $t_ear, $t_lat, $t_st, $t_en");
 for($i=$t_st; $i<=$t_en; $i++) {
 $stest = $this->oath_hotp($tkey, $i);
- //error_log("code: $code, $stest, $tkey\n");
+ error_log("testing code: $code, $stest, $tkey\n");
 if($code == $stest) {
 return true;
 }
-- 1.7.0.4
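Review bot: The rewritten `$sql = "insert into users values (NULL, '$username', '$fullname', '$password','0')"` line still interpolates `$username` and `$fullname` straight from `$_REQUEST` into the statement; since the line is being changed anyway, it should become a prepared statement, `$stmt = $db->prepare("insert into users values (NULL, ?, ?, ?, '0')"); $stmt->execute([$username, $fullname, $password]);` (getDatabase() appears to return a PDO handle, judging by the `PDOException` in dbfunctions.php). Storing `sha1($_REQUEST["password"])` is an unsalted fast hash; `password_hash($_REQUEST["password"], PASSWORD_DEFAULT)` here with `password_verify` on the login side is the appropriate primitive, and the `TEXT` column already fits the longer string. `$_REQUEST["password"]` is read without an `isset` check, so a form missing that field raises a notice and silently stores the hash of the empty string. `processInput()` begins before the hunk.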
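Review bot: The un-commented `error_log("testing code: $code, $stest, $tkey, $tid")` line in the HOTP branch writes the user's token key `$tkey` and every candidate code to the error log on each authentication attempt, and the `@@ -145,7 +147,7 @@` hunk does the same for TOTP; the key is long-lived secret material and should not reach logs, so keep these lines commented out or reduce them to `error_log("testing code for $username at counter $i");`. The added `error_log("in hotp")` / `error_log("in totp")` lines are harmless but read as leftover debugging and would be better behind a debug flag. The surrounding `$code == $stest` comparison is loose and predates this change; `hash_equals((string)$stest, (string)$code)` would avoid type juggling on numeric-looking codes. The `switch` sits inside a method whose start and end lie outside the hunks.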