implement one time passwords using TOTP

2 files changed, 127 insertions, 2 deletions

diff --git a/classes/auth/internal.php b/classes/auth/internal.php
index 8890d4455..a4e8b471c 100644
--- a/classes/auth/internal.php
+++ b/classes/auth/internal.php
@@ -6,6 +6,48 @@ class Auth_Internal extends Auth_Base {
 		$pwd_hash1 = encrypt_password($password);
 		$pwd_hash2 = encrypt_password($password, $login);
 		$login = db_escape_string($login);
+		$otp = db_escape_string($_REQUEST["otp"]);
+
+		if (get_schema_version($this->link) > 96) {
+			$result = db_query($this->link, "SELECT otp_enabled,salt FROM ttrss_users WHERE
+				login = '$login'");
+
+			require_once "lib/otphp/vendor/base32.php";
+			require_once "lib/otphp/lib/otp.php";
+			require_once "lib/otphp/lib/totp.php";
+
+			$base32 = new Base32();
+
+			$otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
+			$secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
+
+			$topt = new \OTPHP\TOTP($secret);
+			$otp_check = $topt->now();
+
+			if ($otp_enabled) {
+				if ($otp) {
+					if ($otp != $otp_check) {
+						return false;
+					}
+				} else {
+					?><html>
+						<head><title>Tiny Tiny RSS</title></head>
+					<body>
+					<form method="POST">
+						<input type="hidden" name="login_action" value="do_login">
+						<input type="hidden" name="login" value="<?php echo htmlspecialchars($login) ?>">
+						<input type="hidden" name="password" value="<?php echo htmlspecialchars($password) ?>">
+
+						<label><?php echo __("Please enter your one time password:") ?></label>
+						<input type="password" size="6" name="otp"/>
+						<input type="submit" value="Continue"/>
+					</form>
+					</form>
+					<?php
+					exit;
+				}
+			}
+		}
 
 		if (get_schema_version($this->link) > 87) {
 
@@ -104,7 +146,7 @@ class Auth_Internal extends Auth_Base {
 			$new_password_hash = encrypt_password($new_password, $new_salt, true);
 
 			db_query($this->link, "UPDATE ttrss_users SET
-				pwd_hash = '$new_password_hash', salt = '$new_salt'
+				pwd_hash = '$new_password_hash', salt = '$new_salt', otp_enabled = false
 					WHERE id = '$owner_uid'");
 
 			$_SESSION["pwd_hash"] = $new_password_hash;
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 705b709fa..c6b109877 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -154,12 +154,15 @@ class Pref_Prefs extends Handler_Protected {
 
 		print "<table width=\"100%\" class=\"prefPrefsList\">";
 
-		$result = db_query($this->link, "SELECT email,full_name,
+		print "<h2>" . __("Personal data") . "</h2>";
+
+		$result = db_query($this->link, "SELECT email,full_name,otp_enabled,
 			access_level FROM ttrss_users
 			WHERE id = ".$_SESSION["uid"]);
 
 		$email = htmlspecialchars(db_fetch_result($result, 0, "email"));
 		$full_name = htmlspecialchars(db_fetch_result($result, 0, "full_name"));
+		$otp_enabled = sql_bool_to_bool(db_fetch_result($result, 0, "otp_enabled"));
 
 		print "<tr><td width=\"40%\">".__('Full name')."</td>";
 		print "<td class=\"prefValue\"><input dojoType=\"dijit.form.ValidationTextBox\" name=\"full_name\" required=\"1\"
@@ -194,6 +197,8 @@ class Pref_Prefs extends Handler_Protected {
 
 		if ($authenticator && method_exists($authenticator, "change_password")) {
 
+			print "<h2>" . __("Password") . "</h2>";
+
 			$result = db_query($this->link, "SELECT id FROM ttrss_users
 				WHERE id = ".$_SESSION["uid"]." AND pwd_hash
 				= 'SHA1:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'");
@@ -249,6 +254,55 @@ class Pref_Prefs extends Handler_Protected {
 
 			print "</form>";
 
+			if ($_SESSION["auth_module"] == "internal") {
+
+				print "<h2>" . __("One time passwords / Authenticator") . "</h2>";
+
+				if ($otp_enabled) {
+
+					print "<p>".__("One time passwords are currently enabled. Change your current password and refresh this page to reconfigure.") . "</p>";
+
+				} else {
+
+					print "<p>".__("You will need a compatible Authenticator to use this. Changing your password would automatically disable OTP.") . "</p>";
+
+					print "<p>".__("Scan the following code by the Authenticator application:")."</p>";
+
+					$csrf_token = $_SESSION["csrf_token"];
+
+					print "<img src=\"backend.php?op=pref-prefs&method=otpqrcode&csrf_token=$csrf_token\">";
+
+					print "<form dojoType=\"dijit.form.Form\" id=\"changeOtpForm\">";
+
+					print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"pref-prefs\">";
+					print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"changeotp\">";
+
+					print "<script type=\"dojo/method\" event=\"onSubmit\" args=\"evt\">
+					evt.preventDefault();
+					if (this.validate()) {
+						notify_progress('Saving data...', true);
+
+						new Ajax.Request('backend.php', {
+							parameters: dojo.objectToQuery(this.getValues()),
+							onComplete: function(transport) {
+								window.location.reload();
+						} });
+
+					}
+					</script>";
+
+					print "<input dojoType=\"dijit.form.CheckBox\" required=\"1\"
+						type=\"checkbox\" id=\"enable_otp\" name=\"enable_otp\"/> ";
+					print "<label for=\"enable_otp\">".__("I have scanned the code and would like to enable OTP")."</label>";
+
+					print "<p><button dojoType=\"dijit.form.Button\" type=\"submit\">".
+						__("Save OTP setting")."</button>";
+
+					print "</form>";
+
+				}
+
+			}
 		}
 
 		print "</div>"; #pane
@@ -571,5 +625,34 @@ class Pref_Prefs extends Handler_Protected {
 	function toggleAdvanced() {
 		$_SESSION["prefs_show_advanced"] = !$_SESSION["prefs_show_advanced"];
 	}
+
+	function otpqrcode() {
+		require_once "lib/otphp/vendor/base32.php";
+		require_once "lib/otphp/lib/otp.php";
+		require_once "lib/otphp/lib/totp.php";
+		require_once "lib/phpqrcode/phpqrcode.php";
+
+		$result = db_query($this->link, "SELECT login,salt
+			FROM ttrss_users
+			WHERE id = ".$_SESSION["uid"]);
+
+		$base32 = new Base32();
+
+		$login = db_fetch_result($result, 0, "login");
+		$secret = $base32->encode(sha1(db_fetch_result($result, 0, "salt")));
+
+		$topt = new \OTPHP\TOTP($secret);
+
+		print QRcode::png($topt->provisioning_uri($login));
+	}
+
+	function changeotp() {
+		$enable_otp = $_REQUEST["enable_otp"];
+
+		if ($enable_otp == "on") {
+			db_query($this->link, "UPDATE ttrss_users SET otp_enabled = true WHERE
+				id = " . $_SESSION["uid"]);
+		}
+	}
 }
 ?>