use separate database column for OTP secrets (migrate previous format if needed)
parent
2aed79d729
commit
2cd159e2ce
|
@ -352,10 +352,6 @@ class Pref_Prefs extends Handler_Protected {
|
||||||
}
|
}
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
<?php if ($otp_enabled) {
|
|
||||||
print_notice(__("Changing your current password will disable OTP."));
|
|
||||||
} ?>
|
|
||||||
|
|
||||||
<fieldset>
|
<fieldset>
|
||||||
<label><?= __("Old password:") ?></label>
|
<label><?= __("Old password:") ?></label>
|
||||||
<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='old_password'>
|
<input dojoType='dijit.form.ValidationTextBox' type='password' required='1' name='old_password'>
|
||||||
|
@ -458,7 +454,6 @@ class Pref_Prefs extends Handler_Protected {
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
print_warning("You will need a compatible Authenticator to use this. Changing your password would automatically disable OTP.");
|
|
||||||
print_notice("You will need to generate app passwords for the API clients if you enable OTP.");
|
print_notice("You will need to generate app passwords for the API clients if you enable OTP.");
|
||||||
|
|
||||||
if (function_exists("imagecreatefromstring")) {
|
if (function_exists("imagecreatefromstring")) {
|
||||||
|
@ -479,7 +474,7 @@ class Pref_Prefs extends Handler_Protected {
|
||||||
|
|
||||||
<fieldset>
|
<fieldset>
|
||||||
<label><?= __("OTP Key:") ?></label>
|
<label><?= __("OTP Key:") ?></label>
|
||||||
<input dojoType='dijit.form.ValidationTextBox' disabled='disabled' value="<?= $otp_secret ?>" size='32'>
|
<input dojoType='dijit.form.ValidationTextBox' disabled='disabled' value="<?= $otp_secret ?>" style='width : 215px'>
|
||||||
</fieldset>
|
</fieldset>
|
||||||
|
|
||||||
<!-- TODO: return JSON from the backend call -->
|
<!-- TODO: return JSON from the backend call -->
|
||||||
|
|
|
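Review bot: The OTP key is written into the input on the `value="<?= $otp_secret ?>"` line without output escaping, both before and after the width change in the third hunk. It is presumably the Base32 string returned by get_otp_secret(), whose alphabet is HTML-safe, but escaping at the output point, `value="<?= htmlspecialchars($otp_secret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"`, costs nothing and keeps the template correct if the source of the value ever changes (the legacy path derives it from sha1 of the user's salt, the new one reads a database column). The notices dropped in the first two hunks ("Changing your current password will disable OTP") are only correct to remove if the password-change handler no longer clears otp_enabled; that handler is not part of this diff, so it is worth confirming. The enclosing method starts and ends outside these hunks.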
@ -119,6 +119,11 @@ class Pref_Users extends Handler_Administrative {
|
||||||
$user->email = clean($_REQUEST["email"]);
|
$user->email = clean($_REQUEST["email"]);
|
||||||
$user->otp_enabled = checkbox_to_sql_bool($_REQUEST["otp_enabled"]);
|
$user->otp_enabled = checkbox_to_sql_bool($_REQUEST["otp_enabled"]);
|
||||||
|
|
||||||
|
// force new OTP secret when next enabled
|
||||||
|
if (Config::get_schema_version() >= 143 && !$user->otp_enabled) {
|
||||||
|
$user->otp_secret = null;
|
||||||
|
}
|
||||||
|
|
||||||
$user->save();
|
$user->save();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
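Review bot: Setting otp_enabled through this form while otp_secret is null leaves the user in a state that the new get_otp_secret() (the `@ -281` hunk of UserHelper) reads as a legacy account: its `if ($user->otp_enabled)` branch then stores the sha1(salt)-derived value instead of a fresh random one, so the comment "force new OTP secret when next enabled" holds only for users who enable OTP themselves. If the checkbox on the `$user->otp_enabled = checkbox_to_sql_bool($_REQUEST["otp_enabled"]);` line can enable OTP for a user with no stored secret, which the context suggests, the form should mint the secret itself, e.g. `} else if (Config::get_schema_version() >= 143 && empty($user->otp_secret)) {` / `$user->otp_secret = bin2hex(get_random_bytes(6));` / `}` appended to the new null-out block. An alternative that removes the ambiguity entirely is to populate otp_secret for already-enabled rows in the schema upgrade itself, so the runtime fallback can always be random. The enclosing method begins outside the hunk.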
@ -240,6 +240,12 @@ class UserHelper {
|
||||||
|
|
||||||
if ($user) {
|
if ($user) {
|
||||||
$user->otp_enabled = false;
|
$user->otp_enabled = false;
|
||||||
|
|
||||||
|
// force new OTP secret when next enabled
|
||||||
|
if (Config::get_schema_version() >= 143) {
|
||||||
|
$user->otp_secret = null;
|
||||||
|
}
|
||||||
|
|
||||||
$user->save();
|
$user->save();
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
@ -281,8 +287,32 @@ class UserHelper {
|
||||||
$user = ORM::for_table('ttrss_users')->find_one($owner_uid);
|
$user = ORM::for_table('ttrss_users')->find_one($owner_uid);
|
||||||
|
|
||||||
if ($user) {
|
if ($user) {
|
||||||
if (!$user->otp_enabled || $show_if_enabled)
|
|
||||||
return \ParagonIE\ConstantTime\Base32::encodeUpperUnpadded(mb_substr(sha1($user->salt), 0, 12));
|
$salt_based_secret = mb_substr(sha1($user->salt), 0, 12);
|
||||||
|
|
||||||
|
if (Config::get_schema_version() >= 143) {
|
||||||
|
$secret = $user->otp_secret;
|
||||||
|
|
||||||
|
if (empty($secret)) {
|
||||||
|
|
||||||
|
/* migrate secret if OTP is already enabled, otherwise make a new one */
|
||||||
|
if ($user->otp_enabled) {
|
||||||
|
$user->otp_secret = $salt_based_secret;
|
||||||
|
} else {
|
||||||
|
$user->otp_secret = bin2hex(get_random_bytes(6));
|
||||||
|
}
|
||||||
|
|
||||||
|
$user->save();
|
||||||
|
|
||||||
|
$secret = $user->otp_secret;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$secret = $salt_based_secret;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$user->otp_enabled || $show_if_enabled) {
|
||||||
|
return \ParagonIE\ConstantTime\Base32::encodeUpperUnpadded($secret);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
|
|
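Review bot: The fresh secret on the `$user->otp_secret = bin2hex(get_random_bytes(6));` line carries 48 bits of entropy; because the later `Base32::encodeUpperUnpadded($secret)` encodes the 12 hex characters rather than the raw bytes, the authenticator key is 96 bits long but only 48 of them are random, below the 128-bit minimum RFC 4226 (R6) asks of a shared secret. Since migrated users keep their salt-derived value and only new enrolments reach this branch, the new column is free to hold a longer value, e.g. `$user->otp_secret = bin2hex(random_bytes(16));`, where PHP's `random_bytes()` is guaranteed CSPRNG-backed (whether the project's `get_random_bytes()` is, I cannot tell from here). A one-line comment above `/* migrate secret if OTP is already enabled, otherwise make a new one */` should record that the salt-derived secret is retained only for already-enrolled users and is replaced when they re-enrol. The `Config::get_schema_version() >= 143` check now appears four times across this file and Pref_Users and would read better as a named constant, and `empty($secret)` is clearer as an explicit null/empty-string comparison. get_otp_secret's signature and closing brace are outside the hunk.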