Auth: allow to reverse password / token order in TOTP

PR: https://forum.opnsense.org/index.php?topic=5466.0

Auth: allow to reverse password / token order in TOTP
PR: https://forum.opnsense.org/index.php?topic=5466.0
20ec899a · Franco Fichtner · 738f9983 · 20ec899a
Commit 20ec899a authored Jul 12, 2017 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 2 deletions

TOTP.php src/opnsense/mvc/app/library/OPNsense/Auth/TOTP.php +23 -2

No files found.
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/TOTP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/TOTP.php
@@ -53,6 +53,11 @@ trait TOTP
     */
    private $graceperiod = 10;

+    /**
+     * @var bool token after password
+     */
+    private $passwordFirst = false;
+
    /**
     * @var string method accepting username and returning a simplexml user object
     */
@@ -149,8 +154,14 @@ trait TOTP
        if ($userObject != null && !empty($userObject->otp_seed)) {
            if (strlen($password) > $this->otpLength) {
                // split otp token code and userpassword
-                $code = substr($password, 0, $this->otpLength);
-                $userPassword =  substr($password, $this->otpLength);
+                $pwStart = $this->otpLength;
+                $otpStart = 0;
+                if ($this->passwordFirst) {
+                    $otpStart = strlen($password) - $this->otpLength;
+                    $pwStart = 0;
+                }
+                $userPassword = substr($password, $pwStart, strlen($password) - $this->otpLength);
+                $code = substr($password, $otpStart, $this->otpLength);
                $otp_seed = \Base32\Base32::decode($userObject->otp_seed);
                if ($this->authTOTP($otp_seed, $code)) {
                    // token valid, do parents auth
@@ -176,6 +187,9 @@ trait TOTP
        if (!empty($config['graceperiod'])) {
            $this->graceperiod = $config['graceperiod'];
        }
+        if (array_key_exists('passwordFirst', $config) && !empty($config['passwordFirst'])) {
+            $this->passwordFirst = true;
+        }
    }

    /**
@@ -226,6 +240,13 @@ trait TOTP
                return array();
            }
        };
+        $fields["passwordFirst"] = array();
+        $fields["passwordFirst"]["name"] = gettext("Reverse token order");
+        $fields["passwordFirst"]["help"] = gettext("Require the password in front of the token instead of behind it.");
+        $fields["passwordFirst"]["type"] = "checkbox";
+        $fields["passwordFirst"]["validate"] = function ($value) {
+            return array();
+        };

        return $fields;
    }