nullwert/re_capitulating_queer
1
0
Fork 0
Code Activity
Files
a4b2aece7b44b516ca8349830f01c2eccae22ff0
re_capitulating_queer/kirby/src/Toolkit/Totp.php
Philip Wagner 78b6c0d381 init
2024-08-31 10:01:49 +02:00

145 lines
4.0 KiB
PHP
Raw Blame History

<?php
namespace Kirby\Toolkit;
use Base32\Base32;
use Kirby\Exception\InvalidArgumentException;
use SensitiveParameter;
/**
* The TOTP class handles the generation and verification
* of time-based one-time passwords according to RFC6238
* with the SHA1 algorithm, 30 second intervals and 6 digits
* @since 4.0.0
*
* @package Kirby Toolkit
* @author Lukas Bestle <lukas@getkirby.com>
* @link https://getkirby.com
* @copyright Bastian Allgeier
* @license https://opensource.org/licenses/MIT
*/
class Totp
{
/**
* Binary secret
*/
protected string $secret;
/**
* Class constructor
*
* @param string|null $secret Existing secret in Base32 format
* or `null` to generate a new one
* @param bool $force Whether to skip the secret length validation;
* WARNING: Only ever set this to `true` when
* generating codes for third-party services
*/
public function __construct(
#[SensitiveParameter]
string|null $secret = null,
bool $force = false
) {
// if provided, decode the existing secret into binary
if ($secret !== null) {
$this->secret = Base32::decode($secret);
}
// otherwise generate a new one;
// 20 bytes are the length of the SHA1 HMAC
$this->secret ??= random_bytes(20);
// safety check to avoid accidental insecure secrets
if ($force === false && strlen($this->secret) !== 20) {
throw new InvalidArgumentException('TOTP secrets should be 32 Base32 digits (= 20 bytes)');
}
}
/**
* Generates the current TOTP code
*
* @param int $offset Optional counter offset to generate
* previous or upcoming codes
*/
public function generate(int $offset = 0): string
{
// generate a new code every 30 seconds
$counter = floor(time() / 30) + $offset;
// pack the number into a binary 64-bit unsigned int
$binaryCounter = pack('J', $counter);
// on 32-bit systems, we need to pack into a binary 32-bit
// unsigned int and prepend 4 null bytes to get a 64-bit value
// @codeCoverageIgnoreStart
if (PHP_INT_SIZE < 8) {
$binaryCounter = "\0\0\0\0" . pack('N', $counter);
}
// @codeCoverageIgnoreEnd
// create a binary HMAC from the binary counter and the binary secret
$binaryHmac = hash_hmac('sha1', $binaryCounter, $this->secret, true);
// convert the HMAC into an array of byte values (from 0-255)
$bytes = unpack('C*', $binaryHmac);
// perform dynamic truncation to four bytes according to RFC6238 & RFC4226
$byteOffset = (end($bytes) & 0xF);
$code = (($bytes[$byteOffset + 1] & 0x7F) << 24) |
($bytes[$byteOffset + 2] << 16) |
($bytes[$byteOffset + 3] << 8) |
$bytes[$byteOffset + 4];
// truncate the resulting number to at max six digits
$code %= 1000000;
// format as a six-digit string, left-padded with zeros
return sprintf('%06d', $code);
}
/**
* Returns the secret in human-readable Base32 format
*/
public function secret(): string
{
return Base32::encode($this->secret);
}
/**
* Returns a `otpauth://` URI for use in a setup QR code or link
*
* @param string $issuer Name of the site the code is valid for
* @param string $label Account name the code is valid for
*/
public function uri(string $issuer, string $label): string
{
$query = http_build_query([
'secret' => $this->secret(),
'issuer' => $issuer
], '', '&', PHP_QUERY_RFC3986);
return 'otpauth://totp/' . rawurlencode($issuer) .
':' . rawurlencode($label) . '?' . $query;
}
/**
* Securely checks the provided TOTP code against the
* current, the direct previous and following codes
*/
public function verify(string $totp): bool
{
// strip out any non-numeric character (e.g. spaces)
// from user input to increase UX
$totp = preg_replace('/[^0-9]/', '', $totp);
// also allow the previous and upcoming codes
// to account for time sync issues
foreach ([0, -1, 1] as $offset) {
if (hash_equals($this->generate($offset), $totp) === true) {
return true;
}
}
return false;
}
}
View Git Blame Copy Permalink