totp enhancements

- added 2 config vars (`totp_two_step_login_active`, `totp_two_step_login_redirect`) - changed `login()` to set session data if totp is required and two_step_login is active and skip default - fixed `control()` to check if totp verification is required, if required then it redirects to `totp_two_step_login_redirect` - fixed `control()` to check if is_loggedin not with totp verification is required - changed `is_allowed()` to check if totp verification is required, if required then it redirects to `totp_two_step_login_redirect` - added 2 functions `verify_user_totp_code($totp_code, $user_id = FALSE)` & `is_totp_required()` reference to #131 (tutorial follows)
emreakay · May 18, 2016 · 37a731d · 37a731d
1 parent bf04633
commit 37a731d
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 9 deletions.
diff --git a/application/config/aauth.php b/application/config/aauth.php
@@ -50,6 +50,7 @@
 | 	['totp_active']                    	The Time-based One-time Password Algorithm
 | 	['totp_only_on_ip_change']         	TOTP only on IP Change
 | 	['totp_reset_over_reset_password'] 	TOTP reset over reset Password
+| 	['totp_two_step_login'] 			enables TOTP two step login 
 |
 | 	['max_login_attempt']              	Login attempts time interval (default 10 times in one hour)
 | 	['max_login_attempt_time_period']   Period of time for max login attempts (default "5 minutes")
@@ -111,6 +112,8 @@
 	'totp_active'                    => false,
 	'totp_only_on_ip_change'         => false,
 	'totp_reset_over_reset_password' => false,
+	'totp_two_step_login_active'     => false,
+	'totp_two_step_login_redirect'   => '/account/twofactor_verification/',
 
 	'max_login_attempt'              => 10,
 	'max_login_attempt_time_period'  => "5 minutes",

diff --git a/application/libraries/Aauth.php b/application/libraries/Aauth.php
@@ -232,8 +232,13 @@ public function login($identifier, $pass, $remember = FALSE, $totp_code = NULL)
 				}
 			}
 		}
+
 
-	 	if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_only_on_ip_change'] == FALSE){
+	 	if($this->config_vars['totp_active'] == TRUE AND $this->config_vars['totp_only_on_ip_change'] == FALSE AND $this->config_vars['totp_two_step_login_active'] == FALSE){
+			if($this->config_vars['totp_two_step_login_active'] == TRUE){
+				$this->CI->session->set_userdata('totp_required', true);
+			}
+
 			$query = null;
 			$query = $this->aauth_db->where($db_identifier, $identifier);
 			$query = $this->aauth_db->get($this->config_vars['users']);
@@ -260,10 +265,15 @@ public function login($identifier, $pass, $remember = FALSE, $totp_code = NULL)
 			$totp_secret =  $query->row()->totp_secret;
 			$ip_address = $query->row()->ip_address;
 			$current_ip_address = $this->CI->input->ip_address();
+
 			if ($query->num_rows() > 0 AND !$totp_code) {
 				if($ip_address != $current_ip_address ){
-					$this->error($this->CI->lang->line('aauth_error_totp_code_required'));
-					return FALSE;
+					if($this->config_vars['totp_two_step_login_active'] == FALSE){
+						$this->error($this->CI->lang->line('aauth_error_totp_code_required'));
+						return FALSE;
+					} else if($this->config_vars['totp_two_step_login_active'] == TRUE){
+						$this->CI->session->set_userdata('totp_required', true);
+					}
 				}
 			}else {
 				if(!empty($totp_secret)){
@@ -440,17 +450,16 @@ public function is_loggedin() {
 	 * @param bool $perm_par If not given just control user logged in or not
 	 */
 	public function control( $perm_par = FALSE ){
+		if($this->CI->session->userdata('totp_required')){
+			$this->error($this->CI->lang->line('aauth_error_totp_verification_required'));
+			redirect($this->config_vars['totp_two_step_login_redirect']);			
+		}
 
 		$perm_id = $this->get_perm_id($perm_par);
 		$this->update_activity();
 		if($perm_par == FALSE){
 			if($this->is_loggedin()){
-				if($this->CI->session->userdata('totp_required')){
-					$this->error($this->CI->lang->line('aauth_error_no_access'));
-					redirect($this->config_vars['totp_two_step_login_redirect']);			
-				}else{
-					return TRUE;				
-				}
+				return TRUE;				
 			}else if(!$this->is_loggedin()){
 				$this->error($this->CI->lang->line('aauth_error_no_access'));
 				if($this->config_vars['no_permission'] !== FALSE){
@@ -1592,6 +1601,11 @@ public function delete_perm($perm_par) {
 	 */
 	public function is_allowed($perm_par, $user_id=FALSE){
 
+		if($this->CI->session->userdata('totp_required')){
+			$this->error($this->CI->lang->line('aauth_error_totp_verification_required'));
+			redirect($this->config_vars['totp_two_step_login_redirect']);			
+		}
+
 		if( $user_id == FALSE){
 			$user_id = $this->CI->session->userdata('id');
 		}
@@ -2361,6 +2375,39 @@ public function generate_totp_qrcode($secret){
 		return $ga->getQRCodeGoogleUrl($this->config_vars['name'], $secret);
 	}
 
+	public function verify_user_totp_code($totp_code, $user_id = FALSE){
+		if ( !$this->is_totp_required()) {
+			return TRUE;
+		}
+		if ($user_id == FALSE) {
+			$user_id = $this->CI->session->userdata('id');
+		}
+		if (empty($totp_code)) {
+			$this->error($this->CI->lang->line('aauth_error_totp_code_required'));
+			return FALSE;
+		}
+		$query = $this->aauth_db->where('id', $user_id);
+		$query = $this->aauth_db->get($this->config_vars['users']);
+		$totp_secret =  $query->row()->totp_secret;
+		$ga = new PHPGangsta_GoogleAuthenticator();
+		$checkResult = $ga->verifyCode($totp_secret, $totp_code, 0);
+		if (!$checkResult) {
+			$this->error($this->CI->lang->line('aauth_error_totp_code_invalid'));
+			return FALSE;
+		}else{
+			$this->CI->session->unset_userdata('totp_required');
+			return TRUE;
+		}
+	}
+
+	public function is_totp_required(){
+		if ( !$this->CI->session->userdata('totp_required')) {
+			return FALSE;
+		}else if ( $this->CI->session->userdata('totp_required')) {
+			return TRUE;
+		}
+	}
+
 } // end class
 
 // $this->CI->session->userdata('id')