Diffstat (limited to 'example')
-rw-r--r-- | example/index.php | 126 | ||||
-rwxr-xr-x | example/server.sh | 5 |
2 files changed, 131 insertions, 0 deletions
diff --git a/example/index.php b/example/index.php
new file mode 100644
index 0000000..ebbd063
--- /dev/null
+++ b/example/index.php
@@ -0,0 +1,126 @@
+<?php
+// load our composer file
+require_once('../vendor/autoload.php');
+
+// load the client library
+$ga = new \CraftBlue\GoogleAuthenticator();
+
+// this demo is insecure and only for demonstration purposes only
+// you should NEVER publicly expose your secret key
+
+// check if we generated a 16 character secret for the user yet
+if (!empty($_COOKIE['secret'])) {
+ $secret = $_COOKIE['secret'];
+} else {
+ $secret = $ga->createSecret();
+ setcookie('secret', $secret);
+}
+
+// look for a form submitted code to verify
+if (!empty($_POST['code'])) {
+ $code = $_POST['code'];
+ $qrCodeUrl = $ga->getQRCodeUrl('example.user@gmail.com', $secret, 'ExampleCompany');
+ $isExampleCode = false;
+} else {
+ // retrieve the Google QR code URL based on our secret
+ $qrCodeUrl = $ga->getQRCodeUrl('example.user@gmail.com', $secret, 'ExampleCompany');
+
+ // generate an example correct code based on the secret (to be used as an example)
+ $isExampleCode = true;
+ $code = $ga->getCode($secret);
+}
+
+// check if the secret matches the code (with 60 second window)
+$checkResult = $ga->verifyCode($secret, $code, 2);
+?>
+<html>
+ <head>
+ <title>Google Authenticator PHP Client - Example Usage</title>
+ <style>
+ body { font-family: "Lucida Grande", "Lucida Sans Unicode", Verdana, Arial, Helvetica, sans-serif; }
+ blockquote { color:#999;font-style: italic;font-family:Georgia,serif; }
+ fieldset { padding:20px;border:1px solid #ccc;background:#f9f9f9; }
+ .container { width: 75%; max-width: 760px; margin: 0 auto; padding: 40px 0; }
+ .centered { text-align: center; }
+ .fw { display: inline-block; width: 150px; margin-right: 10px; }
+ .error { color: #900 }
+ .success { color: #090 }
+ </style>
+ </head>
+ <body>
+ <div class="container">
+ <h1>Google Authenticator PHP Client - Example Usage</h1>
+
+ <p>
+ To test, please first install and open the Google Authenticator app on your iPhone or Android device. 
+ </p>
+
+ <p class="centered">
+ <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en" target="_blank"><img alt='Get it on Google Play' src='https://play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png' height="48" style="vertical-align:middle"/></a>
+ <a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8" target="_blank"><img alt='Available on the App Store' src="https://upload.wikimedia.org/wikipedia/commons/thumb/5/5d/Available_on_the_App_Store_%28black%29.png/320px-Available_on_the_App_Store_%28black%29.png" height="32" style="vertical-align:middle;padding:8px;" /></a>
+ </p>
+
+ <p>
+ <em class="error">
+ CAUTION: This example is for testing purposes only. You should never publicly expose
+ your secret. Here are <a href="http://tools.ietf.org/html/rfc6238" target="_blank">RFC6238</a>'s security
+ recommendations:
+ </em>
+ </p>
+
+ <blockquote>
+ <p>
+ We also RECOMMEND storing the keys securely in the validation system,
+ and, more specifically, encrypting them using tamper-resistant
+ hardware encryption and exposing them only when required: for
+ example, the key is decrypted when needed to verify an OTP value, and
+ re-encrypted immediately to limit exposure in the RAM to a short
+ period of time.
+ </p>
+ <p>
+ The key store MUST be in a secure area, to avoid, as much as
+ possible, direct attack on the validation system and secrets
+ database. Particularly, access to the key material should be limited
+ to programs and processes required by the validation system only.
+ </p>
+ </blockquote>
+
+ <ul>
+ <li><strong class="fw">Secret:</strong> <code><?= $secret ?></code></li>
+ <li><strong class="fw"><?= $isExampleCode ? 'Example ' : '' ?>Code:</strong> <code><?= $code ?></code></li>
+ <li>
+ <strong class="fw">Code Verification:</strong>
+ <?= $checkResult ? 
'<code class="success">VERIFIED</code>' : '<code class="error">FAILED</code>' ?>
+ </li>
+ </ul>
+
+ <h2 style="margin-top:40px">Test Google Authenticator</h2>
+
+ <form method="post" id="verify-app-code">
+ <ol>
+ <li>Open your Google Authenticator app on your mobile device and scan the QR Code below.</li>
+ <li>Post the 6 digit code generated by Google Authenticator here and submit to verify/authenticate it.</li>
+
+ </ol>
+
+ <p class="centered">
+ <img src="<?= $qrCodeUrl ?>" />
+ </p>
+
+ <fieldset>
+ <label>Google Authenticator Code:</label>
+ <input type="text" name="code" id="code" placeholder="As shown on your app" />
+ <button type="submit">Verify Code ›</button>
+ <input type="hidden" name="secret" id="secret" value="<?= htmlentities($secret) ?>" />
+ </fieldset>
+
+ <p>
+ <small>
+ If code verification fails after repeated retries, a new secret may have been generated for you.
+ This means you will have to delete the test entry from your Google Authenticator app and add a new one.
+ </small>
+ </p>
+ </form>
+ </div>
+ </body>
+</html>
\ No newline at end of file
diff --git a/example/server.sh b/example/server.sh
new file mode 100755
index 0000000..c96172e
--- /dev/null
+++ b/example/server.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+php -S 127.0.0.1:8000
+
+echo "Open 127.0.0.1:8000 in your browser to test"
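Review bot: The `<code><?= $secret ?></code>` and `<code><?= $code ?></code>` items in the `<ul>`, and `src="<?= $qrCodeUrl ?>"` further down, write `$_COOKIE['secret']` and `$_POST['code']` back into the page unescaped, so a crafted cookie or form value is rendered as markup (reflected XSS), while the hidden input a few lines later does escape the same `$secret` with `htmlentities()`. Escape every interpolation the same way, e.g. `<code><?= htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></code>`, and likewise for `$secret` and `$qrCodeUrl`. The cookie value is also handed straight to `verifyCode()` without checking that it has the shape the comment says `createSecret()` produces (16 characters); rejecting anything else before use, e.g. `if (!preg_match('/^[A-Z2-7]{16}$/', $secret)) { $secret = $ga->createSecret(); }` if the library emits RFC 4648 Base32, would make this demo safer to copy from. The hidden `secret` field is posted but never read by the PHP above, so it can be dropped.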
\ No newline at end of file |