Nosial/socialbox-php
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add OTP support with implementation for creation, deletion, and verification.

Browse source
This commit is contained in:
netkas 2025-01-07 14:15:07 -05:00
parent d9c8208310
commit 866bb90f2a
8 changed files with 572 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/Socialbox/Classes/Configuration.php
View file

@ -45,6 +45,17 @@
$config->setDefault('security.display_internal_exceptions', false);
$config->setDefault('security.resolved_servers_ttl', 600);
$config->setDefault('security.captcha_ttl', 200);
// Server-side OTP Security options
// The time step in seconds for the OTP generation
// Default: 30 seconds
$config->setDefault('security.otp_secret_key_length', 32);
$config->setDefault('security.otp_time_step', 30);
// The number of digits in the OTP
$config->setDefault('security.otp_digits', 6);
// The hash algorithm to use for the OTP generation (sha1, sha256, sha512)
$config->setDefault('security.otp_hash_algorithm', 'sha512');
// The window of time steps to allow for OTP verification
$config->setDefault('security.otp_window', 1);
// Cryptography Configuration
// The Unix Timestamp for when the host's keypair should expire

59
src/Socialbox/Classes/Configuration/SecurityConfiguration.php
View file

@ -7,6 +7,11 @@
private bool $displayInternalExceptions;
private int $resolvedServersTtl;
private int $captchaTtl;
private int $otpSecretKeyLength;
private int $otpTimeStep;
private int $otpDigits;
private string $otpHashAlgorithm;
private int $otpWindow;
/**
* Constructor method for initializing class properties.
@ -20,6 +25,11 @@
$this->displayInternalExceptions = $data['display_internal_exceptions'];
$this->resolvedServersTtl = $data['resolved_servers_ttl'];
$this->captchaTtl = $data['captcha_ttl'];
$this->otpSecretKeyLength = $data['otp_secret_key_length'];
$this->otpTimeStep = $data['otp_time_step'];
$this->otpDigits = $data['otp_digits'];
$this->otpHashAlgorithm = $data['otp_hash_algorithm'];
$this->otpWindow = $data['otp_window'];
}
/**
@ -52,4 +62,53 @@
return $this->captchaTtl;
}
/**
* Retrieves the length of the secret key used for OTP generation.
*
* @return int The length of the secret key used for OTP generation.
*/
public function getOtpSecretKeyLength(): int
{
return $this->otpSecretKeyLength;
}
/**
* Retrieves the time step value for OTP generation.
*
* @return int The time step value for OTP generation.
*/
public function getOtpTimeStep(): int
{
return $this->otpTimeStep;
}
/**
* Retrieves the number of digits in the OTP.
*
* @return int The number of digits in the OTP.
*/
public function getOtpDigits(): int
{
return $this->otpDigits;
}
/**
* Retrieves the hash algorithm used for OTP generation.
*
* @return string The hash algorithm used for OTP generation.
*/
public function getOtpHashAlgorithm(): string
{
return $this->otpHashAlgorithm;
}
/**
* Retrieves the window value for OTP generation.
*
* @return int The window value for OTP generation.
*/
public function getOtpWindow(): int
{
return $this->otpWindow;
}
}

50
src/Socialbox/Classes/OtpCryptography.php
View file

@ -7,15 +7,17 @@
class OtpCryptography
{
private const string URI_FORMAT = 'otpauth://totp/%s?secret=%s%s&algorithm=%s&digits=%d&period=%d';
/**
* Generates a random secret key of the specified length.
*
* @param int $length The length of the secret key in bytes. Default is 32.
* @return string Returns the generated secret key as a hexadecimal string.
* @throws CryptographyException
* @throws RandomException
* @throws CryptographyException If the length is less than or equal to 0.
* @throws RandomException If an error occurs while generating random bytes.
*/
public static function generateSecretKey(int $length = 32): string
public static function generateSecretKey(int $length=32): string
{
if($length <= 0)
{
@ -32,11 +34,11 @@
* @param int $timeStep The time step in seconds used for OTP generation. Default is 30 seconds.
* @param int $digits The number of digits in the OTP. Default is 6.
* @param int|null $counter Optional counter value. If not provided, it is calculated based on the current time and time step.
* @param string $hashAlgorithm The hash algorithm used for OTP generation. Default is 'sha1'.
* @param string $hashAlgorithm The hash algorithm used for OTP generation. Default is 'sha512'.
* @return string Returns the generated OTP as a string with the specified number of digits.
* @throws CryptographyException If the generated hash length is less than 20 bytes.
*/
public static function generateOTP(string $secretKey, int $timeStep=30, int $digits=6, int $counter=null, string $hashAlgorithm='sha1'): string
public static function generateOTP(string $secretKey, int $timeStep=30, int $digits=6, int $counter=null, string $hashAlgorithm='sha512'): string
{
if ($counter === null)
{
@ -73,6 +75,7 @@
* @param int $digits The number of digits in the OTP. Default is 6.
* @param string $hashAlgorithm The hash algorithm used for OTP generation. Default is 'sha512'.
* @return bool Returns true if the OTP is valid within the provided parameters, otherwise false.
* @throws CryptographyException If the generated hash length is less than 20 bytes.
*/
public static function verifyOTP(string $secretKey, string $otp, int $timeStep=30, int $window=1, int $digits=6, string $hashAlgorithm='sha512'): bool
{
@ -93,28 +96,20 @@
}
/**
* Generates a QR code payload for a TOTP-based authentication system.
* Generates a key URI for use in configuring an authenticator application.
*
* The method constructs a URI in the format compatible with TOTP applications.
*
* @param string $account The account name or identifier associated with the QR code.
* @param string $secretKey The secret key to be included in the payload.
* @param string $issuer The issuer name to identify the organization or service.
*
* @return string A formatted string representing the QR code payload.
*
* @throws CryptographyException If the domain configuration is missing.
* @param string $label A unique label to identify the account (e.g., user or service name).
* @param string $secretKey The secret key used for generating the OTP.
* @param string|null $issuer The name of the organization or service issuing the key. Default is null.
* @param int $timeStep The time step in seconds used for OTP generation. Default is 30 seconds.
* @param int $digits The number of digits in the generated OTP. Default is 6.
* @param string $hashAlgorithm The hash algorithm used for OTP generation. Default is 'sha512'.
* @return string Returns the URI string formatted
*/
public static function generateQrPayload(string $account, string $secretKey, string $issuer): string
public static function generateKeyUri(string $label, string $secretKey, ?string $issuer = null, int $timeStep=30, int $digits=6, string $hashAlgorithm='sha512'): string
{
$domain = Configuration::getInstanceConfiguration()->getDomain();
if (!$domain)
{
throw new CryptographyException("Domain configuration is missing.");
}
return sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s", rawurlencode($domain), rawurlencode($account), rawurlencode($secretKey), rawurlencode($issuer));
$issuerPart = $issuer ? "&issuer=" . rawurlencode($issuer) : '';
return sprintf(self::URI_FORMAT, rawurlencode($label), $secretKey, $issuerPart, strtoupper($hashAlgorithm), $digits, $timeStep);
}
/**
@ -123,15 +118,14 @@
* @param string $algorithm The hashing algorithm to be used (e.g., 'sha1', 'sha256', 'sha384', 'sha512').
* @param string $data The data to be hashed.
* @param string $key The secret key used for the HMAC generation.
*
* @return string The generated HMAC as a raw binary string.
*
* @*/
* @throws CryptographyException If the algorithm is not supported.
*/
private static function hashHmac(string $algorithm, string $data, string $key): string
{
return match($algorithm)
{
'sha1', 'sha256', 'sha384', 'sha512' => hash_hmac($algorithm, $data, $key, true),
'sha1', 'sha256', 'sha512' => hash_hmac($algorithm, $data, $key, true),
default => throw new CryptographyException('Algorithm not supported')
};
}

93
src/Socialbox/Classes/StandardMethods/SettingsDeleteOtp.php Normal file
View file

@ -0,0 +1,93 @@
<?php
namespace Socialbox\Classes\StandardMethods;
use Exception;
use Socialbox\Abstracts\Method;
use Socialbox\Classes\Configuration;
use Socialbox\Classes\Cryptography;
use Socialbox\Enums\Flags\SessionFlags;
use Socialbox\Enums\StandardError;
use Socialbox\Exceptions\DatabaseOperationException;
use Socialbox\Exceptions\StandardException;
use Socialbox\Interfaces\SerializableInterface;
use Socialbox\Managers\OneTimePasswordManager;
use Socialbox\Managers\PasswordManager;
use Socialbox\Managers\SessionManager;
use Socialbox\Objects\ClientRequest;
use Socialbox\Objects\RpcRequest;
class SettingsDeleteOtp extends Method
{
/**
* @inheritDoc
*/
public static function execute(ClientRequest $request, RpcRequest $rpcRequest): ?SerializableInterface
{
if(Configuration::getRegistrationConfiguration()->isOtpRequired())
{
return $rpcRequest->produceError(StandardError::METHOD_NOT_ALLOWED, 'One Time Password is required for this server');
}
$peer = $request->getPeer();
try
{
if (!OneTimePasswordManager::usesOtp($peer->getUuid()))
{
return $rpcRequest->produceError(StandardError::METHOD_NOT_ALLOWED, "Cannot delete One Time Password when none is set");
}
}
catch (DatabaseOperationException $e)
{
throw new StandardException('Failed to check One Time Password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
try
{
$usesPassword = PasswordManager::usesPassword($peer);
}
catch (DatabaseOperationException $e)
{
throw new StandardException('Failed to check password usage due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
// Password verification is required to set an OTP if a password is set
if($usesPassword)
{
if(!$rpcRequest->containsParameter('password'))
{
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, 'When a password is set, the current password must be provided to delete an OTP');
}
if(!Cryptography::validateSha512($rpcRequest->getParameter('password')))
{
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, 'The provided password is not a valid SHA-512 hash');
}
try
{
if(!PasswordManager::verifyPassword($peer, $rpcRequest->getParameter('password')))
{
return $rpcRequest->produceError(StandardError::FORBIDDEN, 'The provided password is incorrect');
}
}
catch(Exception $e)
{
throw new StandardException('Failed to verify password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
}
try
{
// Delete the OTP
OneTimePasswordManager::deleteOtp($peer);
}
catch(Exception $e)
{
throw new StandardException('Failed to set password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
return $rpcRequest->produceResponse(true);
}
}

90
src/Socialbox/Classes/StandardMethods/SettingsSetOtp.php Normal file
View file

@ -0,0 +1,90 @@
<?php
namespace Socialbox\Classes\StandardMethods;
use Exception;
use Socialbox\Abstracts\Method;
use Socialbox\Classes\Cryptography;
use Socialbox\Enums\Flags\SessionFlags;
use Socialbox\Enums\StandardError;
use Socialbox\Exceptions\DatabaseOperationException;
use Socialbox\Exceptions\StandardException;
use Socialbox\Interfaces\SerializableInterface;
use Socialbox\Managers\OneTimePasswordManager;
use Socialbox\Managers\PasswordManager;
use Socialbox\Managers\SessionManager;
use Socialbox\Objects\ClientRequest;
use Socialbox\Objects\RpcRequest;
class SettingsSetOtp extends Method
{
/**
* @inheritDoc
*/
public static function execute(ClientRequest $request, RpcRequest $rpcRequest): ?SerializableInterface
{
$peer = $request->getPeer();
try
{
if (OneTimePasswordManager::usesOtp($peer->getUuid()))
{
return $rpcRequest->produceError(StandardError::METHOD_NOT_ALLOWED, "Cannot set One Time Password when one is already set, use 'settingsUpdateOtp' instead");
}
}
catch (DatabaseOperationException $e)
{
throw new StandardException('Failed to check One Time Password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
try
{
$usesPassword = PasswordManager::usesPassword($peer);
}
catch (DatabaseOperationException $e)
{
throw new StandardException('Failed to check password usage due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
// Password verification is required to set an OTP if a password is set
if($usesPassword)
{
if(!$rpcRequest->containsParameter('password'))
{
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, 'When a password is set, the current password must be provided to set an OTP');
}
if(!Cryptography::validateSha512($rpcRequest->getParameter('password')))
{
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, 'The provided password is not a valid SHA-512 hash');
}
try
{
if(!PasswordManager::verifyPassword($peer, $rpcRequest->getParameter('password')))
{
return $rpcRequest->produceError(StandardError::FORBIDDEN, 'The provided password is incorrect');
}
}
catch(Exception $e)
{
throw new StandardException('Failed to verify password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
}
try
{
// Create a new OTP and return the OTP URI to the client
$totpUri = OneTimePasswordManager::createOtp($peer);
// Remove the SET_PASSWORD flag & update the session flow if necessary
SessionManager::updateFlow($request->getSession(), [SessionFlags::SET_OTP]);
}
catch(Exception $e)
{
throw new StandardException('Failed to set password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
return $rpcRequest->produceResponse($totpUri);
}
}

63
src/Socialbox/Classes/StandardMethods/VerificationOtpAuthentication.php Normal file
View file

@ -0,0 +1,63 @@
<?php
namespace Socialbox\Classes\StandardMethods;
use Exception;
use Socialbox\Abstracts\Method;
use Socialbox\Classes\Configuration;
use Socialbox\Enums\Flags\SessionFlags;
use Socialbox\Enums\StandardError;
use Socialbox\Exceptions\CryptographyException;
use Socialbox\Exceptions\StandardException;
use Socialbox\Interfaces\SerializableInterface;
use Socialbox\Managers\OneTimePasswordManager;
use Socialbox\Managers\SessionManager;
use Socialbox\Objects\ClientRequest;
use Socialbox\Objects\RpcRequest;
class VerificationOtpAuthentication extends Method
{
/**
* @inheritDoc
*/
public static function execute(ClientRequest $request, RpcRequest $rpcRequest): ?SerializableInterface
{
if(!$rpcRequest->containsParameter('code'))
{
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Missing 'code' parameter");
}
if(strlen($rpcRequest->getParameter('code')) !== Configuration::getSecurityConfiguration()->getOtpDigits())
{
return $rpcRequest->produceError(StandardError::RPC_INVALID_ARGUMENTS, "Invalid 'code' parameter length");
}
$session = $request->getSession();
if(!$session->flagExists(SessionFlags::VER_OTP))
{
return $rpcRequest->produceError(StandardError::FORBIDDEN, 'One Time Password verification is not required at this time');
}
try
{
$result = OneTimePasswordManager::verifyOtp($request->getPeer(), $rpcRequest->getParameter('code'));
if($result)
{
// If the OTP is verified, remove the OTP verification flag
SessionManager::updateFlow($session, [SessionFlags::VER_OTP]);
}
}
catch (CryptographyException)
{
return $rpcRequest->produceResponse(false);
}
catch (Exception $e)
{
throw new StandardException('Failed to verify password due to an internal exception', StandardError::INTERNAL_SERVER_ERROR, $e);
}
return $rpcRequest->produceResponse($result);
}
}