2FA QR Codes

Move away from the Google Charts API for generating QR codes as this is currently broken and not a security best practice.
Marcus Hill 2024-05-26 16:08:06 +01:00
parent c02d6d4cf0
commit 8b1ba7028e
4 changed files with 3355 additions and 12 deletions


@ -36,8 +36,9 @@ require_once "header.php";
if (!empty($session_token)) {
//Generate QR Code based off the generated key
print sprintf('<img src="%s"/>', TokenAuth6238::getBarCodeUrl($session_name, ' ', $session_token, $_SERVER['SERVER_NAME']));
// Generate QR Code
$data = "otpauth://totp/ITFlow:$session_email?secret=$session_token";
print "<img src='plugins/barcode/barcode.php?f=png&s=qr&d=$data'>";
echo "<p class='text-secondary'>$session_token</p>";
}
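Review bot: The `$data` URI is interpolated into the `<img src='…'>` attribute without URL or HTML encoding, so a `'`, `&`, `+` or `#` in `$session_email` would corrupt the `d=` parameter or close the single-quoted attribute (whether `$session_email` is sanitised earlier is not visible in this hunk). Encode it before printing, for example `$data = rawurlencode("otpauth://totp/ITFlow:" . rawurlencode($session_email) . "?secret=$session_token");`. The same two lines appear in the later hunk starting at `@ -59,10 +59,12 @@`, which needs the same change. Separately, the TOTP secret still travels in a GET query string, now to the local `plugins/barcode/barcode.php`, so it is likely to end up in web-server access logs and the browser cache; rendering the QR as an inline `data:` image, or sending `Cache-Control: no-store` and excluding that path from request logging, would avoid this (the barcode.php diff is suppressed, so its own handling cannot be checked here).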

3348
plugins/barcode/barcode.php Normal file

File diff suppressed because it is too large Load Diff


@ -58,14 +58,6 @@ class TokenAuth6238 {
return $result;
}
public static function getBarCodeUrl($username, $domain, $secretkey, $issuer) {
$url = "https://chart.apis.google.com/chart";
$url = $url."?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/";
$url = $url.$username . "@" . $domain . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
return $url;
}
private static function oath_hotp ($key, $counter, $debug=false) {
$result = "";
$orgcounter = $counter;


@ -59,10 +59,12 @@ $remember_token_count = mysqli_num_rows($sql_remember_tokens);
if (!empty($session_token)) {
//Generate QR Code based off the generated key
print sprintf('<img src="%s"/>', TokenAuth6238::getBarCodeUrl($session_name, ' ', $session_token, $_SERVER['SERVER_NAME']));
// Generate QR Code
$data = "otpauth://totp/ITFlow:$session_email?secret=$session_token";
print "<img src='plugins/barcode/barcode.php?f=png&s=qr&d=$data'>";
echo "<p class='text-secondary'>$session_token</p>";
}
?>