author | François Kooman <fkooman@tuxed.net> | 2017-03-16 15:43:03 +0100 |
---|---|---|
committer | François Kooman <fkooman@tuxed.net> | 2017-03-16 15:43:03 +0100 |
commit | a149b0c420dc19dc35a91fb45ea1fc06ecb4d811 (patch) | |
tree | ddcb5c9741087ea576e880dd40e0ae5c55758c06 | |
parent | a55a09b05bf3dd65a8e8e6ed8890165ba2c91a45 (diff) | |
switch to paragonie/constant_time_encoding for Base32 handling
-rw-r--r-- | README.md | 12 | ||||
-rw-r--r-- | composer.json | 2 | ||||
-rw-r--r-- | example/index.php | 6 | ||||
-rw-r--r-- | src/GoogleAuthenticator.php | 2 |
4 files changed, 11 insertions, 11 deletions
@@ -26,9 +26,7 @@ Usage use Otp\Otp; use Otp\GoogleAuthenticator; - -// Seperate class, see https://github.com/ChristianRiesen/base32, requirement for this one -use Base32\Base32; +use ParagonIE\ConstantTime\Encoding; // Get a Pseudo Secret // Defaults to 16 characters @@ -48,7 +46,7 @@ $otp = new Otp(); // Assuming this is present and sanitized // Allows for a 1 code time drift by default // Third parameter can alter that behavior -if ($otp->checkTotp(Base32::decode($secret), $key)) { +if ($otp->checkTotp(Encoding::base32Decode($secret), $key)) { // Correct key // IMPORTANT! Note this key as being used // so nobody could launch a replay attack. @@ -59,7 +57,7 @@ if ($otp->checkTotp(Base32::decode($secret), $key)) { } // Just to create a key for display (testing) -$key = $otp->totp(Base32::decode($secret)); +$key = $otp->totp(Encoding::base32Decode($secret)); ``` @@ -77,7 +75,7 @@ Static function class to generate a correct url for the QR code, so you can easy There are also older open source versions of the Google Authenticator app for both [iPhone](https://github.com/google/google-authenticator) and [Android](https://github.com/google/google-authenticator-android) -This helper class uses the random_int function from PHP7, or the polyfill method from [paragonie/random_compat](https://packagist.org/packages/paragonie/random_compat) if present and falls back on other (less "secure") random generators. +This helper class uses the random_int function from PHP7, or the polyfill method from [paragonie/random_compat](https://packagist.org/packages/paragonie/random_compat) if present. About ===== @@ -87,7 +85,7 @@ Requirements PHP 5.4.x+ -Uses [Base32 class](https://github.com/ChristianRiesen/base32). +Uses [paragonie/random_compat](https://github.com/paragonie/random_compat) and [paragonie/constant_time_encoding](https://github.com/paragonie/constant_time_encoding). If you want to run the tests, PHPUnit 3.6 or up is required. 
diff --git a/composer.json b/composer.json index f6ffeda..b3e78c3 100644 --- a/composer.json +++ b/composer.json @@ -15,7 +15,7 @@ ], "require": { "php": ">=5.4.0", - "christian-riesen/base32": "^1.0", + "paragonie/constant_time_encoding": "^1|^2", "paragonie/random_compat": "^1|^2" }, "require-dev": { diff --git a/example/index.php b/example/index.php index 4da362c..e5e9b7f 100644 --- a/example/index.php +++ b/example/index.php @@ -6,7 +6,7 @@ require_once __DIR__ . '/../vendor/autoload.php'; use Otp\Otp; use Otp\GoogleAuthenticator; -use Base32\Base32; +use ParagonIE\ConstantTime\Encoding; // Getting a secret, either by generating or from storage // DON'T use sessions as storage for this in production!!! @@ -25,7 +25,7 @@ if (strlen($secret) != 16) { // To use it in totp though we need to decode it into the original $otp = new Otp(); -$currentTotp = $otp->totp(Base32::decode($secret)); +$currentTotp = $otp->totp(Encoding::base32DecodeUpper($secret)); $qrCode = GoogleAuthenticator::getQrCodeUrl('totp', 'otpsample@cr', $secret); $keyUri = GoogleAuthenticator::getKeyUri('totp', 'otpsample@cr', $secret); @@ -79,7 +79,7 @@ if (isset($_POST['otpkey'])) { if (strlen($key) == 6) { // Remember that the secret is a base32 string that needs decoding // to use it here! - if ($otp->checkTotp(Base32::decode($secret), $key)) { + if ($otp->checkTotp(Encoding::base32DecodeUpper($secret), $key)) { echo 'Key correct!'; // Add here something that makes note of this key and will not allow // the use of it, for this user for the next 2 minutes. This way you diff --git a/src/GoogleAuthenticator.php b/src/GoogleAuthenticator.php index 8e90532..48b0a6f 100644 --- a/src/GoogleAuthenticator.php +++ b/src/GoogleAuthenticator.php @@ -2,6 +2,8 @@ namespace Otp; +use ParagonIE\ConstantTime\Encoding; + /** * Google Authenticator * |
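Review bot: `Encoding::base32DecodeUpper($secret)` in the example/index.php hunk at line 28 (and again in the hunk at line 82) does not agree with the README hunks of this same commit, which show `Encoding::base32Decode($secret)`. In paragonie/constant_time_encoding those two entry points select different RFC 4648 alphabets (lower-case vs upper-case), so for one and the same stored secret only one of them reproduces the key the authenticator app derives; the other decodes to different bytes and `checkTotp()` rejects every code (newer releases may instead throw on characters outside the chosen alphabet). Which alphabet is right depends on the case that `GoogleAuthenticator`'s secret generator emits, which is outside this diff; whichever it is, the README sample and the example should call the same method, and the choice deserves a one-line comment next to the call such as `// secret is upper-case base32 (RFC 4648), so the Upper variant must be used`.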
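Review bot: The `use ParagonIE\ConstantTime\Encoding;` added to src/GoogleAuthenticator.php has no accompanying call-site change in this file — the diffstat lists only these two insertions — so either the import is unused or the rest of the class still refers to the old Base32 class by another name. Because composer.json drops `christian-riesen/base32` in this same commit, any remaining reference to that class would surface as a class-not-found error at runtime in the secret-generation path rather than at install time, so the file's Base32 usages should be switched to `Encoding` here or the import dropped. The body of the class lies entirely outside this hunk, so this is inferred from the diffstat; a grep of the file for `Base32` settles it.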