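<?php

declare(strict_types=1);

// Load the composer autoloader relative to this file rather than to the
// working directory of the PHP process (which differs between the CLI,
// the built-in server and FPM).
require_once __DIR__ . '/../vendor/autoload.php';

// The TOTP client library this page demonstrates.
$ga = new \CraftBlue\GoogleAuthenticator();

// Escapes a value for HTML text or a double-quoted attribute. Every value
// echoed into the page below is user-controlled ($_COOKIE, $_POST) or
// derived from it, so nothing is printed raw.
$e = static fn (string $value): string => htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// This demo is insecure and for demonstration purposes only: the secret is
// kept in a plain cookie and printed on the page. You should NEVER publicly
// expose your secret key.
//
// Reuse the secret from the cookie only when it looks like one the library
// produced (an alphanumeric string; the original note describes a 16
// character secret). Anything else is discarded and a fresh secret is
// generated, so a tampered cookie can neither inject arbitrary text into
// the page nor feed arbitrary bytes to the library.
$cookieSecret = (string) ($_COOKIE['secret'] ?? '');
if ($cookieSecret !== '' && preg_match('/^[A-Za-z0-9]+$/', $cookieSecret) === 1) {
    $secret = $cookieSecret;
} else {
    $secret = $ga->createSecret();
    // httponly keeps the demo secret out of reach of page scripts. The
    // 'secure' flag is deliberately omitted so the demo still runs over
    // plain http on localhost; set it for any deployment behind TLS.
    setcookie('secret', $secret, ['httponly' => true, 'samesite' => 'Lax']);
}

// The QR code URL depends only on the secret, so build it once instead of
// repeating the call in both branches below.
$qrCodeUrl = $ga->getQRCodeUrl('example.user@gmail.com', $secret, 'ExampleCompany');

// A submitted form code is verified as entered (surrounding whitespace
// removed); otherwise a freshly generated, currently valid code is shown
// as an example.
$submittedCode = trim((string) ($_POST['code'] ?? ''));
if ($submittedCode !== '') {
    $code = $submittedCode;
    $isExampleCode = false;
} else {
    $isExampleCode = true;
    $code = $ga->getCode($secret);
}

// A discrepancy of 2 accepts codes from two 30-second periods either side
// of "now", i.e. a window of roughly +/- 60 seconds.
$checkResult = $ga->verifyCode($secret, $code, 2);
?>
<html>
<head>
<meta charset="utf-8">
<title>Google Authenticator PHP Client - Example Usage</title>
<style>
body { font-family: "Lucida Grande", "Lucida Sans Unicode", Verdana, Arial, Helvetica, sans-serif; }
blockquote { color:#999;font-style: italic;font-family:Georgia,serif; }
fieldset { padding:20px;border:1px solid #ccc;background:#f9f9f9; }
.container { width: 75%; max-width: 760px; margin: 0 auto; padding: 40px 0; }
.centered { text-align: center; }
.fw { display: inline-block; width: 150px; margin-right: 10px; }
.error { color: #900 }
.success { color: #090 }
</style>
</head>
<body>
<div class="container">
<h1>Google Authenticator PHP Client - Example Usage</h1>
<p>
To test, please first install and open the Google Authenticator app on your iPhone or Android device.
</p>
<p class="centered">
<a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en" target="_blank"><img alt='Get it on Google Play' src='https://play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png' height="48" style="vertical-align:middle"/></a>
<a href="https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8" target="_blank"><img alt='Available on the App Store' src="https://upload.wikimedia.org/wikipedia/commons/thumb/5/5d/Available_on_the_App_Store_%28black%29.png/320px-Available_on_the_App_Store_%28black%29.png" height="32" style="vertical-align:middle;padding:8px;" /></a>
</p>
<p>
<em class="error">
CAUTION: This example is for testing purposes only. You should never publicly expose
your secret. Here are <a href="http://tools.ietf.org/html/rfc6238" target="_blank">RFC6238</a>'s security
recommendations:
</em>
</p>
<blockquote>
<p>
We also RECOMMEND storing the keys securely in the validation system,
and, more specifically, encrypting them using tamper-resistant
hardware encryption and exposing them only when required: for
example, the key is decrypted when needed to verify an OTP value, and
re-encrypted immediately to limit exposure in the RAM to a short
period of time.
</p>
<p>
The key store MUST be in a secure area, to avoid, as much as
possible, direct attack on the validation system and secrets
database. Particularly, access to the key material should be limited
to programs and processes required by the validation system only.
</p>
</blockquote>
<ul>
<li><strong class="fw">Secret:</strong> <code><?= $e($secret) ?></code></li>
<li><strong class="fw"><?= $isExampleCode ? 'Example ' : '' ?>Code:</strong> <code><?= $e($code) ?></code></li>
<li>
<strong class="fw">Code Verification:</strong>
<?= $checkResult ? '<code class="success">VERIFIED</code>' : '<code class="error">FAILED</code>' ?>
</li>
</ul>
<h2 style="margin-top:40px">Test Google Authenticator</h2>
<form method="post" id="verify-app-code">
<ol>
<li>Open your Google Authenticator app on your mobile device and scan the QR Code below.</li>
<li>Post the 6 digit code generated by Google Authenticator here and submit to verify/authenticate it.</li>
</ol>
<p class="centered">
<img src="<?= $e($qrCodeUrl) ?>" />
</p>
<fieldset>
<label for="code">Google Authenticator Code:</label>
<input type="text" name="code" id="code" inputmode="numeric" autocomplete="one-time-code" placeholder="As shown on your app" />
<button type="submit">Verify Code ›</button>
<input type="hidden" name="secret" id="secret" value="<?= $e($secret) ?>" />
</fieldset>
<p>
<small>
If code verification fails after repeated retries, a new secret may have been generated for you.
This means you will have to delete the test entry from your Google Authenticator app and add a new one.
</small>
</p>
</form>
</div>
</body>
</html>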