Commit 37f92da4 authored by Franco Fichtner's avatar Franco Fichtner

Auth: allow to reverse password / token order in TOTP

PR: https://forum.opnsense.org/index.php?topic=5466.0

(cherry picked from commit 20ec899a)
(cherry picked from commit 865b2731)
parent c77aa994
...@@ -53,6 +53,11 @@ trait TOTP ...@@ -53,6 +53,11 @@ trait TOTP
*/ */
private $graceperiod = 10; private $graceperiod = 10;
/**
* @var bool token after password
*/
private $passwordFirst = false;
/** /**
* @var string method accepting username and returning a simplexml user object * @var string method accepting username and returning a simplexml user object
*/ */
...@@ -149,8 +154,15 @@ trait TOTP ...@@ -149,8 +154,15 @@ trait TOTP
if ($userObject != null && !empty($userObject->otp_seed)) { if ($userObject != null && !empty($userObject->otp_seed)) {
if (strlen($password) > $this->otpLength) { if (strlen($password) > $this->otpLength) {
// split otp token code and userpassword // split otp token code and userpassword
$code = substr($password, 0, $this->otpLength); $pwLength = strlen($password) - $this->otpLength;
$userPassword = substr($password, $this->otpLength); $pwStart = $this->otpLength;
$otpStart = 0;
if ($this->passwordFirst) {
$otpStart = $pwLength;
$pwStart = 0;
}
$userPassword = substr($password, $pwStart, $pwLength);
$code = substr($password, $otpStart, $this->otpLength);
$otp_seed = \Base32\Base32::decode($userObject->otp_seed); $otp_seed = \Base32\Base32::decode($userObject->otp_seed);
if ($this->authTOTP($otp_seed, $code)) { if ($this->authTOTP($otp_seed, $code)) {
// token valid, do parents auth // token valid, do parents auth
...@@ -176,6 +188,9 @@ trait TOTP ...@@ -176,6 +188,9 @@ trait TOTP
if (!empty($config['graceperiod'])) { if (!empty($config['graceperiod'])) {
$this->graceperiod = $config['graceperiod']; $this->graceperiod = $config['graceperiod'];
} }
if (array_key_exists('passwordFirst', $config) && !empty($config['passwordFirst'])) {
$this->passwordFirst = true;
}
} }
/** /**
...@@ -226,6 +241,13 @@ trait TOTP ...@@ -226,6 +241,13 @@ trait TOTP
return array(); return array();
} }
}; };
$fields["passwordFirst"] = array();
$fields["passwordFirst"]["name"] = gettext("Reverse token order");
$fields["passwordFirst"]["help"] = gettext("Require the password in front of the token instead of behind it.");
$fields["passwordFirst"]["type"] = "checkbox";
$fields["passwordFirst"]["validate"] = function ($value) {
return array();
};
return $fields; return $fields;
} }
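Review bot: In the setProperties hunk (`@@ -176,6 +188,9`) the added guard `array_key_exists('passwordFirst', $config) && !empty($config['passwordFirst'])` is redundant, because `!empty()` already yields false for an absent key without raising a notice; `if (!empty($config['passwordFirst'])) {` is sufficient and matches the `graceperiod` reader two lines above. The docblock added in the first hunk, `@var bool token after password`, reads backwards for a flag named passwordFirst; `@var bool expect the password in front of the token (default: token first)` states what the authenticate branch actually does with it. In the authenticate hunk the split uses `strlen()`/`substr()` byte offsets, which is sound for an ASCII-digit token, but it only holds if `$this->otpLength` is an int rather than a string carried in from the options array — its declaration is outside these hunks, so worth confirming. The enclosing methods start and end outside the hunks.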