installed plugin Two Factor
version 0.7.3
280
wp-content/plugins/two-factor/LICENSE.md
Normal file
@ -0,0 +1,280 @@
|
|||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 2, June 1991
|
||||||
|
|
||||||
|
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||||
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The licenses for most software are designed to take away your
|
||||||
|
freedom to share and change it. By contrast, the GNU General Public
|
||||||
|
License is intended to guarantee your freedom to share and change free
|
||||||
|
software--to make sure the software is free for all its users. This
|
||||||
|
General Public License applies to most of the Free Software
|
||||||
|
Foundation's software and to any other program whose authors commit to
|
||||||
|
using it. (Some other Free Software Foundation software is covered by
|
||||||
|
the GNU Lesser General Public License instead.) You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
this service if you wish), that you receive source code or can get it
|
||||||
|
if you want it, that you can change the software or use pieces of it
|
||||||
|
in new free programs; and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to make restrictions that forbid
|
||||||
|
anyone to deny you these rights or to ask you to surrender the rights.
|
||||||
|
These restrictions translate to certain responsibilities for you if you
|
||||||
|
distribute copies of the software, or if you modify it.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must give the recipients all the rights that
|
||||||
|
you have. You must make sure that they, too, receive or can get the
|
||||||
|
source code. And you must show them these terms so they know their
|
||||||
|
rights.
|
||||||
|
|
||||||
|
We protect your rights with two steps: (1) copyright the software, and
|
||||||
|
(2) offer you this license which gives you legal permission to copy,
|
||||||
|
distribute and/or modify the software.
|
||||||
|
|
||||||
|
Also, for each author's protection and ours, we want to make certain
|
||||||
|
that everyone understands that there is no warranty for this free
|
||||||
|
software. If the software is modified by someone else and passed on, we
|
||||||
|
want its recipients to know that what they have is not the original, so
|
||||||
|
that any problems introduced by others will not reflect on the original
|
||||||
|
authors' reputations.
|
||||||
|
|
||||||
|
Finally, any free program is threatened constantly by software
|
||||||
|
patents. We wish to avoid the danger that redistributors of a free
|
||||||
|
program will individually obtain patent licenses, in effect making the
|
||||||
|
program proprietary. To prevent this, we have made it clear that any
|
||||||
|
patent must be licensed for everyone's free use or not licensed at all.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
|
0. This License applies to any program or other work which contains
|
||||||
|
a notice placed by the copyright holder saying it may be distributed
|
||||||
|
under the terms of this General Public License. The "Program", below,
|
||||||
|
refers to any such program or work, and a "work based on the Program"
|
||||||
|
means either the Program or any derivative work under copyright law:
|
||||||
|
that is to say, a work containing the Program or a portion of it,
|
||||||
|
either verbatim or with modifications and/or translated into another
|
||||||
|
language. (Hereinafter, translation is included without limitation in
|
||||||
|
the term "modification".) Each licensee is addressed as "you".
|
||||||
|
|
||||||
|
Activities other than copying, distribution and modification are not
|
||||||
|
covered by this License; they are outside its scope. The act of
|
||||||
|
running the Program is not restricted, and the output from the Program
|
||||||
|
is covered only if its contents constitute a work based on the
|
||||||
|
Program (independent of having been made by running the Program).
|
||||||
|
Whether that is true depends on what the Program does.
|
||||||
|
|
||||||
|
1. You may copy and distribute verbatim copies of the Program's
|
||||||
|
source code as you receive it, in any medium, provided that you
|
||||||
|
conspicuously and appropriately publish on each copy an appropriate
|
||||||
|
copyright notice and disclaimer of warranty; keep intact all the
|
||||||
|
notices that refer to this License and to the absence of any warranty;
|
||||||
|
and give any other recipients of the Program a copy of this License
|
||||||
|
along with the Program.
|
||||||
|
|
||||||
|
You may charge a fee for the physical act of transferring a copy, and
|
||||||
|
you may at your option offer warranty protection in exchange for a fee.
|
||||||
|
|
||||||
|
2. You may modify your copy or copies of the Program or any portion
|
||||||
|
of it, thus forming a work based on the Program, and copy and
|
||||||
|
distribute such modifications or work under the terms of Section 1
|
||||||
|
above, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) You must cause the modified files to carry prominent notices
|
||||||
|
stating that you changed the files and the date of any change.
|
||||||
|
|
||||||
|
b) You must cause any work that you distribute or publish, that in
|
||||||
|
whole or in part contains or is derived from the Program or any
|
||||||
|
part thereof, to be licensed as a whole at no charge to all third
|
||||||
|
parties under the terms of this License.
|
||||||
|
|
||||||
|
c) If the modified program normally reads commands interactively
|
||||||
|
when run, you must cause it, when started running for such
|
||||||
|
interactive use in the most ordinary way, to print or display an
|
||||||
|
announcement including an appropriate copyright notice and a
|
||||||
|
notice that there is no warranty (or else, saying that you provide
|
||||||
|
a warranty) and that users may redistribute the program under
|
||||||
|
these conditions, and telling the user how to view a copy of this
|
||||||
|
License. (Exception: if the Program itself is interactive but
|
||||||
|
does not normally print such an announcement, your work based on
|
||||||
|
the Program is not required to print an announcement.)
|
||||||
|
|
||||||
|
These requirements apply to the modified work as a whole. If
|
||||||
|
identifiable sections of that work are not derived from the Program,
|
||||||
|
and can be reasonably considered independent and separate works in
|
||||||
|
themselves, then this License, and its terms, do not apply to those
|
||||||
|
sections when you distribute them as separate works. But when you
|
||||||
|
distribute the same sections as part of a whole which is a work based
|
||||||
|
on the Program, the distribution of the whole must be on the terms of
|
||||||
|
this License, whose permissions for other licensees extend to the
|
||||||
|
entire whole, and thus to each and every part regardless of who wrote it.
|
||||||
|
|
||||||
|
Thus, it is not the intent of this section to claim rights or contest
|
||||||
|
your rights to work written entirely by you; rather, the intent is to
|
||||||
|
exercise the right to control the distribution of derivative or
|
||||||
|
collective works based on the Program.
|
||||||
|
|
||||||
|
In addition, mere aggregation of another work not based on the Program
|
||||||
|
with the Program (or with a work based on the Program) on a volume of
|
||||||
|
a storage or distribution medium does not bring the other work under
|
||||||
|
the scope of this License.
|
||||||
|
|
||||||
|
3. You may copy and distribute the Program (or a work based on it,
|
||||||
|
under Section 2) in object code or executable form under the terms of
|
||||||
|
Sections 1 and 2 above provided that you also do one of the following:
|
||||||
|
|
||||||
|
a) Accompany it with the complete corresponding machine-readable
|
||||||
|
source code, which must be distributed under the terms of Sections
|
||||||
|
1 and 2 above on a medium customarily used for software interchange; or,
|
||||||
|
|
||||||
|
b) Accompany it with a written offer, valid for at least three
|
||||||
|
years, to give any third party, for a charge no more than your
|
||||||
|
cost of physically performing source distribution, a complete
|
||||||
|
machine-readable copy of the corresponding source code, to be
|
||||||
|
distributed under the terms of Sections 1 and 2 above on a medium
|
||||||
|
customarily used for software interchange; or,
|
||||||
|
|
||||||
|
c) Accompany it with the information you received as to the offer
|
||||||
|
to distribute corresponding source code. (This alternative is
|
||||||
|
allowed only for noncommercial distribution and only if you
|
||||||
|
received the program in object code or executable form with such
|
||||||
|
an offer, in accord with Subsection b above.)
|
||||||
|
|
||||||
|
The source code for a work means the preferred form of the work for
|
||||||
|
making modifications to it. For an executable work, complete source
|
||||||
|
code means all the source code for all modules it contains, plus any
|
||||||
|
associated interface definition files, plus the scripts used to
|
||||||
|
control compilation and installation of the executable. However, as a
|
||||||
|
special exception, the source code distributed need not include
|
||||||
|
anything that is normally distributed (in either source or binary
|
||||||
|
form) with the major components (compiler, kernel, and so on) of the
|
||||||
|
operating system on which the executable runs, unless that component
|
||||||
|
itself accompanies the executable.
|
||||||
|
|
||||||
|
If distribution of executable or object code is made by offering
|
||||||
|
access to copy from a designated place, then offering equivalent
|
||||||
|
access to copy the source code from the same place counts as
|
||||||
|
distribution of the source code, even though third parties are not
|
||||||
|
compelled to copy the source along with the object code.
|
||||||
|
|
||||||
|
4. You may not copy, modify, sublicense, or distribute the Program
|
||||||
|
except as expressly provided under this License. Any attempt
|
||||||
|
otherwise to copy, modify, sublicense or distribute the Program is
|
||||||
|
void, and will automatically terminate your rights under this License.
|
||||||
|
However, parties who have received copies, or rights, from you under
|
||||||
|
this License will not have their licenses terminated so long as such
|
||||||
|
parties remain in full compliance.
|
||||||
|
|
||||||
|
5. You are not required to accept this License, since you have not
|
||||||
|
signed it. However, nothing else grants you permission to modify or
|
||||||
|
distribute the Program or its derivative works. These actions are
|
||||||
|
prohibited by law if you do not accept this License. Therefore, by
|
||||||
|
modifying or distributing the Program (or any work based on the
|
||||||
|
Program), you indicate your acceptance of this License to do so, and
|
||||||
|
all its terms and conditions for copying, distributing or modifying
|
||||||
|
the Program or works based on it.
|
||||||
|
|
||||||
|
6. Each time you redistribute the Program (or any work based on the
|
||||||
|
Program), the recipient automatically receives a license from the
|
||||||
|
original licensor to copy, distribute or modify the Program subject to
|
||||||
|
these terms and conditions. You may not impose any further
|
||||||
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
|
You are not responsible for enforcing compliance by third parties to
|
||||||
|
this License.
|
||||||
|
|
||||||
|
7. If, as a consequence of a court judgment or allegation of patent
|
||||||
|
infringement or for any other reason (not limited to patent issues),
|
||||||
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot
|
||||||
|
distribute so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you
|
||||||
|
may not distribute the Program at all. For example, if a patent
|
||||||
|
license would not permit royalty-free redistribution of the Program by
|
||||||
|
all those who receive copies directly or indirectly through you, then
|
||||||
|
the only way you could satisfy both it and this License would be to
|
||||||
|
refrain entirely from distribution of the Program.
|
||||||
|
|
||||||
|
If any portion of this section is held invalid or unenforceable under
|
||||||
|
any particular circumstance, the balance of the section is intended to
|
||||||
|
apply and the section as a whole is intended to apply in other
|
||||||
|
circumstances.
|
||||||
|
|
||||||
|
It is not the purpose of this section to induce you to infringe any
|
||||||
|
patents or other property right claims or to contest validity of any
|
||||||
|
such claims; this section has the sole purpose of protecting the
|
||||||
|
integrity of the free software distribution system, which is
|
||||||
|
implemented by public license practices. Many people have made
|
||||||
|
generous contributions to the wide range of software distributed
|
||||||
|
through that system in reliance on consistent application of that
|
||||||
|
system; it is up to the author/donor to decide if he or she is willing
|
||||||
|
to distribute software through any other system and a licensee cannot
|
||||||
|
impose that choice.
|
||||||
|
|
||||||
|
This section is intended to make thoroughly clear what is believed to
|
||||||
|
be a consequence of the rest of this License.
|
||||||
|
|
||||||
|
8. If the distribution and/or use of the Program is restricted in
|
||||||
|
certain countries either by patents or by copyrighted interfaces, the
|
||||||
|
original copyright holder who places the Program under this License
|
||||||
|
may add an explicit geographical distribution limitation excluding
|
||||||
|
those countries, so that distribution is permitted only in or among
|
||||||
|
countries not thus excluded. In such case, this License incorporates
|
||||||
|
the limitation as if written in the body of this License.
|
||||||
|
|
||||||
|
9. The Free Software Foundation may publish revised and/or new versions
|
||||||
|
of the General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the Program
|
||||||
|
specifies a version number of this License which applies to it and "any
|
||||||
|
later version", you have the option of following the terms and conditions
|
||||||
|
either of that version or of any later version published by the Free
|
||||||
|
Software Foundation. If the Program does not specify a version number of
|
||||||
|
this License, you may choose any version ever published by the Free Software
|
||||||
|
Foundation.
|
||||||
|
|
||||||
|
10. If you wish to incorporate parts of the Program into other free
|
||||||
|
programs whose distribution conditions are different, write to the author
|
||||||
|
to ask for permission. For software which is copyrighted by the Free
|
||||||
|
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||||
|
make exceptions for this. Our decision will be guided by the two goals
|
||||||
|
of preserving the free status of all derivatives of our free software and
|
||||||
|
of promoting the sharing and reuse of software generally.
|
||||||
|
|
||||||
|
NO WARRANTY
|
||||||
|
|
||||||
|
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||||
|
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||||
|
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||||
|
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||||
|
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||||
|
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||||
|
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||||
|
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||||
|
REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||||
|
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||||
|
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||||
|
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||||
|
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||||
|
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||||
|
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||||
|
POSSIBILITY OF SUCH DAMAGES.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
BIN
wp-content/plugins/two-factor/assets/banner-1544x500.png
Normal file
After Width: | Height: | Size: 4.7 KiB |
BIN
wp-content/plugins/two-factor/assets/banner-772x250.png
Normal file
After Width: | Height: | Size: 2.2 KiB |
BIN
wp-content/plugins/two-factor/assets/icon-128x128.png
Normal file
After Width: | Height: | Size: 1.2 KiB |
BIN
wp-content/plugins/two-factor/assets/icon-256x256.png
Normal file
After Width: | Height: | Size: 2.3 KiB |
6
wp-content/plugins/two-factor/assets/icon.svg
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
<svg xmlns="http://www.w3.org/2000/svg" width="256" height="256">
|
||||||
|
<g fill="none" fill-rule="evenodd">
|
||||||
|
<path fill="#CCC" d="M98 150a60 60 0 1 1 60 0v60a8 8 0 0 1-8 8h-44a8 8 0 0 1-8-8v-60z"/>
|
||||||
|
<path fill="#0073AA" d="M116 132a36 36 0 1 1 24 0v64.7a4 4 0 0 1-4 4h-16a4 4 0 0 1-4-4v-64-.7z"/>
|
||||||
|
</g>
|
||||||
|
</svg>
|
After Width: | Height: | Size: 313 B |
BIN
wp-content/plugins/two-factor/assets/screenshot-1.png
Normal file
After Width: | Height: | Size: 171 KiB |
BIN
wp-content/plugins/two-factor/assets/screenshot-2.png
Normal file
After Width: | Height: | Size: 160 KiB |
BIN
wp-content/plugins/two-factor/assets/screenshot-3.png
Normal file
After Width: | Height: | Size: 6.0 KiB |
55
wp-content/plugins/two-factor/class-two-factor-compat.php
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* A compatibility layer for some of the most popular plugins.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A compatibility layer for some of the most popular plugins.
|
||||||
|
*
|
||||||
|
* Should be used with care because ideally we wouldn't need
|
||||||
|
* any integration specific code for this plugin. Everything should
|
||||||
|
* be handled through clever use of hooks and best practices.
|
||||||
|
*/
|
||||||
|
class Two_Factor_Compat {
|
||||||
|
/**
|
||||||
|
* Initialize all the custom hooks as necessary.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function init() {
|
||||||
|
/**
|
||||||
|
* Jetpack
|
||||||
|
*
|
||||||
|
* @see https://wordpress.org/plugins/jetpack/
|
||||||
|
*/
|
||||||
|
add_filter( 'two_factor_rememberme', array( $this, 'jetpack_rememberme' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Jetpack single sign-on wants long-lived sessions for users.
|
||||||
|
*
|
||||||
|
* @param boolean $rememberme Current state of the "remember me" toggle.
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function jetpack_rememberme( $rememberme ) {
|
||||||
|
$action = filter_input( INPUT_GET, 'action', FILTER_CALLBACK, array( 'options' => 'sanitize_key' ) );
|
||||||
|
|
||||||
|
if ( 'jetpack-sso' === $action && $this->jetpack_is_sso_active() ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return $rememberme;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper to detect the presence of the active SSO module.
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function jetpack_is_sso_active() {
|
||||||
|
return ( method_exists( 'Jetpack', 'is_module_active' ) && Jetpack::is_module_active( 'sso' ) );
|
||||||
|
}
|
||||||
|
}
|
1071
wp-content/plugins/two-factor/class-two-factor-core.php
Normal file
748
wp-content/plugins/two-factor/includes/Google/u2f-api.js
Normal file
@ -0,0 +1,748 @@
|
|||||||
|
//Copyright 2014-2015 Google Inc. All rights reserved.
|
||||||
|
|
||||||
|
//Use of this source code is governed by a BSD-style
|
||||||
|
//license that can be found in the LICENSE file or at
|
||||||
|
//https://developers.google.com/open-source/licenses/bsd
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @fileoverview The U2F api.
|
||||||
|
*/
|
||||||
|
'use strict';
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Namespace for the U2F api.
|
||||||
|
* @type {Object}
|
||||||
|
*/
|
||||||
|
var u2f = u2f || {};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* FIDO U2F Javascript API Version
|
||||||
|
* @number
|
||||||
|
*/
|
||||||
|
var js_api_version;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The U2F extension id
|
||||||
|
* @const {string}
|
||||||
|
*/
|
||||||
|
// The Chrome packaged app extension ID.
|
||||||
|
// Uncomment this if you want to deploy a server instance that uses
|
||||||
|
// the package Chrome app and does not require installing the U2F Chrome extension.
|
||||||
|
u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
|
||||||
|
// The U2F Chrome extension ID.
|
||||||
|
// Uncomment this if you want to deploy a server instance that uses
|
||||||
|
// the U2F Chrome extension to authenticate.
|
||||||
|
// u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Message types for messages to/from the extension
|
||||||
|
* @const
|
||||||
|
* @enum {string}
|
||||||
|
*/
|
||||||
|
u2f.MessageTypes = {
|
||||||
|
'U2F_REGISTER_REQUEST': 'u2f_register_request',
|
||||||
|
'U2F_REGISTER_RESPONSE': 'u2f_register_response',
|
||||||
|
'U2F_SIGN_REQUEST': 'u2f_sign_request',
|
||||||
|
'U2F_SIGN_RESPONSE': 'u2f_sign_response',
|
||||||
|
'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
|
||||||
|
'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Response status codes
|
||||||
|
* @const
|
||||||
|
* @enum {number}
|
||||||
|
*/
|
||||||
|
u2f.ErrorCodes = {
|
||||||
|
'OK': 0,
|
||||||
|
'OTHER_ERROR': 1,
|
||||||
|
'BAD_REQUEST': 2,
|
||||||
|
'CONFIGURATION_UNSUPPORTED': 3,
|
||||||
|
'DEVICE_INELIGIBLE': 4,
|
||||||
|
'TIMEOUT': 5
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A message for registration requests
|
||||||
|
* @typedef {{
|
||||||
|
* type: u2f.MessageTypes,
|
||||||
|
* appId: ?string,
|
||||||
|
* timeoutSeconds: ?number,
|
||||||
|
* requestId: ?number
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.U2fRequest;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A message for registration responses
|
||||||
|
* @typedef {{
|
||||||
|
* type: u2f.MessageTypes,
|
||||||
|
* responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
|
||||||
|
* requestId: ?number
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.U2fResponse;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* An error object for responses
|
||||||
|
* @typedef {{
|
||||||
|
* errorCode: u2f.ErrorCodes,
|
||||||
|
* errorMessage: ?string
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.Error;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a single sign request.
|
||||||
|
* @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
|
||||||
|
*/
|
||||||
|
u2f.Transport;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a single sign request.
|
||||||
|
* @typedef {Array<u2f.Transport>}
|
||||||
|
*/
|
||||||
|
u2f.Transports;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a single sign request.
|
||||||
|
* @typedef {{
|
||||||
|
* version: string,
|
||||||
|
* challenge: string,
|
||||||
|
* keyHandle: string,
|
||||||
|
* appId: string
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.SignRequest;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a sign response.
|
||||||
|
* @typedef {{
|
||||||
|
* keyHandle: string,
|
||||||
|
* signatureData: string,
|
||||||
|
* clientData: string
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.SignResponse;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a registration request.
|
||||||
|
* @typedef {{
|
||||||
|
* version: string,
|
||||||
|
* challenge: string
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.RegisterRequest;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a registration response.
|
||||||
|
* @typedef {{
|
||||||
|
* version: string,
|
||||||
|
* keyHandle: string,
|
||||||
|
* transports: Transports,
|
||||||
|
* appId: string
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.RegisterResponse;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a registered key.
|
||||||
|
* @typedef {{
|
||||||
|
* version: string,
|
||||||
|
* keyHandle: string,
|
||||||
|
* transports: ?Transports,
|
||||||
|
* appId: ?string
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.RegisteredKey;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Data object for a get API register response.
|
||||||
|
* @typedef {{
|
||||||
|
* js_api_version: number
|
||||||
|
* }}
|
||||||
|
*/
|
||||||
|
u2f.GetJsApiVersionResponse;
|
||||||
|
|
||||||
|
|
||||||
|
//Low level MessagePort API support
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets up a MessagePort to the U2F extension using the
|
||||||
|
* available mechanisms.
|
||||||
|
* @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
|
||||||
|
*/
|
||||||
|
u2f.getMessagePort = function(callback) {
|
||||||
|
if (typeof chrome != 'undefined' && chrome.runtime) {
|
||||||
|
// The actual message here does not matter, but we need to get a reply
|
||||||
|
// for the callback to run. Thus, send an empty signature request
|
||||||
|
// in order to get a failure response.
|
||||||
|
var msg = {
|
||||||
|
type: u2f.MessageTypes.U2F_SIGN_REQUEST,
|
||||||
|
signRequests: []
|
||||||
|
};
|
||||||
|
chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
|
||||||
|
if (!chrome.runtime.lastError) {
|
||||||
|
// We are on a whitelisted origin and can talk directly
|
||||||
|
// with the extension.
|
||||||
|
u2f.getChromeRuntimePort_(callback);
|
||||||
|
} else {
|
||||||
|
// chrome.runtime was available, but we couldn't message
|
||||||
|
// the extension directly, use iframe
|
||||||
|
u2f.getIframePort_(callback);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} else if (u2f.isAndroidChrome_()) {
|
||||||
|
u2f.getAuthenticatorPort_(callback);
|
||||||
|
} else if (u2f.isIosChrome_()) {
|
||||||
|
u2f.getIosPort_(callback);
|
||||||
|
} else {
|
||||||
|
// chrome.runtime was not available at all, which is normal
|
||||||
|
// when this origin doesn't have access to any extensions.
|
||||||
|
u2f.getIframePort_(callback);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Detect chrome running on android based on the browser's useragent.
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.isAndroidChrome_ = function() {
|
||||||
|
var userAgent = navigator.userAgent;
|
||||||
|
return userAgent.indexOf('Chrome') != -1 &&
|
||||||
|
userAgent.indexOf('Android') != -1;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Detect chrome running on iOS based on the browser's platform.
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.isIosChrome_ = function() {
|
||||||
|
return ["iPhone", "iPad", "iPod"].indexOf(navigator.platform) > -1;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Connects directly to the extension via chrome.runtime.connect.
|
||||||
|
* @param {function(u2f.WrappedChromeRuntimePort_)} callback
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.getChromeRuntimePort_ = function(callback) {
|
||||||
|
var port = chrome.runtime.connect(u2f.EXTENSION_ID,
|
||||||
|
{'includeTlsChannelId': true});
|
||||||
|
setTimeout(function() {
|
||||||
|
callback(new u2f.WrappedChromeRuntimePort_(port));
|
||||||
|
}, 0);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a 'port' abstraction to the Authenticator app.
|
||||||
|
* @param {function(u2f.WrappedAuthenticatorPort_)} callback
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.getAuthenticatorPort_ = function(callback) {
|
||||||
|
setTimeout(function() {
|
||||||
|
callback(new u2f.WrappedAuthenticatorPort_());
|
||||||
|
}, 0);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return a 'port' abstraction to the iOS client app.
|
||||||
|
* @param {function(u2f.WrappedIosPort_)} callback
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.getIosPort_ = function(callback) {
|
||||||
|
setTimeout(function() {
|
||||||
|
callback(new u2f.WrappedIosPort_());
|
||||||
|
}, 0);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A wrapper for chrome.runtime.Port that is compatible with MessagePort.
|
||||||
|
* @param {Port} port
|
||||||
|
* @constructor
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.WrappedChromeRuntimePort_ = function(port) {
|
||||||
|
this.port_ = port;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Format and return a sign request compliant with the JS API version supported by the extension.
|
||||||
|
* @param {Array<u2f.SignRequest>} signRequests
|
||||||
|
* @param {number} timeoutSeconds
|
||||||
|
* @param {number} reqId
|
||||||
|
* @return {Object}
|
||||||
|
*/
|
||||||
|
u2f.formatSignRequest_ =
|
||||||
|
function(appId, challenge, registeredKeys, timeoutSeconds, reqId) {
|
||||||
|
if (js_api_version === undefined || js_api_version < 1.1) {
|
||||||
|
// Adapt request to the 1.0 JS API.
|
||||||
|
var signRequests = [];
|
||||||
|
for (var i = 0; i < registeredKeys.length; i++) {
|
||||||
|
signRequests[i] = {
|
||||||
|
version: registeredKeys[i].version,
|
||||||
|
challenge: challenge,
|
||||||
|
keyHandle: registeredKeys[i].keyHandle,
|
||||||
|
appId: appId
|
||||||
|
};
|
||||||
|
}
|
||||||
|
return {
|
||||||
|
type: u2f.MessageTypes.U2F_SIGN_REQUEST,
|
||||||
|
signRequests: signRequests,
|
||||||
|
timeoutSeconds: timeoutSeconds,
|
||||||
|
requestId: reqId
|
||||||
|
};
|
||||||
|
}
|
||||||
|
// JS 1.1 API.
|
||||||
|
return {
|
||||||
|
type: u2f.MessageTypes.U2F_SIGN_REQUEST,
|
||||||
|
appId: appId,
|
||||||
|
challenge: challenge,
|
||||||
|
registeredKeys: registeredKeys,
|
||||||
|
timeoutSeconds: timeoutSeconds,
|
||||||
|
requestId: reqId
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Format and return a register request compliant with the JS API version supported by the extension..
|
||||||
|
* @param {Array<u2f.SignRequest>} signRequests
|
||||||
|
* @param {Array<u2f.RegisterRequest>} signRequests
|
||||||
|
* @param {number} timeoutSeconds
|
||||||
|
* @param {number} reqId
|
||||||
|
* @return {Object}
|
||||||
|
*/
|
||||||
|
u2f.formatRegisterRequest_ =
|
||||||
|
function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
|
||||||
|
if (js_api_version === undefined || js_api_version < 1.1) {
|
||||||
|
// Adapt request to the 1.0 JS API.
|
||||||
|
for (var i = 0; i < registerRequests.length; i++) {
|
||||||
|
registerRequests[i].appId = appId;
|
||||||
|
}
|
||||||
|
var signRequests = [];
|
||||||
|
for (var i = 0; i < registeredKeys.length; i++) {
|
||||||
|
signRequests[i] = {
|
||||||
|
version: registeredKeys[i].version,
|
||||||
|
challenge: registerRequests[0],
|
||||||
|
keyHandle: registeredKeys[i].keyHandle,
|
||||||
|
appId: appId
|
||||||
|
};
|
||||||
|
}
|
||||||
|
return {
|
||||||
|
type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
|
||||||
|
signRequests: signRequests,
|
||||||
|
registerRequests: registerRequests,
|
||||||
|
timeoutSeconds: timeoutSeconds,
|
||||||
|
requestId: reqId
|
||||||
|
};
|
||||||
|
}
|
||||||
|
// JS 1.1 API.
|
||||||
|
return {
|
||||||
|
type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
|
||||||
|
appId: appId,
|
||||||
|
registerRequests: registerRequests,
|
||||||
|
registeredKeys: registeredKeys,
|
||||||
|
timeoutSeconds: timeoutSeconds,
|
||||||
|
requestId: reqId
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Posts a message on the underlying channel.
|
||||||
|
* @param {Object} message
|
||||||
|
*/
|
||||||
|
u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
|
||||||
|
this.port_.postMessage(message);
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Emulates the HTML 5 addEventListener interface. Works only for the
|
||||||
|
* onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
|
||||||
|
* @param {string} eventName
|
||||||
|
* @param {function({data: Object})} handler
|
||||||
|
*/
|
||||||
|
u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
|
||||||
|
function(eventName, handler) {
|
||||||
|
var name = eventName.toLowerCase();
|
||||||
|
if (name == 'message' || name == 'onmessage') {
|
||||||
|
this.port_.onMessage.addListener(function(message) {
|
||||||
|
// Emulate a minimal MessageEvent object.
|
||||||
|
handler({'data': message});
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
console.error('WrappedChromeRuntimePort only supports onMessage');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wrap the Authenticator app with a MessagePort interface.
|
||||||
|
* @constructor
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.WrappedAuthenticatorPort_ = function() {
|
||||||
|
this.requestId_ = -1;
|
||||||
|
this.requestObject_ = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Launch the Authenticator intent.
|
||||||
|
* @param {Object} message
|
||||||
|
*/
|
||||||
|
u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
|
||||||
|
var intentUrl =
|
||||||
|
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
|
||||||
|
';S.request=' + encodeURIComponent(JSON.stringify(message)) +
|
||||||
|
';end';
|
||||||
|
document.location = intentUrl;
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tells what type of port this is.
|
||||||
|
* @return {String} port type
|
||||||
|
*/
|
||||||
|
u2f.WrappedAuthenticatorPort_.prototype.getPortType = function() {
|
||||||
|
return "WrappedAuthenticatorPort_";
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Emulates the HTML 5 addEventListener interface.
|
||||||
|
* @param {string} eventName
|
||||||
|
* @param {function({data: Object})} handler
|
||||||
|
*/
|
||||||
|
u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function(eventName, handler) {
|
||||||
|
var name = eventName.toLowerCase();
|
||||||
|
if (name == 'message') {
|
||||||
|
var self = this;
|
||||||
|
/* Register a callback to that executes when
|
||||||
|
* chrome injects the response. */
|
||||||
|
window.addEventListener(
|
||||||
|
'message', self.onRequestUpdate_.bind(self, handler), false);
|
||||||
|
} else {
|
||||||
|
console.error('WrappedAuthenticatorPort only supports message');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Callback invoked when a response is received from the Authenticator.
|
||||||
|
* @param function({data: Object}) callback
|
||||||
|
* @param {Object} message message Object
|
||||||
|
*/
|
||||||
|
u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
|
||||||
|
function(callback, message) {
|
||||||
|
var messageObject = JSON.parse(message.data);
|
||||||
|
var intentUrl = messageObject['intentURL'];
|
||||||
|
|
||||||
|
var errorCode = messageObject['errorCode'];
|
||||||
|
var responseObject = null;
|
||||||
|
if (messageObject.hasOwnProperty('data')) {
|
||||||
|
responseObject = /** @type {Object} */ (
|
||||||
|
JSON.parse(messageObject['data']));
|
||||||
|
}
|
||||||
|
|
||||||
|
callback({'data': responseObject});
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Base URL for intents to Authenticator.
|
||||||
|
* @const
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
|
||||||
|
'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wrap the iOS client app with a MessagePort interface.
|
||||||
|
* @constructor
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.WrappedIosPort_ = function() {};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Launch the iOS client app request
|
||||||
|
* @param {Object} message
|
||||||
|
*/
|
||||||
|
u2f.WrappedIosPort_.prototype.postMessage = function(message) {
|
||||||
|
var str = JSON.stringify(message);
|
||||||
|
var url = "u2f://auth?" + encodeURI(str);
|
||||||
|
location.replace(url);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tells what type of port this is.
|
||||||
|
* @return {String} port type
|
||||||
|
*/
|
||||||
|
u2f.WrappedIosPort_.prototype.getPortType = function() {
|
||||||
|
return "WrappedIosPort_";
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Emulates the HTML 5 addEventListener interface.
|
||||||
|
* @param {string} eventName
|
||||||
|
* @param {function({data: Object})} handler
|
||||||
|
*/
|
||||||
|
u2f.WrappedIosPort_.prototype.addEventListener = function(eventName, handler) {
|
||||||
|
var name = eventName.toLowerCase();
|
||||||
|
if (name !== 'message') {
|
||||||
|
console.error('WrappedIosPort only supports message');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets up an embedded trampoline iframe, sourced from the extension.
|
||||||
|
* @param {function(MessagePort)} callback
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.getIframePort_ = function(callback) {
|
||||||
|
// Create the iframe
|
||||||
|
var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
|
||||||
|
var iframe = document.createElement('iframe');
|
||||||
|
iframe.src = iframeOrigin + '/u2f-comms.html';
|
||||||
|
iframe.setAttribute('style', 'display:none');
|
||||||
|
document.body.appendChild(iframe);
|
||||||
|
|
||||||
|
var channel = new MessageChannel();
|
||||||
|
var ready = function(message) {
|
||||||
|
if (message.data == 'ready') {
|
||||||
|
channel.port1.removeEventListener('message', ready);
|
||||||
|
callback(channel.port1);
|
||||||
|
} else {
|
||||||
|
console.error('First event on iframe port was not "ready"');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
channel.port1.addEventListener('message', ready);
|
||||||
|
channel.port1.start();
|
||||||
|
|
||||||
|
iframe.addEventListener('load', function() {
|
||||||
|
// Deliver the port to the iframe and initialize
|
||||||
|
iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
//High-level JS API
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Default extension response timeout in seconds.
|
||||||
|
* @const
|
||||||
|
*/
|
||||||
|
u2f.EXTENSION_TIMEOUT_SEC = 30;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A singleton instance for a MessagePort to the extension.
|
||||||
|
* @type {MessagePort|u2f.WrappedChromeRuntimePort_}
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.port_ = null;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Callbacks waiting for a port
|
||||||
|
* @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.waitingForPort_ = [];
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A counter for requestIds.
|
||||||
|
* @type {number}
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.reqCounter_ = 0;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A map from requestIds to client callbacks
|
||||||
|
* @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
|
||||||
|
* |function((u2f.Error|u2f.SignResponse)))>}
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.callbackMap_ = {};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Creates or retrieves the MessagePort singleton to use.
|
||||||
|
* @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.getPortSingleton_ = function(callback) {
|
||||||
|
if (u2f.port_) {
|
||||||
|
callback(u2f.port_);
|
||||||
|
} else {
|
||||||
|
if (u2f.waitingForPort_.length == 0) {
|
||||||
|
u2f.getMessagePort(function(port) {
|
||||||
|
u2f.port_ = port;
|
||||||
|
u2f.port_.addEventListener('message',
|
||||||
|
/** @type {function(Event)} */ (u2f.responseHandler_));
|
||||||
|
|
||||||
|
// Careful, here be async callbacks. Maybe.
|
||||||
|
while (u2f.waitingForPort_.length)
|
||||||
|
u2f.waitingForPort_.shift()(u2f.port_);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
u2f.waitingForPort_.push(callback);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Handles response messages from the extension.
|
||||||
|
* @param {MessageEvent.<u2f.Response>} message
|
||||||
|
* @private
|
||||||
|
*/
|
||||||
|
u2f.responseHandler_ = function(message) {
|
||||||
|
var response = message.data;
|
||||||
|
var reqId = response['requestId'];
|
||||||
|
if (!reqId || !u2f.callbackMap_[reqId]) {
|
||||||
|
console.error('Unknown or missing requestId in response.');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
var cb = u2f.callbackMap_[reqId];
|
||||||
|
delete u2f.callbackMap_[reqId];
|
||||||
|
cb(response['responseData']);
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Dispatches an array of sign requests to available U2F tokens.
|
||||||
|
* If the JS API version supported by the extension is unknown, it first sends a
|
||||||
|
* message to the extension to find out the supported API version and then it sends
|
||||||
|
* the sign request.
|
||||||
|
* @param {string=} appId
|
||||||
|
* @param {string=} challenge
|
||||||
|
* @param {Array<u2f.RegisteredKey>} registeredKeys
|
||||||
|
* @param {function((u2f.Error|u2f.SignResponse))} callback
|
||||||
|
* @param {number=} opt_timeoutSeconds
|
||||||
|
*/
|
||||||
|
u2f.sign = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
|
||||||
|
if (js_api_version === undefined) {
|
||||||
|
// Send a message to get the extension to JS API version, then send the actual sign request.
|
||||||
|
u2f.getApiVersion(
|
||||||
|
function (response) {
|
||||||
|
js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
|
||||||
|
console.log("Extension JS API Version: ", js_api_version);
|
||||||
|
u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
// We know the JS API version. Send the actual sign request in the supported API version.
|
||||||
|
u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Dispatches an array of sign requests to available U2F tokens.
|
||||||
|
* @param {string=} appId
|
||||||
|
* @param {string=} challenge
|
||||||
|
* @param {Array<u2f.RegisteredKey>} registeredKeys
|
||||||
|
* @param {function((u2f.Error|u2f.SignResponse))} callback
|
||||||
|
* @param {number=} opt_timeoutSeconds
|
||||||
|
*/
|
||||||
|
u2f.sendSignRequest = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
|
||||||
|
u2f.getPortSingleton_(function(port) {
|
||||||
|
var reqId = ++u2f.reqCounter_;
|
||||||
|
u2f.callbackMap_[reqId] = callback;
|
||||||
|
var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
|
||||||
|
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
|
||||||
|
var req = u2f.formatSignRequest_(appId, challenge, registeredKeys, timeoutSeconds, reqId);
|
||||||
|
port.postMessage(req);
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Dispatches register requests to available U2F tokens. An array of sign
|
||||||
|
* requests identifies already registered tokens.
|
||||||
|
* If the JS API version supported by the extension is unknown, it first sends a
|
||||||
|
* message to the extension to find out the supported API version and then it sends
|
||||||
|
* the register request.
|
||||||
|
* @param {string=} appId
|
||||||
|
* @param {Array<u2f.RegisterRequest>} registerRequests
|
||||||
|
* @param {Array<u2f.RegisteredKey>} registeredKeys
|
||||||
|
* @param {function((u2f.Error|u2f.RegisterResponse))} callback
|
||||||
|
* @param {number=} opt_timeoutSeconds
|
||||||
|
*/
|
||||||
|
u2f.register = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
|
||||||
|
if (js_api_version === undefined) {
|
||||||
|
// Send a message to get the extension to JS API version, then send the actual register request.
|
||||||
|
u2f.getApiVersion(
|
||||||
|
function (response) {
|
||||||
|
js_api_version = response['js_api_version'] === undefined ? 0: response['js_api_version'];
|
||||||
|
console.log("Extension JS API Version: ", js_api_version);
|
||||||
|
u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
|
||||||
|
callback, opt_timeoutSeconds);
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
// We know the JS API version. Send the actual register request in the supported API version.
|
||||||
|
u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
|
||||||
|
callback, opt_timeoutSeconds);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Dispatches register requests to available U2F tokens. An array of sign
|
||||||
|
* requests identifies already registered tokens.
|
||||||
|
* @param {string=} appId
|
||||||
|
* @param {Array<u2f.RegisterRequest>} registerRequests
|
||||||
|
* @param {Array<u2f.RegisteredKey>} registeredKeys
|
||||||
|
* @param {function((u2f.Error|u2f.RegisterResponse))} callback
|
||||||
|
* @param {number=} opt_timeoutSeconds
|
||||||
|
*/
|
||||||
|
u2f.sendRegisterRequest = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
|
||||||
|
u2f.getPortSingleton_(function(port) {
|
||||||
|
var reqId = ++u2f.reqCounter_;
|
||||||
|
u2f.callbackMap_[reqId] = callback;
|
||||||
|
var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
|
||||||
|
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
|
||||||
|
var req = u2f.formatRegisterRequest_(
|
||||||
|
appId, registeredKeys, registerRequests, timeoutSeconds, reqId);
|
||||||
|
port.postMessage(req);
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Dispatches a message to the extension to find out the supported
|
||||||
|
* JS API version.
|
||||||
|
* If the user is on a mobile phone and is thus using Google Authenticator instead
|
||||||
|
* of the Chrome extension, don't send the request and simply return 0.
|
||||||
|
* @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback
|
||||||
|
* @param {number=} opt_timeoutSeconds
|
||||||
|
*/
|
||||||
|
u2f.getApiVersion = function(callback, opt_timeoutSeconds) {
|
||||||
|
u2f.getPortSingleton_(function(port) {
|
||||||
|
// If we are using Android Google Authenticator or iOS client app,
|
||||||
|
// do not fire an intent to ask which JS API version to use.
|
||||||
|
if (port.getPortType) {
|
||||||
|
var apiVersion;
|
||||||
|
switch (port.getPortType()) {
|
||||||
|
case 'WrappedIosPort_':
|
||||||
|
case 'WrappedAuthenticatorPort_':
|
||||||
|
apiVersion = 1.1;
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
apiVersion = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
callback({ 'js_api_version': apiVersion });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
var reqId = ++u2f.reqCounter_;
|
||||||
|
u2f.callbackMap_[reqId] = callback;
|
||||||
|
var req = {
|
||||||
|
type: u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST,
|
||||||
|
timeoutSeconds: (typeof opt_timeoutSeconds !== 'undefined' ?
|
||||||
|
opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC),
|
||||||
|
requestId: reqId
|
||||||
|
};
|
||||||
|
port.postMessage(req);
|
||||||
|
});
|
||||||
|
};
|
507
wp-content/plugins/two-factor/includes/Yubico/U2F.php
Normal file
@ -0,0 +1,507 @@
|
|||||||
|
<?php
|
||||||
|
/* Copyright (c) 2014 Yubico AB
|
||||||
|
* All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions are
|
||||||
|
* met:
|
||||||
|
*
|
||||||
|
* * Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
*
|
||||||
|
* * Redistributions in binary form must reproduce the above
|
||||||
|
* copyright notice, this list of conditions and the following
|
||||||
|
* disclaimer in the documentation and/or other materials provided
|
||||||
|
* with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||||
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||||
|
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||||
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace u2flib_server;
|
||||||
|
|
||||||
|
/** Constant for the version of the u2f protocol */
|
||||||
|
const U2F_VERSION = "U2F_V2";
|
||||||
|
|
||||||
|
/** Error for the authentication message not matching any outstanding
|
||||||
|
* authentication request */
|
||||||
|
const ERR_NO_MATCHING_REQUEST = 1;
|
||||||
|
|
||||||
|
/** Error for the authentication message not matching any registration */
|
||||||
|
const ERR_NO_MATCHING_REGISTRATION = 2;
|
||||||
|
|
||||||
|
/** Error for the signature on the authentication message not verifying with
|
||||||
|
* the correct key */
|
||||||
|
const ERR_AUTHENTICATION_FAILURE = 3;
|
||||||
|
|
||||||
|
/** Error for the challenge in the registration message not matching the
|
||||||
|
* registration challenge */
|
||||||
|
const ERR_UNMATCHED_CHALLENGE = 4;
|
||||||
|
|
||||||
|
/** Error for the attestation signature on the registration message not
|
||||||
|
* verifying */
|
||||||
|
const ERR_ATTESTATION_SIGNATURE = 5;
|
||||||
|
|
||||||
|
/** Error for the attestation verification not verifying */
|
||||||
|
const ERR_ATTESTATION_VERIFICATION = 6;
|
||||||
|
|
||||||
|
/** Error for not getting good random from the system */
|
||||||
|
const ERR_BAD_RANDOM = 7;
|
||||||
|
|
||||||
|
/** Error when the counter is lower than expected */
|
||||||
|
const ERR_COUNTER_TOO_LOW = 8;
|
||||||
|
|
||||||
|
/** Error decoding public key */
|
||||||
|
const ERR_PUBKEY_DECODE = 9;
|
||||||
|
|
||||||
|
/** Error user-agent returned error */
|
||||||
|
const ERR_BAD_UA_RETURNING = 10;
|
||||||
|
|
||||||
|
/** Error old OpenSSL version */
|
||||||
|
const ERR_OLD_OPENSSL = 11;
|
||||||
|
|
||||||
|
/** @internal */
|
||||||
|
const PUBKEY_LEN = 65;
|
||||||
|
|
||||||
|
class U2F
|
||||||
|
{
|
||||||
|
/** @var string */
|
||||||
|
private $appId;
|
||||||
|
|
||||||
|
/** @var null|string */
|
||||||
|
private $attestDir;
|
||||||
|
|
||||||
|
/** @internal */
|
||||||
|
private $FIXCERTS = array(
|
||||||
|
'349bca1031f8c82c4ceca38b9cebf1a69df9fb3b94eed99eb3fb9aa3822d26e8',
|
||||||
|
'dd574527df608e47ae45fbba75a2afdd5c20fd94a02419381813cd55a2a3398f',
|
||||||
|
'1d8764f0f7cd1352df6150045c8f638e517270e8b5dda1c63ade9c2280240cae',
|
||||||
|
'd0edc9a91a1677435a953390865d208c55b3183c6759c9b5a7ff494c322558eb',
|
||||||
|
'6073c436dcd064a48127ddbf6032ac1a66fd59a0c24434f070d4e564c124c897',
|
||||||
|
'ca993121846c464d666096d35f13bf44c1b05af205f9b4a1e00cf6cc10c5e511'
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $appId Application id for the running application
|
||||||
|
* @param string|null $attestDir Directory where trusted attestation roots may be found
|
||||||
|
* @throws Error If OpenSSL older than 1.0.0 is used
|
||||||
|
*/
|
||||||
|
public function __construct($appId, $attestDir = null)
|
||||||
|
{
|
||||||
|
if(OPENSSL_VERSION_NUMBER < 0x10000000) {
|
||||||
|
throw new Error('OpenSSL has to be at least version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL);
|
||||||
|
}
|
||||||
|
$this->appId = $appId;
|
||||||
|
$this->attestDir = $attestDir;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called to get a registration request to send to a user.
|
||||||
|
* Returns an array of one registration request and a array of sign requests.
|
||||||
|
*
|
||||||
|
* @param array $registrations List of current registrations for this
|
||||||
|
* user, to prevent the user from registering the same authenticator several
|
||||||
|
* times.
|
||||||
|
* @return array An array of two elements, the first containing a
|
||||||
|
* RegisterRequest the second being an array of SignRequest
|
||||||
|
* @throws Error
|
||||||
|
*/
|
||||||
|
public function getRegisterData(array $registrations = array())
|
||||||
|
{
|
||||||
|
$challenge = $this->createChallenge();
|
||||||
|
$request = new RegisterRequest($challenge, $this->appId);
|
||||||
|
$signs = $this->getAuthenticateData($registrations);
|
||||||
|
return array($request, $signs);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called to verify and unpack a registration message.
|
||||||
|
*
|
||||||
|
* @param RegisterRequest $request this is a reply to
|
||||||
|
* @param object $response response from a user
|
||||||
|
* @param bool $includeCert set to true if the attestation certificate should be
|
||||||
|
* included in the returned Registration object
|
||||||
|
* @return Registration
|
||||||
|
* @throws Error
|
||||||
|
*/
|
||||||
|
public function doRegister($request, $response, $includeCert = true)
|
||||||
|
{
|
||||||
|
if( !is_object( $request ) ) {
|
||||||
|
throw new \InvalidArgumentException('$request of doRegister() method only accepts object.');
|
||||||
|
}
|
||||||
|
|
||||||
|
if( !is_object( $response ) ) {
|
||||||
|
throw new \InvalidArgumentException('$response of doRegister() method only accepts object.');
|
||||||
|
}
|
||||||
|
|
||||||
|
if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) {
|
||||||
|
throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( !is_bool( $includeCert ) ) {
|
||||||
|
throw new \InvalidArgumentException('$include_cert of doRegister() method only accepts boolean.');
|
||||||
|
}
|
||||||
|
|
||||||
|
$rawReg = $this->base64u_decode($response->registrationData);
|
||||||
|
$regData = array_values(unpack('C*', $rawReg));
|
||||||
|
$clientData = $this->base64u_decode($response->clientData);
|
||||||
|
$cli = json_decode($clientData);
|
||||||
|
|
||||||
|
if($cli->challenge !== $request->challenge) {
|
||||||
|
throw new Error('Registration challenge does not match', ERR_UNMATCHED_CHALLENGE );
|
||||||
|
}
|
||||||
|
|
||||||
|
$registration = new Registration();
|
||||||
|
$offs = 1;
|
||||||
|
$pubKey = substr($rawReg, $offs, PUBKEY_LEN);
|
||||||
|
$offs += PUBKEY_LEN;
|
||||||
|
// Decode the pubKey to make sure it's good.
|
||||||
|
$tmpKey = $this->pubkey_to_pem($pubKey);
|
||||||
|
if($tmpKey === null) {
|
||||||
|
throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
|
||||||
|
}
|
||||||
|
$registration->publicKey = base64_encode($pubKey);
|
||||||
|
$khLen = $regData[$offs++];
|
||||||
|
$kh = substr($rawReg, $offs, $khLen);
|
||||||
|
$offs += $khLen;
|
||||||
|
$registration->keyHandle = $this->base64u_encode($kh);
|
||||||
|
|
||||||
|
// length of certificate is stored in byte 3 and 4 (excluding the first 4 bytes).
|
||||||
|
$certLen = 4;
|
||||||
|
$certLen += ($regData[$offs + 2] << 8);
|
||||||
|
$certLen += $regData[$offs + 3];
|
||||||
|
|
||||||
|
$rawCert = $this->fixSignatureUnusedBits(substr($rawReg, $offs, $certLen));
|
||||||
|
$offs += $certLen;
|
||||||
|
$pemCert = "-----BEGIN CERTIFICATE-----\r\n";
|
||||||
|
$pemCert .= chunk_split(base64_encode($rawCert), 64);
|
||||||
|
$pemCert .= "-----END CERTIFICATE-----";
|
||||||
|
if($includeCert) {
|
||||||
|
$registration->certificate = base64_encode($rawCert);
|
||||||
|
}
|
||||||
|
if($this->attestDir) {
|
||||||
|
if(openssl_x509_checkpurpose($pemCert, -1, $this->get_certs()) !== true) {
|
||||||
|
throw new Error('Attestation certificate can not be validated', ERR_ATTESTATION_VERIFICATION );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!openssl_pkey_get_public($pemCert)) {
|
||||||
|
throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
|
||||||
|
}
|
||||||
|
$signature = substr($rawReg, $offs);
|
||||||
|
|
||||||
|
$dataToVerify = chr(0);
|
||||||
|
$dataToVerify .= hash('sha256', $request->appId, true);
|
||||||
|
$dataToVerify .= hash('sha256', $clientData, true);
|
||||||
|
$dataToVerify .= $kh;
|
||||||
|
$dataToVerify .= $pubKey;
|
||||||
|
|
||||||
|
if(openssl_verify($dataToVerify, $signature, $pemCert, 'sha256') === 1) {
|
||||||
|
return $registration;
|
||||||
|
} else {
|
||||||
|
throw new Error('Attestation signature does not match', ERR_ATTESTATION_SIGNATURE );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called to get an authentication request.
|
||||||
|
*
|
||||||
|
* @param array $registrations An array of the registrations to create authentication requests for.
|
||||||
|
* @return array An array of SignRequest
|
||||||
|
* @throws Error
|
||||||
|
*/
|
||||||
|
public function getAuthenticateData(array $registrations)
|
||||||
|
{
|
||||||
|
$sigs = array();
|
||||||
|
$challenge = $this->createChallenge();
|
||||||
|
foreach ($registrations as $reg) {
|
||||||
|
if( !is_object( $reg ) ) {
|
||||||
|
throw new \InvalidArgumentException('$registrations of getAuthenticateData() method only accepts array of object.');
|
||||||
|
}
|
||||||
|
|
||||||
|
$sig = new SignRequest();
|
||||||
|
$sig->appId = $this->appId;
|
||||||
|
$sig->keyHandle = $reg->keyHandle;
|
||||||
|
$sig->challenge = $challenge;
|
||||||
|
$sigs[] = $sig;
|
||||||
|
}
|
||||||
|
return $sigs;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Called to verify an authentication response
|
||||||
|
*
|
||||||
|
* @param array $requests An array of outstanding authentication requests
|
||||||
|
* @param array $registrations An array of current registrations
|
||||||
|
* @param object $response A response from the authenticator
|
||||||
|
* @return Registration
|
||||||
|
* @throws Error
|
||||||
|
*
|
||||||
|
* The Registration object returned on success contains an updated counter
|
||||||
|
* that should be saved for future authentications.
|
||||||
|
* If the Error returned is ERR_COUNTER_TOO_LOW this is an indication of
|
||||||
|
* token cloning or similar and appropriate action should be taken.
|
||||||
|
*/
|
||||||
|
public function doAuthenticate(array $requests, array $registrations, $response)
|
||||||
|
{
|
||||||
|
if( !is_object( $response ) ) {
|
||||||
|
throw new \InvalidArgumentException('$response of doAuthenticate() method only accepts object.');
|
||||||
|
}
|
||||||
|
|
||||||
|
if( property_exists( $response, 'errorCode') && $response->errorCode !== 0 ) {
|
||||||
|
throw new Error('User-agent returned error. Error code: ' . $response->errorCode, ERR_BAD_UA_RETURNING );
|
||||||
|
}
|
||||||
|
|
||||||
|
/** @var object|null $req */
|
||||||
|
$req = null;
|
||||||
|
|
||||||
|
/** @var object|null $reg */
|
||||||
|
$reg = null;
|
||||||
|
|
||||||
|
$clientData = $this->base64u_decode($response->clientData);
|
||||||
|
$decodedClient = json_decode($clientData);
|
||||||
|
foreach ($requests as $req) {
|
||||||
|
if( !is_object( $req ) ) {
|
||||||
|
throw new \InvalidArgumentException('$requests of doAuthenticate() method only accepts array of object.');
|
||||||
|
}
|
||||||
|
|
||||||
|
if($req->keyHandle === $response->keyHandle && $req->challenge === $decodedClient->challenge) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
$req = null;
|
||||||
|
}
|
||||||
|
if($req === null) {
|
||||||
|
throw new Error('No matching request found', ERR_NO_MATCHING_REQUEST );
|
||||||
|
}
|
||||||
|
foreach ($registrations as $reg) {
|
||||||
|
if( !is_object( $reg ) ) {
|
||||||
|
throw new \InvalidArgumentException('$registrations of doAuthenticate() method only accepts array of object.');
|
||||||
|
}
|
||||||
|
|
||||||
|
if($reg->keyHandle === $response->keyHandle) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
$reg = null;
|
||||||
|
}
|
||||||
|
if($reg === null) {
|
||||||
|
throw new Error('No matching registration found', ERR_NO_MATCHING_REGISTRATION );
|
||||||
|
}
|
||||||
|
$pemKey = $this->pubkey_to_pem($this->base64u_decode($reg->publicKey));
|
||||||
|
if($pemKey === null) {
|
||||||
|
throw new Error('Decoding of public key failed', ERR_PUBKEY_DECODE );
|
||||||
|
}
|
||||||
|
|
||||||
|
$signData = $this->base64u_decode($response->signatureData);
|
||||||
|
$dataToVerify = hash('sha256', $req->appId, true);
|
||||||
|
$dataToVerify .= substr($signData, 0, 5);
|
||||||
|
$dataToVerify .= hash('sha256', $clientData, true);
|
||||||
|
$signature = substr($signData, 5);
|
||||||
|
|
||||||
|
if(openssl_verify($dataToVerify, $signature, $pemKey, 'sha256') === 1) {
|
||||||
|
$ctr = unpack("Nctr", substr($signData, 1, 4));
|
||||||
|
$counter = $ctr['ctr'];
|
||||||
|
/* TODO: wrap-around should be handled somehow.. */
|
||||||
|
if($counter > $reg->counter) {
|
||||||
|
$reg->counter = $counter;
|
||||||
|
return $reg;
|
||||||
|
} else {
|
||||||
|
throw new Error('Counter too low.', ERR_COUNTER_TOO_LOW );
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
throw new Error('Authentication failed', ERR_AUTHENTICATION_FAILURE );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
private function get_certs()
|
||||||
|
{
|
||||||
|
$files = array();
|
||||||
|
$dir = $this->attestDir;
|
||||||
|
if($dir && $handle = opendir($dir)) {
|
||||||
|
while(false !== ($entry = readdir($handle))) {
|
||||||
|
if(is_file("$dir/$entry")) {
|
||||||
|
$files[] = "$dir/$entry";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
closedir($handle);
|
||||||
|
}
|
||||||
|
return $files;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $data
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
private function base64u_encode($data)
|
||||||
|
{
|
||||||
|
return trim(strtr(base64_encode($data), '+/', '-_'), '=');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $data
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
private function base64u_decode($data)
|
||||||
|
{
|
||||||
|
return base64_decode(strtr($data, '-_', '+/'));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $key
|
||||||
|
* @return null|string
|
||||||
|
*/
|
||||||
|
private function pubkey_to_pem($key)
|
||||||
|
{
|
||||||
|
if(strlen($key) !== PUBKEY_LEN || $key[0] !== "\x04") {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert the public key to binary DER format first
|
||||||
|
* Using the ECC SubjectPublicKeyInfo OIDs from RFC 5480
|
||||||
|
*
|
||||||
|
* SEQUENCE(2 elem) 30 59
|
||||||
|
* SEQUENCE(2 elem) 30 13
|
||||||
|
* OID1.2.840.10045.2.1 (id-ecPublicKey) 06 07 2a 86 48 ce 3d 02 01
|
||||||
|
* OID1.2.840.10045.3.1.7 (secp256r1) 06 08 2a 86 48 ce 3d 03 01 07
|
||||||
|
* BIT STRING(520 bit) 03 42 ..key..
|
||||||
|
*/
|
||||||
|
$der = "\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01";
|
||||||
|
$der .= "\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42";
|
||||||
|
$der .= "\0".$key;
|
||||||
|
|
||||||
|
$pem = "-----BEGIN PUBLIC KEY-----\r\n";
|
||||||
|
$pem .= chunk_split(base64_encode($der), 64);
|
||||||
|
$pem .= "-----END PUBLIC KEY-----";
|
||||||
|
|
||||||
|
return $pem;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
* @throws Error
|
||||||
|
*/
|
||||||
|
private function createChallenge()
|
||||||
|
{
|
||||||
|
$challenge = openssl_random_pseudo_bytes(32, $crypto_strong );
|
||||||
|
if( $crypto_strong !== true ) {
|
||||||
|
throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM);
|
||||||
|
}
|
||||||
|
|
||||||
|
$challenge = $this->base64u_encode( $challenge );
|
||||||
|
|
||||||
|
return $challenge;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fixes a certificate where the signature contains unused bits.
|
||||||
|
*
|
||||||
|
* @param string $cert
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
private function fixSignatureUnusedBits($cert)
|
||||||
|
{
|
||||||
|
if(in_array(hash('sha256', $cert), $this->FIXCERTS)) {
|
||||||
|
$cert[strlen($cert) - 257] = "\0";
|
||||||
|
}
|
||||||
|
return $cert;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for building a registration request
|
||||||
|
*
|
||||||
|
* @package u2flib_server
|
||||||
|
*/
|
||||||
|
class RegisterRequest
|
||||||
|
{
|
||||||
|
/** Protocol version */
|
||||||
|
public $version = U2F_VERSION;
|
||||||
|
|
||||||
|
/** Registration challenge */
|
||||||
|
public $challenge;
|
||||||
|
|
||||||
|
/** Application id */
|
||||||
|
public $appId;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $challenge
|
||||||
|
* @param string $appId
|
||||||
|
* @internal
|
||||||
|
*/
|
||||||
|
public function __construct($challenge, $appId)
|
||||||
|
{
|
||||||
|
$this->challenge = $challenge;
|
||||||
|
$this->appId = $appId;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for building up an authentication request
|
||||||
|
*
|
||||||
|
* @package u2flib_server
|
||||||
|
*/
|
||||||
|
class SignRequest
|
||||||
|
{
|
||||||
|
/** Protocol version */
|
||||||
|
public $version = U2F_VERSION;
|
||||||
|
|
||||||
|
/** Authentication challenge */
|
||||||
|
public $challenge;
|
||||||
|
|
||||||
|
/** Key handle of a registered authenticator */
|
||||||
|
public $keyHandle;
|
||||||
|
|
||||||
|
/** Application id */
|
||||||
|
public $appId;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class returned for successful registrations
|
||||||
|
*
|
||||||
|
* @package u2flib_server
|
||||||
|
*/
|
||||||
|
class Registration
|
||||||
|
{
|
||||||
|
/** The key handle of the registered authenticator */
|
||||||
|
public $keyHandle;
|
||||||
|
|
||||||
|
/** The public key of the registered authenticator */
|
||||||
|
public $publicKey;
|
||||||
|
|
||||||
|
/** The attestation certificate of the registered authenticator */
|
||||||
|
public $certificate;
|
||||||
|
|
||||||
|
/** The counter associated with this registration */
|
||||||
|
public $counter = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Error class, returned on errors
|
||||||
|
*
|
||||||
|
* @package u2flib_server
|
||||||
|
*/
|
||||||
|
class Error extends \Exception
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Override constructor and make message and code mandatory
|
||||||
|
* @param string $message
|
||||||
|
* @param int $code
|
||||||
|
* @param \Exception|null $previous
|
||||||
|
*/
|
||||||
|
public function __construct($message, $code, \Exception $previous = null) {
|
||||||
|
parent::__construct($message, $code, $previous);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,87 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Extracted from wp-login.php since that file also loads WP core which we already have.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Outputs the footer for the login page.
|
||||||
|
*
|
||||||
|
* @since 3.1.0
|
||||||
|
*
|
||||||
|
* @global bool|string $interim_login Whether interim login modal is being displayed. String 'success'
|
||||||
|
* upon successful login.
|
||||||
|
*
|
||||||
|
* @param string $input_id Which input to auto-focus.
|
||||||
|
*/
|
||||||
|
function login_footer( $input_id = '' ) {
|
||||||
|
global $interim_login;
|
||||||
|
|
||||||
|
// Don't allow interim logins to navigate away from the page.
|
||||||
|
if ( ! $interim_login ) {
|
||||||
|
?>
|
||||||
|
<p id="backtoblog">
|
||||||
|
<?php
|
||||||
|
$html_link = sprintf(
|
||||||
|
'<a href="%s">%s</a>',
|
||||||
|
esc_url( home_url( '/' ) ),
|
||||||
|
sprintf(
|
||||||
|
/* translators: %s: Site title. */
|
||||||
|
_x( '← Go to %s', 'site' ),
|
||||||
|
get_bloginfo( 'title', 'display' )
|
||||||
|
)
|
||||||
|
);
|
||||||
|
/**
|
||||||
|
* Filter the "Go to site" link displayed in the login page footer.
|
||||||
|
*
|
||||||
|
* @since 5.7.0
|
||||||
|
*
|
||||||
|
* @param string $link HTML link to the home URL of the current site.
|
||||||
|
*/
|
||||||
|
echo apply_filters( 'login_site_html_link', $html_link );
|
||||||
|
?>
|
||||||
|
</p>
|
||||||
|
<?php
|
||||||
|
|
||||||
|
the_privacy_policy_link( '<div class="privacy-policy-page-link">', '</div>' );
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
||||||
|
</div><?php // End of <div id="login">. ?>
|
||||||
|
|
||||||
|
<?php
|
||||||
|
|
||||||
|
if ( ! empty( $input_id ) ) {
|
||||||
|
?>
|
||||||
|
<script type="text/javascript">
|
||||||
|
try{document.getElementById('<?php echo $input_id; ?>').focus();}catch(e){}
|
||||||
|
if(typeof wpOnload==='function')wpOnload();
|
||||||
|
</script>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fires in the login page footer.
|
||||||
|
*
|
||||||
|
* @since 3.1.0
|
||||||
|
*/
|
||||||
|
do_action( 'login_footer' );
|
||||||
|
|
||||||
|
?>
|
||||||
|
<div class="clear"></div>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Outputs the JavaScript to handle the form shaking on the login page.
|
||||||
|
*
|
||||||
|
* @since 3.0.0
|
||||||
|
*/
|
||||||
|
function wp_shake_js() {
|
||||||
|
?>
|
||||||
|
<script type="text/javascript">
|
||||||
|
document.querySelector('form').classList.add('shake');
|
||||||
|
</script>
|
||||||
|
<?php
|
||||||
|
}
|
259
wp-content/plugins/two-factor/includes/function.login-header.php
Normal file
@ -0,0 +1,259 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Extracted from wp-login.php since that file also loads WP core which we already have.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Output the login page header.
|
||||||
|
*
|
||||||
|
* @since 2.1.0
|
||||||
|
*
|
||||||
|
* @global string $error Login error message set by deprecated pluggable wp_login() function
|
||||||
|
* or plugins replacing it.
|
||||||
|
* @global bool|string $interim_login Whether interim login modal is being displayed. String 'success'
|
||||||
|
* upon successful login.
|
||||||
|
* @global string $action The action that brought the visitor to the login page.
|
||||||
|
*
|
||||||
|
* @param string $title Optional. WordPress login Page title to display in the `<title>` element.
|
||||||
|
* Default 'Log In'.
|
||||||
|
* @param string $message Optional. Message to display in header. Default empty.
|
||||||
|
* @param WP_Error $wp_error Optional. The error to pass. Default is a WP_Error instance.
|
||||||
|
*/
|
||||||
|
function login_header( $title = 'Log In', $message = '', $wp_error = null ) {
|
||||||
|
global $error, $interim_login, $action;
|
||||||
|
|
||||||
|
// Don't index any of these forms.
|
||||||
|
add_filter( 'wp_robots', 'wp_robots_sensitive_page' );
|
||||||
|
add_action( 'login_head', 'wp_strict_cross_origin_referrer' );
|
||||||
|
|
||||||
|
add_action( 'login_head', 'wp_login_viewport_meta' );
|
||||||
|
|
||||||
|
if ( ! is_wp_error( $wp_error ) ) {
|
||||||
|
$wp_error = new WP_Error();
|
||||||
|
}
|
||||||
|
|
||||||
|
// Shake it!
|
||||||
|
$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password', 'retrieve_password_email_failure' );
|
||||||
|
/**
|
||||||
|
* Filters the error codes array for shaking the login form.
|
||||||
|
*
|
||||||
|
* @since 3.0.0
|
||||||
|
*
|
||||||
|
* @param array $shake_error_codes Error codes that shake the login form.
|
||||||
|
*/
|
||||||
|
$shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
|
||||||
|
|
||||||
|
if ( $shake_error_codes && $wp_error->has_errors() && in_array( $wp_error->get_error_code(), $shake_error_codes, true ) ) {
|
||||||
|
add_action( 'login_footer', 'wp_shake_js', 12 );
|
||||||
|
}
|
||||||
|
|
||||||
|
$login_title = get_bloginfo( 'name', 'display' );
|
||||||
|
|
||||||
|
/* translators: Login screen title. 1: Login screen name, 2: Network or site name. */
|
||||||
|
$login_title = sprintf( __( '%1$s ‹ %2$s — WordPress' ), $title, $login_title );
|
||||||
|
|
||||||
|
if ( wp_is_recovery_mode() ) {
|
||||||
|
/* translators: %s: Login screen title. */
|
||||||
|
$login_title = sprintf( __( 'Recovery Mode — %s' ), $login_title );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters the title tag content for login page.
|
||||||
|
*
|
||||||
|
* @since 4.9.0
|
||||||
|
*
|
||||||
|
* @param string $login_title The page title, with extra context added.
|
||||||
|
* @param string $title The original page title.
|
||||||
|
*/
|
||||||
|
$login_title = apply_filters( 'login_title', $login_title, $title );
|
||||||
|
|
||||||
|
?><!DOCTYPE html>
|
||||||
|
<html <?php language_attributes(); ?>>
|
||||||
|
<head>
|
||||||
|
<meta http-equiv="Content-Type" content="<?php bloginfo( 'html_type' ); ?>; charset=<?php bloginfo( 'charset' ); ?>" />
|
||||||
|
<title><?php echo $login_title; ?></title>
|
||||||
|
<?php
|
||||||
|
|
||||||
|
wp_enqueue_style( 'login' );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Remove all stored post data on logging out.
|
||||||
|
* This could be added by add_action('login_head'...) like wp_shake_js(),
|
||||||
|
* but maybe better if it's not removable by plugins.
|
||||||
|
*/
|
||||||
|
if ( 'loggedout' === $wp_error->get_error_code() ) {
|
||||||
|
?>
|
||||||
|
<script>if("sessionStorage" in window){try{for(var key in sessionStorage){if(key.indexOf("wp-autosave-")!=-1){sessionStorage.removeItem(key)}}}catch(e){}};</script>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enqueue scripts and styles for the login page.
|
||||||
|
*
|
||||||
|
* @since 3.1.0
|
||||||
|
*/
|
||||||
|
do_action( 'login_enqueue_scripts' );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fires in the login page header after scripts are enqueued.
|
||||||
|
*
|
||||||
|
* @since 2.1.0
|
||||||
|
*/
|
||||||
|
do_action( 'login_head' );
|
||||||
|
|
||||||
|
$login_header_url = __( 'https://wordpress.org/' );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters link URL of the header logo above login form.
|
||||||
|
*
|
||||||
|
* @since 2.1.0
|
||||||
|
*
|
||||||
|
* @param string $login_header_url Login header logo URL.
|
||||||
|
*/
|
||||||
|
$login_header_url = apply_filters( 'login_headerurl', $login_header_url );
|
||||||
|
|
||||||
|
$login_header_title = '';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters the title attribute of the header logo above login form.
|
||||||
|
*
|
||||||
|
* @since 2.1.0
|
||||||
|
* @deprecated 5.2.0 Use {@see 'login_headertext'} instead.
|
||||||
|
*
|
||||||
|
* @param string $login_header_title Login header logo title attribute.
|
||||||
|
*/
|
||||||
|
$login_header_title = apply_filters_deprecated(
|
||||||
|
'login_headertitle',
|
||||||
|
array( $login_header_title ),
|
||||||
|
'5.2.0',
|
||||||
|
'login_headertext',
|
||||||
|
__( 'Usage of the title attribute on the login logo is not recommended for accessibility reasons. Use the link text instead.' )
|
||||||
|
);
|
||||||
|
|
||||||
|
$login_header_text = empty( $login_header_title ) ? __( 'Powered by WordPress' ) : $login_header_title;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters the link text of the header logo above the login form.
|
||||||
|
*
|
||||||
|
* @since 5.2.0
|
||||||
|
*
|
||||||
|
* @param string $login_header_text The login header logo link text.
|
||||||
|
*/
|
||||||
|
$login_header_text = apply_filters( 'login_headertext', $login_header_text );
|
||||||
|
|
||||||
|
$classes = array( 'login-action-' . $action, 'wp-core-ui' );
|
||||||
|
|
||||||
|
if ( is_rtl() ) {
|
||||||
|
$classes[] = 'rtl';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $interim_login ) {
|
||||||
|
$classes[] = 'interim-login';
|
||||||
|
|
||||||
|
?>
|
||||||
|
<style type="text/css">html{background-color: transparent;}</style>
|
||||||
|
<?php
|
||||||
|
|
||||||
|
if ( 'success' === $interim_login ) {
|
||||||
|
$classes[] = 'interim-login-success';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$classes[] = ' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters the login page body classes.
|
||||||
|
*
|
||||||
|
* @since 3.5.0
|
||||||
|
*
|
||||||
|
* @param array $classes An array of body classes.
|
||||||
|
* @param string $action The action that brought the visitor to the login page.
|
||||||
|
*/
|
||||||
|
$classes = apply_filters( 'login_body_class', $classes, $action );
|
||||||
|
|
||||||
|
?>
|
||||||
|
</head>
|
||||||
|
<body class="login no-js <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
|
||||||
|
<script type="text/javascript">
|
||||||
|
document.body.className = document.body.className.replace('no-js','js');
|
||||||
|
</script>
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Fires in the login page header after the body tag is opened.
|
||||||
|
*
|
||||||
|
* @since 4.6.0
|
||||||
|
*/
|
||||||
|
do_action( 'login_header' );
|
||||||
|
|
||||||
|
?>
|
||||||
|
<div id="login">
|
||||||
|
<h1><a href="<?php echo esc_url( $login_header_url ); ?>"><?php echo $login_header_text; ?></a></h1>
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Filters the message to display above the login form.
|
||||||
|
*
|
||||||
|
* @since 2.1.0
|
||||||
|
*
|
||||||
|
* @param string $message Login message text.
|
||||||
|
*/
|
||||||
|
$message = apply_filters( 'login_message', $message );
|
||||||
|
|
||||||
|
if ( ! empty( $message ) ) {
|
||||||
|
echo $message . "\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
// In case a plugin uses $error rather than the $wp_errors object.
|
||||||
|
if ( ! empty( $error ) ) {
|
||||||
|
$wp_error->add( 'error', $error );
|
||||||
|
unset( $error );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $wp_error->has_errors() ) {
|
||||||
|
$errors = '';
|
||||||
|
$messages = '';
|
||||||
|
|
||||||
|
foreach ( $wp_error->get_error_codes() as $code ) {
|
||||||
|
$severity = $wp_error->get_error_data( $code );
|
||||||
|
foreach ( $wp_error->get_error_messages( $code ) as $error_message ) {
|
||||||
|
if ( 'message' === $severity ) {
|
||||||
|
$messages .= ' ' . $error_message . "<br />\n";
|
||||||
|
} else {
|
||||||
|
$errors .= ' ' . $error_message . "<br />\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! empty( $errors ) ) {
|
||||||
|
/**
|
||||||
|
* Filters the error messages displayed above the login form.
|
||||||
|
*
|
||||||
|
* @since 2.1.0
|
||||||
|
*
|
||||||
|
* @param string $errors Login error message.
|
||||||
|
*/
|
||||||
|
echo '<div id="login_error">' . apply_filters( 'login_errors', $errors ) . "</div>\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! empty( $messages ) ) {
|
||||||
|
/**
|
||||||
|
* Filters instructional messages displayed above the login form.
|
||||||
|
*
|
||||||
|
* @since 2.5.0
|
||||||
|
*
|
||||||
|
* @param string $messages Login messages.
|
||||||
|
*/
|
||||||
|
echo '<p class="message">' . apply_filters( 'login_messages', $messages ) . "</p>\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} // End of login_header().
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Outputs the viewport meta tag for the login page.
|
||||||
|
*
|
||||||
|
* @since 3.7.0
|
||||||
|
*/
|
||||||
|
function wp_login_viewport_meta() {
|
||||||
|
?>
|
||||||
|
<meta name="viewport" content="width=device-width" />
|
||||||
|
<?php
|
||||||
|
}
|
@ -0,0 +1,355 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Class for creating a backup codes provider.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for creating a backup codes provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
class Two_Factor_Backup_Codes extends Two_Factor_Provider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The user meta backup codes key.
|
||||||
|
*
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
const BACKUP_CODES_META_KEY = '_two_factor_backup_codes';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The number backup codes.
|
||||||
|
*
|
||||||
|
* @type int
|
||||||
|
*/
|
||||||
|
const NUMBER_OF_CODES = 10;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensures only one instance of this class exists in memory at any one time.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public static function get_instance() {
|
||||||
|
static $instance;
|
||||||
|
$class = __CLASS__;
|
||||||
|
if ( ! is_a( $instance, $class ) ) {
|
||||||
|
$instance = new $class();
|
||||||
|
}
|
||||||
|
return $instance;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class constructor.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
protected function __construct() {
|
||||||
|
add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
|
||||||
|
add_action( 'admin_notices', array( $this, 'admin_notices' ) );
|
||||||
|
add_action( 'wp_ajax_two_factor_backup_codes_generate', array( $this, 'ajax_generate_json' ) );
|
||||||
|
|
||||||
|
return parent::__construct();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Displays an admin notice when backup codes have run out.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function admin_notices() {
|
||||||
|
$user = wp_get_current_user();
|
||||||
|
|
||||||
|
// Return if the provider is not enabled.
|
||||||
|
if ( ! in_array( __CLASS__, Two_Factor_Core::get_enabled_providers_for_user( $user->ID ), true ) ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Return if we are not out of codes.
|
||||||
|
if ( $this->is_available_for_user( $user ) ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
<div class="error">
|
||||||
|
<p>
|
||||||
|
<span>
|
||||||
|
<?php
|
||||||
|
echo wp_kses(
|
||||||
|
sprintf(
|
||||||
|
/* translators: %s: URL for code regeneration */
|
||||||
|
__( 'Two-Factor: You are out of backup codes and need to <a href="%s">regenerate!</a>', 'two-factor' ),
|
||||||
|
esc_url( get_edit_user_link( $user->ID ) . '#two-factor-backup-codes' )
|
||||||
|
),
|
||||||
|
array( 'a' => array( 'href' => true ) )
|
||||||
|
);
|
||||||
|
?>
|
||||||
|
<span>
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the name of the provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function get_label() {
|
||||||
|
return _x( 'Backup Verification Codes (Single Use)', 'Provider Label', 'two-factor' );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether this Two Factor provider is configured and codes are available for the user specified.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function is_available_for_user( $user ) {
|
||||||
|
// Does this user have available codes?
|
||||||
|
if ( 0 < self::codes_remaining_for_user( $user ) ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inserts markup at the end of the user profile field for this provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public function user_options( $user ) {
|
||||||
|
$ajax_nonce = wp_create_nonce( 'two-factor-backup-codes-generate-json-' . $user->ID );
|
||||||
|
$count = self::codes_remaining_for_user( $user );
|
||||||
|
?>
|
||||||
|
<p id="two-factor-backup-codes">
|
||||||
|
<button type="button" class="button button-two-factor-backup-codes-generate button-secondary hide-if-no-js">
|
||||||
|
<?php esc_html_e( 'Generate Verification Codes', 'two-factor' ); ?>
|
||||||
|
</button>
|
||||||
|
<span class="two-factor-backup-codes-count">
|
||||||
|
<?php
|
||||||
|
echo esc_html(
|
||||||
|
sprintf(
|
||||||
|
/* translators: %s: count */
|
||||||
|
_n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ),
|
||||||
|
$count
|
||||||
|
)
|
||||||
|
);
|
||||||
|
?>
|
||||||
|
</span>
|
||||||
|
</p>
|
||||||
|
<div class="two-factor-backup-codes-wrapper" style="display:none;">
|
||||||
|
<ol class="two-factor-backup-codes-unused-codes"></ol>
|
||||||
|
<p class="description"><?php esc_html_e( 'Write these down! Once you navigate away from this page, you will not be able to view these codes again.', 'two-factor' ); ?></p>
|
||||||
|
<p>
|
||||||
|
<a class="button button-two-factor-backup-codes-download button-secondary hide-if-no-js" href="javascript:void(0);" id="two-factor-backup-codes-download-link" download="two-factor-backup-codes.txt"><?php esc_html_e( 'Download Codes', 'two-factor' ); ?></a>
|
||||||
|
<p>
|
||||||
|
</div>
|
||||||
|
<script type="text/javascript">
|
||||||
|
( function( $ ) {
|
||||||
|
$( '.button-two-factor-backup-codes-generate' ).click( function() {
|
||||||
|
$.ajax( {
|
||||||
|
method: 'POST',
|
||||||
|
url: ajaxurl,
|
||||||
|
data: {
|
||||||
|
action: 'two_factor_backup_codes_generate',
|
||||||
|
user_id: '<?php echo esc_js( $user->ID ); ?>',
|
||||||
|
nonce: '<?php echo esc_js( $ajax_nonce ); ?>'
|
||||||
|
},
|
||||||
|
dataType: 'JSON',
|
||||||
|
success: function( response ) {
|
||||||
|
var $codesList = $( '.two-factor-backup-codes-unused-codes' );
|
||||||
|
|
||||||
|
$( '.two-factor-backup-codes-wrapper' ).show();
|
||||||
|
$codesList.html( '' );
|
||||||
|
|
||||||
|
// Append the codes.
|
||||||
|
for ( i = 0; i < response.data.codes.length; i++ ) {
|
||||||
|
$codesList.append( '<li>' + response.data.codes[ i ] + '</li>' );
|
||||||
|
}
|
||||||
|
|
||||||
|
// Update counter.
|
||||||
|
$( '.two-factor-backup-codes-count' ).html( response.data.i18n.count );
|
||||||
|
|
||||||
|
// Build the download link.
|
||||||
|
var txt_data = 'data:application/text;charset=utf-8,' + '\n';
|
||||||
|
txt_data += response.data.i18n.title.replace( /%s/g, document.domain ) + '\n\n';
|
||||||
|
|
||||||
|
for ( i = 0; i < response.data.codes.length; i++ ) {
|
||||||
|
txt_data += i + 1 + '. ' + response.data.codes[ i ] + '\n';
|
||||||
|
}
|
||||||
|
|
||||||
|
$( '#two-factor-backup-codes-download-link' ).attr( 'href', encodeURI( txt_data ) );
|
||||||
|
}
|
||||||
|
} );
|
||||||
|
} );
|
||||||
|
} )( jQuery );
|
||||||
|
</script>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generates backup codes & updates the user meta.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @param array $args Optional arguments for assigning new codes.
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
public function generate_codes( $user, $args = '' ) {
|
||||||
|
$codes = array();
|
||||||
|
$codes_hashed = array();
|
||||||
|
|
||||||
|
// Check for arguments.
|
||||||
|
if ( isset( $args['number'] ) ) {
|
||||||
|
$num_codes = (int) $args['number'];
|
||||||
|
} else {
|
||||||
|
$num_codes = self::NUMBER_OF_CODES;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Append or replace (default).
|
||||||
|
if ( isset( $args['method'] ) && 'append' === $args['method'] ) {
|
||||||
|
$codes_hashed = (array) get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
|
||||||
|
}
|
||||||
|
|
||||||
|
for ( $i = 0; $i < $num_codes; $i++ ) {
|
||||||
|
$code = $this->get_code();
|
||||||
|
$codes_hashed[] = wp_hash_password( $code );
|
||||||
|
$codes[] = $code;
|
||||||
|
unset( $code );
|
||||||
|
}
|
||||||
|
|
||||||
|
update_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, $codes_hashed );
|
||||||
|
|
||||||
|
// Unhashed.
|
||||||
|
return $codes;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generates a JSON object of backup codes.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function ajax_generate_json() {
|
||||||
|
$user = get_user_by( 'id', filter_input( INPUT_POST, 'user_id', FILTER_SANITIZE_NUMBER_INT ) );
|
||||||
|
check_ajax_referer( 'two-factor-backup-codes-generate-json-' . $user->ID, 'nonce' );
|
||||||
|
|
||||||
|
// Setup the return data.
|
||||||
|
$codes = $this->generate_codes( $user );
|
||||||
|
$count = self::codes_remaining_for_user( $user );
|
||||||
|
$i18n = array(
|
||||||
|
/* translators: %s: count */
|
||||||
|
'count' => esc_html( sprintf( _n( '%s unused code remaining.', '%s unused codes remaining.', $count, 'two-factor' ), $count ) ),
|
||||||
|
/* translators: %s: the site's domain */
|
||||||
|
'title' => esc_html__( 'Two-Factor Backup Codes for %s', 'two-factor' ),
|
||||||
|
);
|
||||||
|
|
||||||
|
// Send the response.
|
||||||
|
wp_send_json_success(
|
||||||
|
array(
|
||||||
|
'codes' => $codes,
|
||||||
|
'i18n' => $i18n,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the number of unused codes for the specified user
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return int $int The number of unused codes remaining
|
||||||
|
*/
|
||||||
|
public static function codes_remaining_for_user( $user ) {
|
||||||
|
$backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
|
||||||
|
if ( is_array( $backup_codes ) && ! empty( $backup_codes ) ) {
|
||||||
|
return count( $backup_codes );
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prints the form that prompts the user to authenticate.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public function authentication_page( $user ) {
|
||||||
|
require_once ABSPATH . '/wp-admin/includes/template.php';
|
||||||
|
?>
|
||||||
|
<p><?php esc_html_e( 'Enter a backup verification code.', 'two-factor' ); ?></p><br/>
|
||||||
|
<p>
|
||||||
|
<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
|
||||||
|
<input type="tel" name="two-factor-backup-code" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
|
||||||
|
</p>
|
||||||
|
<?php
|
||||||
|
submit_button( __( 'Submit', 'two-factor' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates the users input token.
|
||||||
|
*
|
||||||
|
* In this class we just return true.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function validate_authentication( $user ) {
|
||||||
|
$backup_code = isset( $_POST['two-factor-backup-code'] ) ? sanitize_text_field( wp_unslash( $_POST['two-factor-backup-code'] ) ) : '';
|
||||||
|
return $this->validate_code( $user, $backup_code );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates a backup code.
|
||||||
|
*
|
||||||
|
* Backup Codes are single use and are deleted upon a successful validation.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @param int $code The backup code.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function validate_code( $user, $code ) {
|
||||||
|
$backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
|
||||||
|
|
||||||
|
if ( is_array( $backup_codes ) && ! empty( $backup_codes ) ) {
|
||||||
|
foreach ( $backup_codes as $code_index => $code_hashed ) {
|
||||||
|
if ( wp_check_password( $code, $code_hashed, $user->ID ) ) {
|
||||||
|
$this->delete_code( $user, $code_hashed );
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Deletes a backup code.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @param string $code_hashed The hashed the backup code.
|
||||||
|
*/
|
||||||
|
public function delete_code( $user, $code_hashed ) {
|
||||||
|
$backup_codes = get_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, true );
|
||||||
|
|
||||||
|
// Delete the current code from the list since it's been used.
|
||||||
|
$backup_codes = array_flip( $backup_codes );
|
||||||
|
unset( $backup_codes[ $code_hashed ] );
|
||||||
|
$backup_codes = array_values( array_flip( $backup_codes ) );
|
||||||
|
|
||||||
|
// Update the backup code master list.
|
||||||
|
update_user_meta( $user->ID, self::BACKUP_CODES_META_KEY, $backup_codes );
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,99 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Class for creating a dummy provider.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for creating a dummy provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
class Two_Factor_Dummy extends Two_Factor_Provider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensures only one instance of this class exists in memory at any one time.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public static function get_instance() {
|
||||||
|
static $instance;
|
||||||
|
$class = __CLASS__;
|
||||||
|
if ( ! is_a( $instance, $class ) ) {
|
||||||
|
$instance = new $class();
|
||||||
|
}
|
||||||
|
return $instance;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class constructor.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
protected function __construct() {
|
||||||
|
add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
|
||||||
|
return parent::__construct();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the name of the provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function get_label() {
|
||||||
|
return _x( 'Dummy Method', 'Provider Label', 'two-factor' );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prints the form that prompts the user to authenticate.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public function authentication_page( $user ) {
|
||||||
|
require_once ABSPATH . '/wp-admin/includes/template.php';
|
||||||
|
?>
|
||||||
|
<p><?php esc_html_e( 'Are you really you?', 'two-factor' ); ?></p>
|
||||||
|
<?php
|
||||||
|
submit_button( __( 'Yup.', 'two-factor' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates the users input token.
|
||||||
|
*
|
||||||
|
* In this class we just return true.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function validate_authentication( $user ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether this Two Factor provider is configured and available for the user specified.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function is_available_for_user( $user ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inserts markup at the end of the user profile field for this provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public function user_options( $user ) {}
|
||||||
|
}
|
@ -0,0 +1,361 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Class for creating an email provider.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for creating an email provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
class Two_Factor_Email extends Two_Factor_Provider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The user meta token key.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
const TOKEN_META_KEY = '_two_factor_email_token';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Store the timestamp when the token was generated.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
const TOKEN_META_KEY_TIMESTAMP = '_two_factor_email_token_timestamp';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Name of the input field used for code resend.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
const INPUT_NAME_RESEND_CODE = 'two-factor-email-code-resend';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensures only one instance of this class exists in memory at any one time.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public static function get_instance() {
|
||||||
|
static $instance;
|
||||||
|
$class = __CLASS__;
|
||||||
|
if ( ! is_a( $instance, $class ) ) {
|
||||||
|
$instance = new $class();
|
||||||
|
}
|
||||||
|
return $instance;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class constructor.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
protected function __construct() {
|
||||||
|
add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
|
||||||
|
return parent::__construct();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the name of the provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function get_label() {
|
||||||
|
return _x( 'Email', 'Provider Label', 'two-factor' );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate the user token.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function generate_token( $user_id ) {
|
||||||
|
$token = $this->get_code();
|
||||||
|
|
||||||
|
update_user_meta( $user_id, self::TOKEN_META_KEY_TIMESTAMP, time() );
|
||||||
|
update_user_meta( $user_id, self::TOKEN_META_KEY, wp_hash( $token ) );
|
||||||
|
|
||||||
|
return $token;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if user has a valid token already.
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @return boolean If user has a valid email token.
|
||||||
|
*/
|
||||||
|
public function user_has_token( $user_id ) {
|
||||||
|
$hashed_token = $this->get_user_token( $user_id );
|
||||||
|
|
||||||
|
if ( ! empty( $hashed_token ) ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Has the user token validity timestamp expired.
|
||||||
|
*
|
||||||
|
* @param integer $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function user_token_has_expired( $user_id ) {
|
||||||
|
$token_lifetime = $this->user_token_lifetime( $user_id );
|
||||||
|
$token_ttl = $this->user_token_ttl( $user_id );
|
||||||
|
|
||||||
|
// Invalid token lifetime is considered an expired token.
|
||||||
|
if ( is_int( $token_lifetime ) && $token_lifetime <= $token_ttl ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the lifetime of a user token in seconds.
|
||||||
|
*
|
||||||
|
* @param integer $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return integer|null Return `null` if the lifetime can't be measured.
|
||||||
|
*/
|
||||||
|
public function user_token_lifetime( $user_id ) {
|
||||||
|
$timestamp = intval( get_user_meta( $user_id, self::TOKEN_META_KEY_TIMESTAMP, true ) );
|
||||||
|
|
||||||
|
if ( ! empty( $timestamp ) ) {
|
||||||
|
return time() - $timestamp;
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the token time-to-live for a user.
|
||||||
|
*
|
||||||
|
* @param integer $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return integer
|
||||||
|
*/
|
||||||
|
public function user_token_ttl( $user_id ) {
|
||||||
|
$token_ttl = 15 * MINUTE_IN_SECONDS;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Number of seconds the token is considered valid
|
||||||
|
* after the generation.
|
||||||
|
*
|
||||||
|
* @param integer $token_ttl Token time-to-live in seconds.
|
||||||
|
* @param integer $user_id User ID.
|
||||||
|
*/
|
||||||
|
return (int) apply_filters( 'two_factor_token_ttl', $token_ttl, $user_id );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the authentication token for the user.
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return string|boolean User token or `false` if no token found.
|
||||||
|
*/
|
||||||
|
public function get_user_token( $user_id ) {
|
||||||
|
$hashed_token = get_user_meta( $user_id, self::TOKEN_META_KEY, true );
|
||||||
|
|
||||||
|
if ( ! empty( $hashed_token ) && is_string( $hashed_token ) ) {
|
||||||
|
return $hashed_token;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validate the user token.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @param string $token User token.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function validate_token( $user_id, $token ) {
|
||||||
|
$hashed_token = $this->get_user_token( $user_id );
|
||||||
|
|
||||||
|
// Bail if token is empty or it doesn't match.
|
||||||
|
if ( empty( $hashed_token ) || ! hash_equals( wp_hash( $token ), $hashed_token ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $this->user_token_has_expired( $user_id ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Ensure the token can be used only once.
|
||||||
|
$this->delete_token( $user_id );
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Delete the user token.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
*/
|
||||||
|
public function delete_token( $user_id ) {
|
||||||
|
delete_user_meta( $user_id, self::TOKEN_META_KEY );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate and email the user token.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return bool Whether the email contents were sent successfully.
|
||||||
|
*/
|
||||||
|
public function generate_and_email_token( $user ) {
|
||||||
|
$token = $this->generate_token( $user->ID );
|
||||||
|
|
||||||
|
/* translators: %s: site name */
|
||||||
|
$subject = wp_strip_all_tags( sprintf( __( 'Your login confirmation code for %s', 'two-factor' ), wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ) ) );
|
||||||
|
/* translators: %s: token */
|
||||||
|
$message = wp_strip_all_tags( sprintf( __( 'Enter %s to log in.', 'two-factor' ), $token ) );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filter the token email subject.
|
||||||
|
*
|
||||||
|
* @param string $subject The email subject line.
|
||||||
|
* @param int $user_id The ID of the user.
|
||||||
|
*/
|
||||||
|
$subject = apply_filters( 'two_factor_token_email_subject', $subject, $user->ID );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filter the token email message.
|
||||||
|
*
|
||||||
|
* @param string $message The email message.
|
||||||
|
* @param string $token The token.
|
||||||
|
* @param int $user_id The ID of the user.
|
||||||
|
*/
|
||||||
|
$message = apply_filters( 'two_factor_token_email_message', $message, $token, $user->ID );
|
||||||
|
|
||||||
|
return wp_mail( $user->user_email, $subject, $message ); // phpcs:ignore WordPressVIPMinimum.Functions.RestrictedFunctions.wp_mail_wp_mail
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prints the form that prompts the user to authenticate.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public function authentication_page( $user ) {
|
||||||
|
if ( ! $user ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! $this->user_has_token( $user->ID ) || $this->user_token_has_expired( $user->ID ) ) {
|
||||||
|
$this->generate_and_email_token( $user );
|
||||||
|
}
|
||||||
|
|
||||||
|
require_once ABSPATH . '/wp-admin/includes/template.php';
|
||||||
|
?>
|
||||||
|
<p><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
|
||||||
|
<p>
|
||||||
|
<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
|
||||||
|
<input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" />
|
||||||
|
<?php submit_button( __( 'Log In', 'two-factor' ) ); ?>
|
||||||
|
</p>
|
||||||
|
<p class="two-factor-email-resend">
|
||||||
|
<input type="submit" class="button" name="<?php echo esc_attr( self::INPUT_NAME_RESEND_CODE ); ?>" value="<?php esc_attr_e( 'Resend Code', 'two-factor' ); ?>" />
|
||||||
|
</p>
|
||||||
|
<script type="text/javascript">
|
||||||
|
setTimeout( function(){
|
||||||
|
var d;
|
||||||
|
try{
|
||||||
|
d = document.getElementById('authcode');
|
||||||
|
d.value = '';
|
||||||
|
d.focus();
|
||||||
|
} catch(e){}
|
||||||
|
}, 200);
|
||||||
|
</script>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Send the email code if missing or requested. Stop the authentication
|
||||||
|
* validation if a new token has been generated and sent.
|
||||||
|
*
|
||||||
|
* @param WP_USer $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function pre_process_authentication( $user ) {
|
||||||
|
if ( isset( $user->ID ) && isset( $_REQUEST[ self::INPUT_NAME_RESEND_CODE ] ) ) {
|
||||||
|
$this->generate_and_email_token( $user );
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates the users input token.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function validate_authentication( $user ) {
|
||||||
|
if ( ! isset( $user->ID ) || ! isset( $_REQUEST['two-factor-email-code'] ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Ensure there are no spaces or line breaks around the code.
|
||||||
|
$code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
|
||||||
|
|
||||||
|
return $this->validate_token( $user->ID, $code );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether this Two Factor provider is configured and available for the user specified.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function is_available_for_user( $user ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inserts markup at the end of the user profile field for this provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public function user_options( $user ) {
|
||||||
|
$email = $user->user_email;
|
||||||
|
?>
|
||||||
|
<div>
|
||||||
|
<?php
|
||||||
|
echo esc_html(
|
||||||
|
sprintf(
|
||||||
|
/* translators: %s: email address */
|
||||||
|
__( 'Authentication codes will be sent to %s.', 'two-factor' ),
|
||||||
|
$email
|
||||||
|
)
|
||||||
|
);
|
||||||
|
?>
|
||||||
|
</div>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,160 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Class for displaying the list of security key items.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Load the parent class if it doesn't exist.
|
||||||
|
if ( ! class_exists( 'WP_List_Table' ) ) {
|
||||||
|
require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for displaying the list of security key items.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
* @access private
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
class Two_Factor_FIDO_U2F_Admin_List_Table extends WP_List_Table {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get a list of columns.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
public function get_columns() {
|
||||||
|
return array(
|
||||||
|
'name' => wp_strip_all_tags( __( 'Name', 'two-factor' ) ),
|
||||||
|
'added' => wp_strip_all_tags( __( 'Added', 'two-factor' ) ),
|
||||||
|
'last_used' => wp_strip_all_tags( __( 'Last Used', 'two-factor' ) ),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prepares the list of items for displaying.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function prepare_items() {
|
||||||
|
$columns = $this->get_columns();
|
||||||
|
$hidden = array();
|
||||||
|
$sortable = array();
|
||||||
|
$primary = 'name';
|
||||||
|
$this->_column_headers = array( $columns, $hidden, $sortable, $primary );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generates content for a single row of the table
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
* @access protected
|
||||||
|
*
|
||||||
|
* @param object $item The current item.
|
||||||
|
* @param string $column_name The current column name.
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
protected function column_default( $item, $column_name ) {
|
||||||
|
switch ( $column_name ) {
|
||||||
|
case 'name':
|
||||||
|
$out = '<div class="hidden" id="inline_' . esc_attr( $item->keyHandle ) . '">'; // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
$out .= '<div class="name">' . esc_html( $item->name ) . '</div>';
|
||||||
|
$out .= '</div>';
|
||||||
|
|
||||||
|
$actions = array(
|
||||||
|
'rename hide-if-no-js' => Two_Factor_FIDO_U2F_Admin::rename_link( $item ),
|
||||||
|
'delete' => Two_Factor_FIDO_U2F_Admin::delete_link( $item ),
|
||||||
|
);
|
||||||
|
|
||||||
|
return esc_html( $item->name ) . $out . self::row_actions( $actions );
|
||||||
|
case 'added':
|
||||||
|
return gmdate( get_option( 'date_format', 'r' ), $item->added );
|
||||||
|
case 'last_used':
|
||||||
|
return gmdate( get_option( 'date_format', 'r' ), $item->last_used );
|
||||||
|
default:
|
||||||
|
return 'WTF^^?';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generates custom table navigation to prevent conflicting nonces.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
* @access protected
|
||||||
|
*
|
||||||
|
* @param string $which The location of the bulk actions: 'top' or 'bottom'.
|
||||||
|
*/
|
||||||
|
protected function display_tablenav( $which ) {
|
||||||
|
// Not used for the Security key list.
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generates content for a single row of the table
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
* @access public
|
||||||
|
*
|
||||||
|
* @param object $item The current item.
|
||||||
|
*/
|
||||||
|
public function single_row( $item ) {
|
||||||
|
?>
|
||||||
|
<tr id="key-<?php echo esc_attr( $item->keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase ?>">
|
||||||
|
<?php $this->single_row_columns( $item ); ?>
|
||||||
|
</tr>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Outputs the hidden row displayed when inline editing
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function inline_edit() {
|
||||||
|
?>
|
||||||
|
<table style="display: none">
|
||||||
|
<tbody id="inlineedit">
|
||||||
|
<tr id="inline-edit" class="inline-edit-row" style="display: none">
|
||||||
|
<td colspan="<?php echo esc_attr( $this->get_column_count() ); ?>" class="colspanchange">
|
||||||
|
<fieldset>
|
||||||
|
<div class="inline-edit-col">
|
||||||
|
<label>
|
||||||
|
<span class="title"><?php esc_html_e( 'Name', 'two-factor' ); ?></span>
|
||||||
|
<span class="input-text-wrap"><input type="text" name="name" class="ptitle" value="" /></span>
|
||||||
|
</label>
|
||||||
|
</div>
|
||||||
|
</fieldset>
|
||||||
|
<?php
|
||||||
|
$core_columns = array(
|
||||||
|
'name' => true,
|
||||||
|
'added' => true,
|
||||||
|
'last_used' => true,
|
||||||
|
);
|
||||||
|
list( $columns ) = $this->get_column_info();
|
||||||
|
foreach ( $columns as $column_name => $column_display_name ) {
|
||||||
|
if ( isset( $core_columns[ $column_name ] ) ) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** This action is documented in wp-admin/includes/class-wp-posts-list-table.php */
|
||||||
|
do_action( 'quick_edit_custom_box', $column_name, 'edit-security-keys' );
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
<p class="inline-edit-save submit">
|
||||||
|
<a href="#inline-edit" class="cancel button-secondary alignleft"><?php esc_html_e( 'Cancel', 'two-factor' ); ?></a>
|
||||||
|
<a href="#inline-edit" class="save button-primary alignright"><?php esc_html_e( 'Update', 'two-factor' ); ?></a>
|
||||||
|
<span class="spinner"></span>
|
||||||
|
<span class="error" style="display:none;"></span>
|
||||||
|
<?php wp_nonce_field( 'keyinlineeditnonce', '_inline_edit', false ); ?>
|
||||||
|
<br class="clear" />
|
||||||
|
</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,359 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Class for registering & modifying FIDO U2F security keys.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for registering & modifying FIDO U2F security keys.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
class Two_Factor_FIDO_U2F_Admin {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The user meta register data.
|
||||||
|
*
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
const REGISTER_DATA_USER_META_KEY = '_two_factor_fido_u2f_register_request';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add various hooks.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*/
|
||||||
|
public static function add_hooks() {
|
||||||
|
add_action( 'admin_enqueue_scripts', array( __CLASS__, 'enqueue_assets' ) );
|
||||||
|
add_action( 'show_user_security_settings', array( __CLASS__, 'show_user_profile' ) );
|
||||||
|
add_action( 'personal_options_update', array( __CLASS__, 'catch_submission' ), 0 );
|
||||||
|
add_action( 'edit_user_profile_update', array( __CLASS__, 'catch_submission' ), 0 );
|
||||||
|
add_action( 'load-profile.php', array( __CLASS__, 'catch_delete_security_key' ) );
|
||||||
|
add_action( 'load-user-edit.php', array( __CLASS__, 'catch_delete_security_key' ) );
|
||||||
|
add_action( 'wp_ajax_inline-save-key', array( __CLASS__, 'wp_ajax_inline_save' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enqueue assets.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*
|
||||||
|
* @param string $hook Current page.
|
||||||
|
*/
|
||||||
|
public static function enqueue_assets( $hook ) {
|
||||||
|
if ( ! in_array( $hook, array( 'user-edit.php', 'profile.php' ), true ) ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$user_id = Two_Factor_Core::current_user_being_edited();
|
||||||
|
if ( ! $user_id ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
|
||||||
|
|
||||||
|
// @todo Ensure that scripts don't fail because of missing u2fL10n.
|
||||||
|
try {
|
||||||
|
$data = Two_Factor_FIDO_U2F::$u2f->getRegisterData( $security_keys );
|
||||||
|
list( $req,$sigs ) = $data;
|
||||||
|
|
||||||
|
update_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, $req );
|
||||||
|
} catch ( Exception $e ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
wp_enqueue_style(
|
||||||
|
'fido-u2f-admin',
|
||||||
|
plugins_url( 'css/fido-u2f-admin.css', __FILE__ ),
|
||||||
|
null,
|
||||||
|
self::asset_version()
|
||||||
|
);
|
||||||
|
|
||||||
|
wp_enqueue_script(
|
||||||
|
'fido-u2f-admin',
|
||||||
|
plugins_url( 'js/fido-u2f-admin.js', __FILE__ ),
|
||||||
|
array( 'jquery', 'fido-u2f-api' ),
|
||||||
|
self::asset_version(),
|
||||||
|
true
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Pass a U2F challenge and user data to our scripts
|
||||||
|
*/
|
||||||
|
|
||||||
|
$translation_array = array(
|
||||||
|
'user_id' => $user_id,
|
||||||
|
'register' => array(
|
||||||
|
'request' => $req,
|
||||||
|
'sigs' => $sigs,
|
||||||
|
),
|
||||||
|
'text' => array(
|
||||||
|
'insert' => esc_html__( 'Now insert (and tap) your Security Key.', 'two-factor' ),
|
||||||
|
'error' => esc_html__( 'U2F request failed.', 'two-factor' ),
|
||||||
|
'error_codes' => array(
|
||||||
|
// Map u2f.ErrorCodes to error messages.
|
||||||
|
0 => esc_html__( 'Request OK.', 'two-factor' ),
|
||||||
|
1 => esc_html__( 'Other U2F error.', 'two-factor' ),
|
||||||
|
2 => esc_html__( 'Bad U2F request.', 'two-factor' ),
|
||||||
|
3 => esc_html__( 'Unsupported U2F configuration.', 'two-factor' ),
|
||||||
|
4 => esc_html__( 'U2F device ineligible.', 'two-factor' ),
|
||||||
|
5 => esc_html__( 'U2F request timeout reached.', 'two-factor' ),
|
||||||
|
),
|
||||||
|
'u2f_not_supported' => esc_html__( 'FIDO U2F appears to be not supported by your web browser. Try using Google Chrome or Firefox.', 'two-factor' ),
|
||||||
|
),
|
||||||
|
);
|
||||||
|
|
||||||
|
wp_localize_script(
|
||||||
|
'fido-u2f-admin',
|
||||||
|
'u2fL10n',
|
||||||
|
$translation_array
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Script for admin UI
|
||||||
|
*/
|
||||||
|
|
||||||
|
wp_enqueue_script(
|
||||||
|
'inline-edit-key',
|
||||||
|
plugins_url( 'js/fido-u2f-admin-inline-edit.js', __FILE__ ),
|
||||||
|
array( 'jquery' ),
|
||||||
|
self::asset_version(),
|
||||||
|
true
|
||||||
|
);
|
||||||
|
|
||||||
|
wp_localize_script(
|
||||||
|
'inline-edit-key',
|
||||||
|
'inlineEditL10n',
|
||||||
|
array(
|
||||||
|
'error' => esc_html__( 'Error while saving the changes.', 'two-factor' ),
|
||||||
|
)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the current asset version number.
|
||||||
|
*
|
||||||
|
* Added as own helper to allow swapping the implementation once we inject
|
||||||
|
* it as a dependency.
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
protected static function asset_version() {
|
||||||
|
return Two_Factor_FIDO_U2F::asset_version();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Display the security key section in a users profile.
|
||||||
|
*
|
||||||
|
* This executes during the `show_user_security_settings` action.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public static function show_user_profile( $user ) {
|
||||||
|
wp_nonce_field( "user_security_keys-{$user->ID}", '_nonce_user_security_keys' );
|
||||||
|
$new_key = false;
|
||||||
|
|
||||||
|
$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user->ID );
|
||||||
|
if ( $security_keys ) {
|
||||||
|
foreach ( $security_keys as &$security_key ) {
|
||||||
|
if ( property_exists( $security_key, 'new' ) ) {
|
||||||
|
$new_key = true;
|
||||||
|
unset( $security_key->new );
|
||||||
|
|
||||||
|
// If we've got a new one, update the db record to not save it there any longer.
|
||||||
|
Two_Factor_FIDO_U2F::update_security_key( $user->ID, $security_key );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
unset( $security_key );
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
||||||
|
<div class="security-keys" id="security-keys-section">
|
||||||
|
<h3><?php esc_html_e( 'Security Keys', 'two-factor' ); ?></h3>
|
||||||
|
|
||||||
|
<?php if ( ! is_ssl() ) : ?>
|
||||||
|
<p class="u2f-error-https">
|
||||||
|
<em><?php esc_html_e( 'U2F requires an HTTPS connection. You won\'t be able to add new security keys over HTTP.', 'two-factor' ); ?></em>
|
||||||
|
</p>
|
||||||
|
<?php endif; ?>
|
||||||
|
|
||||||
|
<div class="register-security-key">
|
||||||
|
<input type="hidden" name="do_new_security_key" id="do_new_security_key" />
|
||||||
|
<input type="hidden" name="u2f_response" id="u2f_response" />
|
||||||
|
<button type="button" class="button button-secondary" id="register_security_key"><?php echo esc_html( _x( 'Register New Key', 'security key', 'two-factor' ) ); ?></button>
|
||||||
|
<span class="spinner"></span>
|
||||||
|
<span class="security-key-status"></span>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<?php if ( $new_key ) : ?>
|
||||||
|
<div class="notice notice-success is-dismissible">
|
||||||
|
<p class="new-security-key"><?php esc_html_e( 'Your new security key registered.', 'two-factor' ); ?></p>
|
||||||
|
</div>
|
||||||
|
<?php endif; ?>
|
||||||
|
|
||||||
|
<p><a href="https://support.google.com/accounts/answer/6103523"><?php esc_html_e( 'You can find FIDO U2F Security Key devices for sale from here.', 'two-factor' ); ?></a></p>
|
||||||
|
|
||||||
|
<?php
|
||||||
|
require TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin-list-table.php';
|
||||||
|
$u2f_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
|
||||||
|
$u2f_list_table->items = $security_keys;
|
||||||
|
$u2f_list_table->prepare_items();
|
||||||
|
$u2f_list_table->display();
|
||||||
|
$u2f_list_table->inline_edit();
|
||||||
|
?>
|
||||||
|
</div>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Catch the non-ajax submission from the new form.
|
||||||
|
*
|
||||||
|
* This executes during the `personal_options_update` & `edit_user_profile_update` actions.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @return false
|
||||||
|
*/
|
||||||
|
public static function catch_submission( $user_id ) {
|
||||||
|
if ( ! empty( $_REQUEST['do_new_security_key'] ) ) {
|
||||||
|
check_admin_referer( "user_security_keys-{$user_id}", '_nonce_user_security_keys' );
|
||||||
|
|
||||||
|
try {
|
||||||
|
$response = json_decode( stripslashes( $_POST['u2f_response'] ) );
|
||||||
|
$reg = Two_Factor_FIDO_U2F::$u2f->doRegister( get_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY, true ), $response );
|
||||||
|
$reg->new = true;
|
||||||
|
|
||||||
|
Two_Factor_FIDO_U2F::add_security_key( $user_id, $reg );
|
||||||
|
} catch ( Exception $e ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
delete_user_meta( $user_id, self::REGISTER_DATA_USER_META_KEY );
|
||||||
|
|
||||||
|
wp_safe_redirect(
|
||||||
|
add_query_arg(
|
||||||
|
array(
|
||||||
|
'new_app_pass' => 1,
|
||||||
|
),
|
||||||
|
wp_get_referer()
|
||||||
|
) . '#security-keys-section'
|
||||||
|
);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Catch the delete security key request.
|
||||||
|
*
|
||||||
|
* This executes during the `load-profile.php` & `load-user-edit.php` actions.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*/
|
||||||
|
public static function catch_delete_security_key() {
|
||||||
|
$user_id = Two_Factor_Core::current_user_being_edited();
|
||||||
|
|
||||||
|
if ( ! empty( $user_id ) && ! empty( $_REQUEST['delete_security_key'] ) ) {
|
||||||
|
$slug = $_REQUEST['delete_security_key'];
|
||||||
|
|
||||||
|
check_admin_referer( "delete_security_key-{$slug}", '_nonce_delete_security_key' );
|
||||||
|
|
||||||
|
Two_Factor_FIDO_U2F::delete_security_key( $user_id, $slug );
|
||||||
|
|
||||||
|
wp_safe_redirect( remove_query_arg( 'new_app_pass', wp_get_referer() ) . '#security-keys-section' );
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate a link to rename a specified security key.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*
|
||||||
|
* @param array $item The current item.
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public static function rename_link( $item ) {
|
||||||
|
return sprintf( '<a href="#" class="editinline">%s</a>', esc_html__( 'Rename', 'two-factor' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate a link to delete a specified security key.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*
|
||||||
|
* @param array $item The current item.
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public static function delete_link( $item ) {
|
||||||
|
$delete_link = add_query_arg( 'delete_security_key', $item->keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
$delete_link = wp_nonce_url( $delete_link, "delete_security_key-{$item->keyHandle}", '_nonce_delete_security_key' );
|
||||||
|
return sprintf( '<a href="%1$s">%2$s</a>', esc_url( $delete_link ), esc_html__( 'Delete', 'two-factor' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ajax handler for quick edit saving for a security key.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @access public
|
||||||
|
* @static
|
||||||
|
*/
|
||||||
|
public static function wp_ajax_inline_save() {
|
||||||
|
check_ajax_referer( 'keyinlineeditnonce', '_inline_edit' );
|
||||||
|
|
||||||
|
require TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin-list-table.php';
|
||||||
|
$wp_list_table = new Two_Factor_FIDO_U2F_Admin_List_Table();
|
||||||
|
|
||||||
|
if ( ! isset( $_POST['keyHandle'] ) ) {
|
||||||
|
wp_die();
|
||||||
|
}
|
||||||
|
|
||||||
|
$user_id = Two_Factor_Core::current_user_being_edited();
|
||||||
|
$security_keys = Two_Factor_FIDO_U2F::get_security_keys( $user_id );
|
||||||
|
if ( ! $security_keys ) {
|
||||||
|
wp_die();
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach ( $security_keys as &$key ) {
|
||||||
|
if ( $key->keyHandle === $_POST['keyHandle'] ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$key->name = $_POST['name'];
|
||||||
|
|
||||||
|
$updated = Two_Factor_FIDO_U2F::update_security_key( $user_id, $key );
|
||||||
|
if ( ! $updated ) {
|
||||||
|
wp_die( esc_html__( 'Item not updated.', 'two-factor' ) );
|
||||||
|
}
|
||||||
|
$wp_list_table->single_row( $key );
|
||||||
|
wp_die();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,397 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Class for creating a FIDO Universal 2nd Factor provider.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class for creating a FIDO Universal 2nd Factor provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
class Two_Factor_FIDO_U2F extends Two_Factor_Provider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* U2F Library
|
||||||
|
*
|
||||||
|
* @var u2flib_server\U2F
|
||||||
|
*/
|
||||||
|
public static $u2f;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The user meta registered key.
|
||||||
|
*
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
const REGISTERED_KEY_USER_META_KEY = '_two_factor_fido_u2f_registered_key';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The user meta authenticate data.
|
||||||
|
*
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
const AUTH_DATA_USER_META_KEY = '_two_factor_fido_u2f_login_request';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Version number for the bundled assets.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
const U2F_ASSET_VERSION = '0.2.1';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensures only one instance of this class exists in memory at any one time.
|
||||||
|
*
|
||||||
|
* @return \Two_Factor_FIDO_U2F
|
||||||
|
*/
|
||||||
|
public static function get_instance() {
|
||||||
|
static $instance;
|
||||||
|
|
||||||
|
if ( ! isset( $instance ) ) {
|
||||||
|
$instance = new self();
|
||||||
|
}
|
||||||
|
|
||||||
|
return $instance;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class constructor.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
protected function __construct() {
|
||||||
|
if ( version_compare( PHP_VERSION, '5.3.0', '<' ) ) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
require_once TWO_FACTOR_DIR . 'includes/Yubico/U2F.php';
|
||||||
|
self::$u2f = new u2flib_server\U2F( self::get_u2f_app_id() );
|
||||||
|
|
||||||
|
require_once TWO_FACTOR_DIR . 'providers/class-two-factor-fido-u2f-admin.php';
|
||||||
|
Two_Factor_FIDO_U2F_Admin::add_hooks();
|
||||||
|
|
||||||
|
// Ensure the script dependencies have been registered before they're enqueued at a later priority.
|
||||||
|
add_action( 'admin_enqueue_scripts', array( __CLASS__, 'enqueue_scripts' ), 5 );
|
||||||
|
add_action( 'wp_enqueue_scripts', array( __CLASS__, 'enqueue_scripts' ), 5 );
|
||||||
|
add_action( 'login_enqueue_scripts', array( __CLASS__, 'enqueue_scripts' ), 5 );
|
||||||
|
|
||||||
|
add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_options' ) );
|
||||||
|
|
||||||
|
return parent::__construct();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the asset version number.
|
||||||
|
*
|
||||||
|
* TODO: There should be a plugin-level helper for getting the current plugin version.
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public static function asset_version() {
|
||||||
|
return self::U2F_ASSET_VERSION;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return the U2F AppId. U2F requires the AppID to use HTTPS
|
||||||
|
* and a top-level domain.
|
||||||
|
*
|
||||||
|
* @return string AppID URI
|
||||||
|
*/
|
||||||
|
public static function get_u2f_app_id() {
|
||||||
|
$url_parts = wp_parse_url( home_url() );
|
||||||
|
|
||||||
|
if ( ! empty( $url_parts['port'] ) ) {
|
||||||
|
return sprintf( 'https://%s:%d', $url_parts['host'], $url_parts['port'] );
|
||||||
|
} else {
|
||||||
|
return sprintf( 'https://%s', $url_parts['host'] );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the name of the provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function get_label() {
|
||||||
|
return _x( 'FIDO U2F Security Keys', 'Provider Label', 'two-factor' );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Register script dependencies used during login and when
|
||||||
|
* registering keys in the WP admin.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public static function enqueue_scripts() {
|
||||||
|
wp_register_script(
|
||||||
|
'fido-u2f-api',
|
||||||
|
plugins_url( 'includes/Google/u2f-api.js', dirname( __FILE__ ) ),
|
||||||
|
null,
|
||||||
|
self::asset_version(),
|
||||||
|
true
|
||||||
|
);
|
||||||
|
|
||||||
|
wp_register_script(
|
||||||
|
'fido-u2f-login',
|
||||||
|
plugins_url( 'js/fido-u2f-login.js', __FILE__ ),
|
||||||
|
array( 'jquery', 'fido-u2f-api' ),
|
||||||
|
self::asset_version(),
|
||||||
|
true
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prints the form that prompts the user to authenticate.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return null
|
||||||
|
*/
|
||||||
|
public function authentication_page( $user ) {
|
||||||
|
require_once ABSPATH . '/wp-admin/includes/template.php';
|
||||||
|
|
||||||
|
// U2F doesn't work without HTTPS.
|
||||||
|
if ( ! is_ssl() ) {
|
||||||
|
?>
|
||||||
|
<p><?php esc_html_e( 'U2F requires an HTTPS connection. Please use an alternative 2nd factor method.', 'two-factor' ); ?></p>
|
||||||
|
<?php
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
$keys = self::get_security_keys( $user->ID );
|
||||||
|
$data = self::$u2f->getAuthenticateData( $keys );
|
||||||
|
update_user_meta( $user->ID, self::AUTH_DATA_USER_META_KEY, $data );
|
||||||
|
} catch ( Exception $e ) {
|
||||||
|
?>
|
||||||
|
<p><?php esc_html_e( 'An error occurred while creating authentication data.', 'two-factor' ); ?></p>
|
||||||
|
<?php
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
wp_localize_script(
|
||||||
|
'fido-u2f-login',
|
||||||
|
'u2fL10n',
|
||||||
|
array(
|
||||||
|
'request' => $data,
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
wp_enqueue_script( 'fido-u2f-login' );
|
||||||
|
|
||||||
|
?>
|
||||||
|
<p><?php esc_html_e( 'Now insert (and tap) your Security Key.', 'two-factor' ); ?></p>
|
||||||
|
<input type="hidden" name="u2f_response" id="u2f_response" />
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates the users input token.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function validate_authentication( $user ) {
|
||||||
|
$requests = get_user_meta( $user->ID, self::AUTH_DATA_USER_META_KEY, true );
|
||||||
|
|
||||||
|
$response = json_decode( stripslashes( $_REQUEST['u2f_response'] ) );
|
||||||
|
|
||||||
|
$keys = self::get_security_keys( $user->ID );
|
||||||
|
|
||||||
|
try {
|
||||||
|
$reg = self::$u2f->doAuthenticate( $requests, $keys, $response );
|
||||||
|
|
||||||
|
$reg->last_used = time();
|
||||||
|
|
||||||
|
self::update_security_key( $user->ID, $reg );
|
||||||
|
|
||||||
|
return true;
|
||||||
|
} catch ( Exception $e ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether this Two Factor provider is configured and available for the user specified.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function is_available_for_user( $user ) {
|
||||||
|
return (bool) self::get_security_keys( $user->ID );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Inserts markup at the end of the user profile field for this provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
public function user_options( $user ) {
|
||||||
|
?>
|
||||||
|
<p>
|
||||||
|
<?php esc_html_e( 'Requires an HTTPS connection. Configure your security keys in the "Security Keys" section below.', 'two-factor' ); ?>
|
||||||
|
</p>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add registered security key to a user.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @param object $register The data of registered security key.
|
||||||
|
* @return int|bool Meta ID on success, false on failure.
|
||||||
|
*/
|
||||||
|
public static function add_security_key( $user_id, $register ) {
|
||||||
|
if ( ! is_numeric( $user_id ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (
|
||||||
|
! is_object( $register )
|
||||||
|
|| ! property_exists( $register, 'keyHandle' ) || empty( $register->keyHandle ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
|| ! property_exists( $register, 'publicKey' ) || empty( $register->publicKey ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
|| ! property_exists( $register, 'certificate' ) || empty( $register->certificate )
|
||||||
|
|| ! property_exists( $register, 'counter' ) || ( -1 > $register->counter )
|
||||||
|
) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$register = array(
|
||||||
|
'keyHandle' => $register->keyHandle, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
'publicKey' => $register->publicKey, // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
'certificate' => $register->certificate,
|
||||||
|
'counter' => $register->counter,
|
||||||
|
);
|
||||||
|
|
||||||
|
$register['name'] = __( 'New Security Key', 'two-factor' );
|
||||||
|
$register['added'] = time();
|
||||||
|
$register['last_used'] = $register['added'];
|
||||||
|
|
||||||
|
return add_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, $register );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Retrieve registered security keys for a user.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @return array|bool Array of keys on success, false on failure.
|
||||||
|
*/
|
||||||
|
public static function get_security_keys( $user_id ) {
|
||||||
|
if ( ! is_numeric( $user_id ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$keys = get_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY );
|
||||||
|
if ( $keys ) {
|
||||||
|
foreach ( $keys as &$key ) {
|
||||||
|
$key = (object) $key;
|
||||||
|
}
|
||||||
|
unset( $key );
|
||||||
|
}
|
||||||
|
|
||||||
|
return $keys;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Update registered security key.
|
||||||
|
*
|
||||||
|
* Use the $prev_value parameter to differentiate between meta fields with the
|
||||||
|
* same key and user ID.
|
||||||
|
*
|
||||||
|
* If the meta field for the user does not exist, it will be added.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @param object $data The data of registered security key.
|
||||||
|
* @return int|bool Meta ID if the key didn't exist, true on successful update, false on failure.
|
||||||
|
*/
|
||||||
|
public static function update_security_key( $user_id, $data ) {
|
||||||
|
if ( ! is_numeric( $user_id ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (
|
||||||
|
! is_object( $data )
|
||||||
|
|| ! property_exists( $data, 'keyHandle' ) || empty( $data->keyHandle ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
|| ! property_exists( $data, 'publicKey' ) || empty( $data->publicKey ) // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
|| ! property_exists( $data, 'certificate' ) || empty( $data->certificate )
|
||||||
|
|| ! property_exists( $data, 'counter' ) || ( -1 > $data->counter )
|
||||||
|
) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$keys = self::get_security_keys( $user_id );
|
||||||
|
if ( $keys ) {
|
||||||
|
foreach ( $keys as $key ) {
|
||||||
|
if ( $key->keyHandle === $data->keyHandle ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.UsedPropertyNotSnakeCase
|
||||||
|
return update_user_meta( $user_id, self::REGISTERED_KEY_USER_META_KEY, (array) $data, (array) $key );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return self::add_security_key( $user_id, $data );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Remove registered security key matching criteria from a user.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @param string $keyHandle Optional. Key handle.
|
||||||
|
* @return bool True on success, false on failure.
|
||||||
|
*/
|
||||||
|
public static function delete_security_key( $user_id, $keyHandle = null ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
|
||||||
|
global $wpdb;
|
||||||
|
|
||||||
|
if ( ! is_numeric( $user_id ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$user_id = absint( $user_id );
|
||||||
|
if ( ! $user_id ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$keyHandle = wp_unslash( $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
|
||||||
|
$keyHandle = maybe_serialize( $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
|
||||||
|
|
||||||
|
$query = $wpdb->prepare( "SELECT umeta_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id = %d", self::REGISTERED_KEY_USER_META_KEY, $user_id );
|
||||||
|
|
||||||
|
if ( $keyHandle ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
|
||||||
|
$key_handle_lookup = sprintf( ':"%s";s:', $keyHandle ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.VariableNotSnakeCase
|
||||||
|
|
||||||
|
$query .= $wpdb->prepare(
|
||||||
|
' AND meta_value LIKE %s',
|
||||||
|
'%' . $wpdb->esc_like( $key_handle_lookup ) . '%'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
$meta_ids = $wpdb->get_col( $query ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
|
||||||
|
if ( ! count( $meta_ids ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach ( $meta_ids as $meta_id ) {
|
||||||
|
delete_metadata_by_mid( 'user', $meta_id );
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,102 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Abstract class for creating two factor authentication providers.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Abstract class for creating two factor authentication providers.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
abstract class Two_Factor_Provider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class constructor.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
protected function __construct() {
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the name of the provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
abstract public function get_label();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prints the name of the provider.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*/
|
||||||
|
public function print_label() {
|
||||||
|
echo esc_html( $this->get_label() );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prints the form that prompts the user to authenticate.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*/
|
||||||
|
abstract public function authentication_page( $user );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Allow providers to do extra processing before the authentication.
|
||||||
|
* Return `true` to prevent the authentication and render the
|
||||||
|
* authentication page.
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function pre_process_authentication( $user ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates the users input token.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
abstract public function validate_authentication( $user );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether this Two Factor provider is configured and available for the user specified.
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
abstract public function is_available_for_user( $user );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generate a random eight-digit string to send out as an auth code.
|
||||||
|
*
|
||||||
|
* @since 0.1-dev
|
||||||
|
*
|
||||||
|
* @param int $length The code length.
|
||||||
|
* @param string|array $chars Valid auth code characters.
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function get_code( $length = 8, $chars = '1234567890' ) {
|
||||||
|
$code = '';
|
||||||
|
if ( is_array( $chars ) ) {
|
||||||
|
$chars = implode( '', $chars );
|
||||||
|
}
|
||||||
|
for ( $i = 0; $i < $length; $i++ ) {
|
||||||
|
$code .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 );
|
||||||
|
}
|
||||||
|
return $code;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,578 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Class for creating a Time Based One-Time Password provider.
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class Two_Factor_Totp
|
||||||
|
*/
|
||||||
|
class Two_Factor_Totp extends Two_Factor_Provider {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The user meta token key.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
const SECRET_META_KEY = '_two_factor_totp_key';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The user meta token key.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
const NOTICES_META_KEY = '_two_factor_totp_notices';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Action name for resetting the secret token.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
const ACTION_SECRET_DELETE = 'totp-delete';
|
||||||
|
|
||||||
|
const DEFAULT_KEY_BIT_SIZE = 160;
|
||||||
|
const DEFAULT_CRYPTO = 'sha1';
|
||||||
|
const DEFAULT_DIGIT_COUNT = 6;
|
||||||
|
const DEFAULT_TIME_STEP_SEC = 30;
|
||||||
|
const DEFAULT_TIME_STEP_ALLOWANCE = 4;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Characters used in base32 encoding.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
private static $base_32_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class constructor. Sets up hooks, etc.
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
protected function __construct() {
|
||||||
|
add_action( 'two_factor_user_options_' . __CLASS__, array( $this, 'user_two_factor_options' ) );
|
||||||
|
add_action( 'personal_options_update', array( $this, 'user_two_factor_options_update' ) );
|
||||||
|
add_action( 'edit_user_profile_update', array( $this, 'user_two_factor_options_update' ) );
|
||||||
|
add_action( 'two_factor_user_settings_action', array( $this, 'user_settings_action' ), 10, 2 );
|
||||||
|
|
||||||
|
return parent::__construct();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensures only one instance of this class exists in memory at any one time.
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public static function get_instance() {
|
||||||
|
static $instance;
|
||||||
|
if ( ! isset( $instance ) ) {
|
||||||
|
$instance = new self();
|
||||||
|
}
|
||||||
|
return $instance;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the name of the provider.
|
||||||
|
*/
|
||||||
|
public function get_label() {
|
||||||
|
return _x( 'Time Based One-Time Password (TOTP)', 'Provider Label', 'two-factor' );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Trigger our custom user settings actions.
|
||||||
|
*
|
||||||
|
* @param integer $user_id User ID.
|
||||||
|
* @param string $action Action ID.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public function user_settings_action( $user_id, $action ) {
|
||||||
|
if ( self::ACTION_SECRET_DELETE === $action ) {
|
||||||
|
$this->delete_user_totp_key( $user_id );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the URL for deleting the secret token.
|
||||||
|
*
|
||||||
|
* @param integer $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
protected function get_token_delete_url_for_user( $user_id ) {
|
||||||
|
return Two_Factor_Core::get_user_update_action_url( $user_id, self::ACTION_SECRET_DELETE );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Display TOTP options on the user settings page.
|
||||||
|
*
|
||||||
|
* @param WP_User $user The current user being edited.
|
||||||
|
* @return false
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public function user_two_factor_options( $user ) {
|
||||||
|
if ( ! isset( $user->ID ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
wp_nonce_field( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options', false );
|
||||||
|
|
||||||
|
$key = $this->get_user_totp_key( $user->ID );
|
||||||
|
$this->admin_notices( $user->ID );
|
||||||
|
|
||||||
|
?>
|
||||||
|
<div id="two-factor-totp-options">
|
||||||
|
<?php
|
||||||
|
if ( empty( $key ) ) :
|
||||||
|
$key = $this->generate_key();
|
||||||
|
$site_name = get_bloginfo( 'name', 'display' );
|
||||||
|
$totp_title = apply_filters( 'two_factor_totp_title', $site_name . ':' . $user->user_login, $user );
|
||||||
|
?>
|
||||||
|
<p>
|
||||||
|
<?php esc_html_e( 'Please scan the QR code or manually enter the key, then enter an authentication code from your app in order to complete setup.', 'two-factor' ); ?>
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<img src="<?php echo esc_url( $this->get_google_qr_code( $totp_title, $key, $site_name ) ); ?>" id="two-factor-totp-qrcode" />
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<code><?php echo esc_html( $key ); ?></code>
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<input type="hidden" name="two-factor-totp-key" value="<?php echo esc_attr( $key ); ?>" />
|
||||||
|
<label for="two-factor-totp-authcode">
|
||||||
|
<?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?>
|
||||||
|
<input type="tel" name="two-factor-totp-authcode" id="two-factor-totp-authcode" class="input" value="" size="20" pattern="[0-9]*" />
|
||||||
|
</label>
|
||||||
|
<input type="submit" class="button" name="two-factor-totp-submit" value="<?php esc_attr_e( 'Submit', 'two-factor' ); ?>" />
|
||||||
|
</p>
|
||||||
|
<?php else : ?>
|
||||||
|
<p class="success">
|
||||||
|
<?php esc_html_e( 'Secret key is configured and registered. It is not possible to view it again for security reasons.', 'two-factor' ); ?>
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<a class="button" href="<?php echo esc_url( self::get_token_delete_url_for_user( $user->ID ) ); ?>"><?php esc_html_e( 'Reset Key', 'two-factor' ); ?></a>
|
||||||
|
<em class="description">
|
||||||
|
<?php esc_html_e( 'You will have to re-scan the QR code on all devices as the previous codes will stop working.', 'two-factor' ); ?>
|
||||||
|
</em>
|
||||||
|
</p>
|
||||||
|
<?php endif; ?>
|
||||||
|
</div>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Save the options specified in `::user_two_factor_options()`
|
||||||
|
*
|
||||||
|
* @param integer $user_id The user ID whose options are being updated.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public function user_two_factor_options_update( $user_id ) {
|
||||||
|
$notices = array();
|
||||||
|
$errors = array();
|
||||||
|
|
||||||
|
if ( isset( $_POST['_nonce_user_two_factor_totp_options'] ) ) {
|
||||||
|
check_admin_referer( 'user_two_factor_totp_options', '_nonce_user_two_factor_totp_options' );
|
||||||
|
|
||||||
|
// Validate and store a new secret key.
|
||||||
|
if ( ! empty( $_POST['two-factor-totp-authcode'] ) && ! empty( $_POST['two-factor-totp-key'] ) ) {
|
||||||
|
// Don't use filter_input() because we can't mock it during tests for now.
|
||||||
|
$authcode = filter_var( sanitize_text_field( $_POST['two-factor-totp-authcode'] ), FILTER_SANITIZE_NUMBER_INT );
|
||||||
|
$key = sanitize_text_field( $_POST['two-factor-totp-key'] );
|
||||||
|
|
||||||
|
if ( $this->is_valid_key( $key ) ) {
|
||||||
|
if ( $this->is_valid_authcode( $key, $authcode ) ) {
|
||||||
|
if ( ! $this->set_user_totp_key( $user_id, $key ) ) {
|
||||||
|
$errors[] = __( 'Unable to save Two Factor Authentication code. Please re-scan the QR code and enter the code provided by your application.', 'two-factor' );
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$errors[] = __( 'Invalid Two Factor Authentication code.', 'two-factor' );
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$errors[] = __( 'Invalid Two Factor Authentication secret key.', 'two-factor' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! empty( $errors ) ) {
|
||||||
|
$notices['error'] = $errors;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ! empty( $notices ) ) {
|
||||||
|
update_user_meta( $user_id, self::NOTICES_META_KEY, $notices );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the TOTP secret key for a user.
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function get_user_totp_key( $user_id ) {
|
||||||
|
return (string) get_user_meta( $user_id, self::SECRET_META_KEY, true );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set the TOTP secret key for a user.
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
* @param string $key TOTP secret key.
|
||||||
|
*
|
||||||
|
* @return boolean If the key was stored successfully.
|
||||||
|
*/
|
||||||
|
public function set_user_totp_key( $user_id, $key ) {
|
||||||
|
return update_user_meta( $user_id, self::SECRET_META_KEY, $key );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Delete the TOTP secret key for a user.
|
||||||
|
*
|
||||||
|
* @param int $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return boolean If the key was deleted successfully.
|
||||||
|
*/
|
||||||
|
public function delete_user_totp_key( $user_id ) {
|
||||||
|
return delete_user_meta( $user_id, self::SECRET_META_KEY );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if the TOTP secret key has a proper format.
|
||||||
|
*
|
||||||
|
* @param string $key TOTP secret key.
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function is_valid_key( $key ) {
|
||||||
|
$check = sprintf( '/^[%s]+$/', self::$base_32_chars );
|
||||||
|
|
||||||
|
if ( 1 === preg_match( $check, $key ) ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Display any available admin notices.
|
||||||
|
*
|
||||||
|
* @param integer $user_id User ID.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public function admin_notices( $user_id ) {
|
||||||
|
$notices = get_user_meta( $user_id, self::NOTICES_META_KEY, true );
|
||||||
|
|
||||||
|
if ( ! empty( $notices ) ) {
|
||||||
|
delete_user_meta( $user_id, self::NOTICES_META_KEY );
|
||||||
|
|
||||||
|
foreach ( $notices as $class => $messages ) {
|
||||||
|
?>
|
||||||
|
<div class="<?php echo esc_attr( $class ); ?>">
|
||||||
|
<?php
|
||||||
|
foreach ( $messages as $msg ) {
|
||||||
|
?>
|
||||||
|
<p>
|
||||||
|
<span><?php echo esc_html( $msg ); ?><span>
|
||||||
|
</p>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
</div>
|
||||||
|
<?php
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates authentication.
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*
|
||||||
|
* @return bool Whether the user gave a valid code
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public function validate_authentication( $user ) {
|
||||||
|
if ( ! empty( $_REQUEST['authcode'] ) ) {
|
||||||
|
return $this->is_valid_authcode(
|
||||||
|
$this->get_user_totp_key( $user->ID ),
|
||||||
|
sanitize_text_field( $_REQUEST['authcode'] )
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if a given code is valid for a given key, allowing for a certain amount of time drift
|
||||||
|
*
|
||||||
|
* @param string $key The share secret key to use.
|
||||||
|
* @param string $authcode The code to test.
|
||||||
|
*
|
||||||
|
* @return bool Whether the code is valid within the time frame
|
||||||
|
*/
|
||||||
|
public static function is_valid_authcode( $key, $authcode ) {
|
||||||
|
/**
|
||||||
|
* Filter the maximum ticks to allow when checking valid codes.
|
||||||
|
*
|
||||||
|
* Ticks are the allowed offset from the correct time in 30 second increments,
|
||||||
|
* so the default of 4 allows codes that are two minutes to either side of server time
|
||||||
|
*
|
||||||
|
* @deprecated 0.7.0 Use {@see 'two_factor_totp_time_step_allowance'} instead.
|
||||||
|
* @param int $max_ticks Max ticks of time correction to allow. Default 4.
|
||||||
|
*/
|
||||||
|
$max_ticks = apply_filters_deprecated( 'two-factor-totp-time-step-allowance', array( self::DEFAULT_TIME_STEP_ALLOWANCE ), '0.7.0', 'two_factor_totp_time_step_allowance' );
|
||||||
|
|
||||||
|
$max_ticks = apply_filters( 'two_factor_totp_time_step_allowance', self::DEFAULT_TIME_STEP_ALLOWANCE );
|
||||||
|
|
||||||
|
// Array of all ticks to allow, sorted using absolute value to test closest match first.
|
||||||
|
$ticks = range( - $max_ticks, $max_ticks );
|
||||||
|
usort( $ticks, array( __CLASS__, 'abssort' ) );
|
||||||
|
|
||||||
|
$time = time() / self::DEFAULT_TIME_STEP_SEC;
|
||||||
|
|
||||||
|
foreach ( $ticks as $offset ) {
|
||||||
|
$log_time = $time + $offset;
|
||||||
|
if ( hash_equals(self::calc_totp( $key, $log_time ), $authcode ) ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generates key
|
||||||
|
*
|
||||||
|
* @param int $bitsize Nume of bits to use for key.
|
||||||
|
*
|
||||||
|
* @return string $bitsize long string composed of available base32 chars.
|
||||||
|
*/
|
||||||
|
public static function generate_key( $bitsize = self::DEFAULT_KEY_BIT_SIZE ) {
|
||||||
|
$bytes = ceil( $bitsize / 8 );
|
||||||
|
$secret = wp_generate_password( $bytes, true, true );
|
||||||
|
|
||||||
|
return self::base32_encode( $secret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Pack stuff
|
||||||
|
*
|
||||||
|
* @param string $value The value to be packed.
|
||||||
|
*
|
||||||
|
* @return string Binary packed string.
|
||||||
|
*/
|
||||||
|
public static function pack64( $value ) {
|
||||||
|
// 64bit mode (PHP_INT_SIZE == 8).
|
||||||
|
if ( PHP_INT_SIZE >= 8 ) {
|
||||||
|
// If we're on PHP 5.6.3+ we can use the new 64bit pack functionality.
|
||||||
|
if ( version_compare( PHP_VERSION, '5.6.3', '>=' ) && PHP_INT_SIZE >= 8 ) {
|
||||||
|
return pack( 'J', $value ); // phpcs:ignore PHPCompatibility.ParameterValues.NewPackFormat.NewFormatFound
|
||||||
|
}
|
||||||
|
$highmap = 0xffffffff << 32;
|
||||||
|
$higher = ( $value & $highmap ) >> 32;
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
* 32bit PHP can't shift 32 bits like that, so we have to assume 0 for the higher
|
||||||
|
* and not pack anything beyond it's limits.
|
||||||
|
*/
|
||||||
|
$higher = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
$lowmap = 0xffffffff;
|
||||||
|
$lower = $value & $lowmap;
|
||||||
|
|
||||||
|
return pack( 'NN', $higher, $lower );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Calculate a valid code given the shared secret key
|
||||||
|
*
|
||||||
|
* @param string $key The shared secret key to use for calculating code.
|
||||||
|
* @param mixed $step_count The time step used to calculate the code, which is the floor of time() divided by step size.
|
||||||
|
* @param int $digits The number of digits in the returned code.
|
||||||
|
* @param string $hash The hash used to calculate the code.
|
||||||
|
* @param int $time_step The size of the time step.
|
||||||
|
*
|
||||||
|
* @return string The totp code
|
||||||
|
*/
|
||||||
|
public static function calc_totp( $key, $step_count = false, $digits = self::DEFAULT_DIGIT_COUNT, $hash = self::DEFAULT_CRYPTO, $time_step = self::DEFAULT_TIME_STEP_SEC ) {
|
||||||
|
$secret = self::base32_decode( $key );
|
||||||
|
|
||||||
|
if ( false === $step_count ) {
|
||||||
|
$step_count = floor( time() / $time_step );
|
||||||
|
}
|
||||||
|
|
||||||
|
$timestamp = self::pack64( $step_count );
|
||||||
|
|
||||||
|
$hash = hash_hmac( $hash, $timestamp, $secret, true );
|
||||||
|
|
||||||
|
$offset = ord( $hash[19] ) & 0xf;
|
||||||
|
|
||||||
|
$code = (
|
||||||
|
( ( ord( $hash[ $offset + 0 ] ) & 0x7f ) << 24 ) |
|
||||||
|
( ( ord( $hash[ $offset + 1 ] ) & 0xff ) << 16 ) |
|
||||||
|
( ( ord( $hash[ $offset + 2 ] ) & 0xff ) << 8 ) |
|
||||||
|
( ord( $hash[ $offset + 3 ] ) & 0xff )
|
||||||
|
) % pow( 10, $digits );
|
||||||
|
|
||||||
|
return str_pad( $code, $digits, '0', STR_PAD_LEFT );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Uses the Google Charts API to build a QR Code for use with an otpauth url
|
||||||
|
*
|
||||||
|
* @param string $name The name to display in the Authentication app.
|
||||||
|
* @param string $key The secret key to share with the Authentication app.
|
||||||
|
* @param string $title The title to display in the Authentication app.
|
||||||
|
*
|
||||||
|
* @return string A URL to use as an img src to display the QR code
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public static function get_google_qr_code( $name, $key, $title = null ) {
|
||||||
|
// Encode to support spaces, question marks and other characters.
|
||||||
|
$name = rawurlencode( $name );
|
||||||
|
$google_url = urlencode( 'otpauth://totp/' . $name . '?secret=' . $key );
|
||||||
|
if ( isset( $title ) ) {
|
||||||
|
$google_url .= urlencode( '&issuer=' . rawurlencode( $title ) );
|
||||||
|
}
|
||||||
|
return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=' . $google_url;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether this Two Factor provider is configured and available for the user specified.
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function is_available_for_user( $user ) {
|
||||||
|
// Only available if the secret key has been saved for the user.
|
||||||
|
$key = $this->get_user_totp_key( $user->ID );
|
||||||
|
|
||||||
|
return ! empty( $key );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Prints the form that prompts the user to authenticate.
|
||||||
|
*
|
||||||
|
* @param WP_User $user WP_User object of the logged-in user.
|
||||||
|
*
|
||||||
|
* @codeCoverageIgnore
|
||||||
|
*/
|
||||||
|
public function authentication_page( $user ) {
|
||||||
|
require_once ABSPATH . '/wp-admin/includes/template.php';
|
||||||
|
?>
|
||||||
|
<p>
|
||||||
|
<?php esc_html_e( 'Please enter the code generated by your authenticator app.', 'two-factor' ); ?>
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<label for="authcode"><?php esc_html_e( 'Authentication Code:', 'two-factor' ); ?></label>
|
||||||
|
<input type="tel" autocomplete="one-time-code" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
|
||||||
|
</p>
|
||||||
|
<script type="text/javascript">
|
||||||
|
setTimeout( function(){
|
||||||
|
var d;
|
||||||
|
try{
|
||||||
|
d = document.getElementById('authcode');
|
||||||
|
d.focus();
|
||||||
|
} catch(e){}
|
||||||
|
}, 200);
|
||||||
|
</script>
|
||||||
|
<?php
|
||||||
|
submit_button( __( 'Authenticate', 'two-factor' ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns a base32 encoded string.
|
||||||
|
*
|
||||||
|
* @param string $string String to be encoded using base32.
|
||||||
|
*
|
||||||
|
* @return string base32 encoded string without padding.
|
||||||
|
*/
|
||||||
|
public static function base32_encode( $string ) {
|
||||||
|
if ( empty( $string ) ) {
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
|
||||||
|
$binary_string = '';
|
||||||
|
|
||||||
|
foreach ( str_split( $string ) as $character ) {
|
||||||
|
$binary_string .= str_pad( base_convert( ord( $character ), 10, 2 ), 8, '0', STR_PAD_LEFT );
|
||||||
|
}
|
||||||
|
|
||||||
|
$five_bit_sections = str_split( $binary_string, 5 );
|
||||||
|
$base32_string = '';
|
||||||
|
|
||||||
|
foreach ( $five_bit_sections as $five_bit_section ) {
|
||||||
|
$base32_string .= self::$base_32_chars[ base_convert( str_pad( $five_bit_section, 5, '0' ), 2, 10 ) ];
|
||||||
|
}
|
||||||
|
|
||||||
|
return $base32_string;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Decode a base32 string and return a binary representation
|
||||||
|
*
|
||||||
|
* @param string $base32_string The base 32 string to decode.
|
||||||
|
*
|
||||||
|
* @throws Exception If string contains non-base32 characters.
|
||||||
|
*
|
||||||
|
* @return string Binary representation of decoded string
|
||||||
|
*/
|
||||||
|
public static function base32_decode( $base32_string ) {
|
||||||
|
|
||||||
|
$base32_string = strtoupper( $base32_string );
|
||||||
|
|
||||||
|
if ( ! preg_match( '/^[' . self::$base_32_chars . ']+$/', $base32_string, $match ) ) {
|
||||||
|
throw new Exception( 'Invalid characters in the base32 string.' );
|
||||||
|
}
|
||||||
|
|
||||||
|
$l = strlen( $base32_string );
|
||||||
|
$n = 0;
|
||||||
|
$j = 0;
|
||||||
|
$binary = '';
|
||||||
|
|
||||||
|
for ( $i = 0; $i < $l; $i++ ) {
|
||||||
|
|
||||||
|
$n = $n << 5; // Move buffer left by 5 to make room.
|
||||||
|
$n = $n + strpos( self::$base_32_chars, $base32_string[ $i ] ); // Add value into buffer.
|
||||||
|
$j += 5; // Keep track of number of bits in buffer.
|
||||||
|
|
||||||
|
if ( $j >= 8 ) {
|
||||||
|
$j -= 8;
|
||||||
|
$binary .= chr( ( $n & ( 0xFF << $j ) ) >> $j );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $binary;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Used with usort to sort an array by distance from 0
|
||||||
|
*
|
||||||
|
* @param int $a First array element.
|
||||||
|
* @param int $b Second array element.
|
||||||
|
*
|
||||||
|
* @return int -1, 0, or 1 as needed by usort
|
||||||
|
*/
|
||||||
|
private static function abssort( $a, $b ) {
|
||||||
|
$a = abs( $a );
|
||||||
|
$b = abs( $b );
|
||||||
|
if ( $a === $b ) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return ( $a < $b ) ? -1 : 1;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,12 @@
|
|||||||
|
#security-keys-section .wp-list-table {
|
||||||
|
margin-bottom: 2em;
|
||||||
|
}
|
||||||
|
|
||||||
|
#security-keys-section .register-security-key .spinner {
|
||||||
|
float: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
#security-keys-section .security-key-status {
|
||||||
|
vertical-align: middle;
|
||||||
|
font-style: italic;
|
||||||
|
}
|
@ -0,0 +1,150 @@
|
|||||||
|
/* global window, document, jQuery, inlineEditL10n, ajaxurl */
|
||||||
|
var inlineEditKey;
|
||||||
|
|
||||||
|
( function( $ ) {
|
||||||
|
inlineEditKey = {
|
||||||
|
|
||||||
|
init: function() {
|
||||||
|
var t = this,
|
||||||
|
row = $( '#security-keys-section #inline-edit' );
|
||||||
|
|
||||||
|
t.what = '#key-';
|
||||||
|
|
||||||
|
$( '#security-keys-section #the-list' ).on( 'click', 'a.editinline', function() {
|
||||||
|
inlineEditKey.edit( this );
|
||||||
|
return false;
|
||||||
|
} );
|
||||||
|
|
||||||
|
// Prepare the edit row.
|
||||||
|
row.keyup( function( event ) {
|
||||||
|
if ( 27 === event.which ) {
|
||||||
|
return inlineEditKey.revert();
|
||||||
|
}
|
||||||
|
} );
|
||||||
|
|
||||||
|
$( 'a.cancel', row ).click( function() {
|
||||||
|
return inlineEditKey.revert();
|
||||||
|
} );
|
||||||
|
|
||||||
|
$( 'a.save', row ).click( function() {
|
||||||
|
return inlineEditKey.save( this );
|
||||||
|
} );
|
||||||
|
|
||||||
|
$( 'input, select', row ).keydown( function( event ) {
|
||||||
|
if ( 13 === event.which ) {
|
||||||
|
return inlineEditKey.save( this );
|
||||||
|
}
|
||||||
|
} );
|
||||||
|
},
|
||||||
|
|
||||||
|
toggle: function( el ) {
|
||||||
|
var t = this;
|
||||||
|
|
||||||
|
if ( 'none' === $( t.what + t.getId( el ) ).css( 'display' ) ) {
|
||||||
|
t.revert();
|
||||||
|
} else {
|
||||||
|
t.edit( el );
|
||||||
|
}
|
||||||
|
},
|
||||||
|
|
||||||
|
edit: function( id ) {
|
||||||
|
var editRow, rowData, val,
|
||||||
|
t = this;
|
||||||
|
t.revert();
|
||||||
|
|
||||||
|
if ( 'object' === typeof id ) {
|
||||||
|
id = t.getId( id );
|
||||||
|
}
|
||||||
|
|
||||||
|
editRow = $( '#inline-edit' ).clone( true );
|
||||||
|
rowData = $( '#inline_' + id );
|
||||||
|
|
||||||
|
$( 'td', editRow ).attr( 'colspan', $( 'th:visible, td:visible', '#security-keys-section .widefat thead' ).length );
|
||||||
|
|
||||||
|
$( t.what + id ).hide().after( editRow ).after( '<tr class="hidden"></tr>' );
|
||||||
|
|
||||||
|
val = $( '.name', rowData );
|
||||||
|
val.find( 'img' ).replaceWith( function() {
|
||||||
|
return this.alt;
|
||||||
|
} );
|
||||||
|
val = val.text();
|
||||||
|
$( ':input[name="name"]', editRow ).val( val );
|
||||||
|
|
||||||
|
$( editRow ).attr( 'id', 'edit-' + id ).addClass( 'inline-editor' ).show();
|
||||||
|
$( '.ptitle', editRow ).eq( 0 ).focus();
|
||||||
|
|
||||||
|
return false;
|
||||||
|
},
|
||||||
|
|
||||||
|
save: function( id ) {
|
||||||
|
var params, fields;
|
||||||
|
|
||||||
|
if ( 'object' === typeof id ) {
|
||||||
|
id = this.getId( id );
|
||||||
|
}
|
||||||
|
|
||||||
|
$( '#security-keys-section table.widefat .spinner' ).addClass( 'is-active' );
|
||||||
|
|
||||||
|
params = {
|
||||||
|
action: 'inline-save-key',
|
||||||
|
keyHandle: id,
|
||||||
|
user_id: window.u2fL10n.user_id
|
||||||
|
};
|
||||||
|
|
||||||
|
fields = $( '#edit-' + id ).find( ':input' ).serialize();
|
||||||
|
params = fields + '&' + $.param( params );
|
||||||
|
|
||||||
|
// Make ajax request.
|
||||||
|
$.post( ajaxurl, params,
|
||||||
|
function( r ) {
|
||||||
|
var row, newID;
|
||||||
|
$( '#security-keys-section table.widefat .spinner' ).removeClass( 'is-active' );
|
||||||
|
|
||||||
|
if ( r ) {
|
||||||
|
if ( -1 !== r.indexOf( '<tr' ) ) {
|
||||||
|
$( inlineEditKey.what + id ).siblings( 'tr.hidden' ).addBack().remove();
|
||||||
|
newID = $( r ).attr( 'id' );
|
||||||
|
|
||||||
|
$( '#edit-' + id ).before( r ).remove();
|
||||||
|
|
||||||
|
if ( newID ) {
|
||||||
|
row = $( '#' + newID );
|
||||||
|
} else {
|
||||||
|
row = $( inlineEditKey.what + id );
|
||||||
|
}
|
||||||
|
|
||||||
|
row.hide().fadeIn();
|
||||||
|
} else {
|
||||||
|
$( '#edit-' + id + ' .inline-edit-save .error' ).html( r ).show();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$( '#edit-' + id + ' .inline-edit-save .error' ).html( inlineEditL10n.error ).show();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
);
|
||||||
|
return false;
|
||||||
|
},
|
||||||
|
|
||||||
|
revert: function() {
|
||||||
|
var id = $( '#security-keys-section table.widefat tr.inline-editor' ).attr( 'id' );
|
||||||
|
|
||||||
|
if ( id ) {
|
||||||
|
$( '#security-keys-section table.widefat .spinner' ).removeClass( 'is-active' );
|
||||||
|
$( '#' + id ).siblings( 'tr.hidden' ).addBack().remove();
|
||||||
|
id = id.replace( /\w+\-/, '' );
|
||||||
|
$( this.what + id ).show();
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
},
|
||||||
|
|
||||||
|
getId: function( o ) {
|
||||||
|
var id = 'TR' === o.tagName ? o.id : $( o ).parents( 'tr' ).attr( 'id' );
|
||||||
|
return id.replace( /\w+\-/, '' );
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
$( document ).ready( function() {
|
||||||
|
inlineEditKey.init();
|
||||||
|
} );
|
||||||
|
}( jQuery ) );
|
48
wp-content/plugins/two-factor/providers/js/fido-u2f-admin.js
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
/* global window, u2fL10n, jQuery */
|
||||||
|
( function( $ ) {
|
||||||
|
var $button = $( '#register_security_key' );
|
||||||
|
var $statusNotice = $( '#security-keys-section .security-key-status' );
|
||||||
|
var u2fSupported = ( window.u2f && 'register' in window.u2f );
|
||||||
|
|
||||||
|
if ( ! u2fSupported ) {
|
||||||
|
$statusNotice.text( u2fL10n.text.u2f_not_supported );
|
||||||
|
}
|
||||||
|
|
||||||
|
$button.click( function() {
|
||||||
|
var registerRequest;
|
||||||
|
|
||||||
|
if ( $( this ).prop( 'disabled' ) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$( this ).prop( 'disabled', true );
|
||||||
|
$( '.register-security-key .spinner' ).addClass( 'is-active' );
|
||||||
|
$statusNotice.text( '' );
|
||||||
|
|
||||||
|
registerRequest = {
|
||||||
|
version: u2fL10n.register.request.version,
|
||||||
|
challenge: u2fL10n.register.request.challenge
|
||||||
|
};
|
||||||
|
|
||||||
|
window.u2f.register( u2fL10n.register.request.appId, [ registerRequest ], u2fL10n.register.sigs, function( data ) {
|
||||||
|
$( '.register-security-key .spinner' ).removeClass( 'is-active' );
|
||||||
|
$button.prop( 'disabled', false );
|
||||||
|
|
||||||
|
if ( data.errorCode ) {
|
||||||
|
if ( u2fL10n.text.error_codes[ data.errorCode ] ) {
|
||||||
|
$statusNotice.text( u2fL10n.text.error_codes[ data.errorCode ] );
|
||||||
|
} else {
|
||||||
|
$statusNotice.text( u2fL10n.text.error_codes[ u2fL10n.text.error ] );
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$( '#do_new_security_key' ).val( 'true' );
|
||||||
|
$( '#u2f_response' ).val( JSON.stringify( data ) );
|
||||||
|
|
||||||
|
// See: http://stackoverflow.com/questions/833032/submit-is-not-a-function-error-in-javascript
|
||||||
|
$( '<form>' )[0].submit.call( $( '#your-profile' )[0] );
|
||||||
|
} );
|
||||||
|
} );
|
||||||
|
}( jQuery ) );
|
16
wp-content/plugins/two-factor/providers/js/fido-u2f-login.js
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
/* global window, u2f, u2fL10n, jQuery */
|
||||||
|
( function( $ ) {
|
||||||
|
if ( ! window.u2fL10n ) {
|
||||||
|
window.console.error( 'u2fL10n is not defined' );
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
u2f.sign( u2fL10n.request[0].appId, u2fL10n.request[0].challenge, u2fL10n.request, function( data ) {
|
||||||
|
if ( data.errorCode ) {
|
||||||
|
window.console.error( 'Registration Failed', data.errorCode );
|
||||||
|
} else {
|
||||||
|
$( '#u2f_response' ).val( JSON.stringify( data ) );
|
||||||
|
$( '#loginform' ).submit();
|
||||||
|
}
|
||||||
|
} );
|
||||||
|
}( jQuery ) );
|
44
wp-content/plugins/two-factor/readme.txt
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
=== Two-Factor ===
|
||||||
|
Contributors: georgestephanis, valendesigns, stevenkword, extendwings, sgrant, aaroncampbell, johnbillion, stevegrunwell, netweb, kasparsd, alihusnainarshad, passoniate
|
||||||
|
Tags: two factor, two step, authentication, login, totp, fido u2f, u2f, email, backup codes, 2fa, yubikey
|
||||||
|
Requires at least: 4.3
|
||||||
|
Tested up to: 6.0
|
||||||
|
Requires PHP: 5.6
|
||||||
|
Stable tag: 0.7.3
|
||||||
|
|
||||||
|
Enable Two-Factor Authentication using time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email and backup verification codes.
|
||||||
|
|
||||||
|
== Description ==
|
||||||
|
|
||||||
|
Use the "Two-Factor Options" section under "Users" → "Your Profile" to enable and configure one or multiple two-factor authentication providers for your account:
|
||||||
|
|
||||||
|
- Email codes
|
||||||
|
- Time Based One-Time Passwords (TOTP)
|
||||||
|
- FIDO Universal 2nd Factor (U2F)
|
||||||
|
- Backup Codes
|
||||||
|
- Dummy Method (only for testing purposes)
|
||||||
|
|
||||||
|
For more history, see [this post](https://georgestephanis.wordpress.com/2013/08/14/two-cents-on-two-factor/).
|
||||||
|
|
||||||
|
= Actions & Filters =
|
||||||
|
|
||||||
|
Here is a list of action and filter hooks provided by the plugin:
|
||||||
|
|
||||||
|
- `two_factor_providers` filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.
|
||||||
|
- `two_factor_enabled_providers_for_user` filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
|
||||||
|
- `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow.
|
||||||
|
- `two_factor_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated.
|
||||||
|
|
||||||
|
== Screenshots ==
|
||||||
|
|
||||||
|
1. Two-factor options under User Profile.
|
||||||
|
2. U2F Security Keys section under User Profile.
|
||||||
|
3. Email Code Authentication during WordPress Login.
|
||||||
|
|
||||||
|
== Get Involved ==
|
||||||
|
|
||||||
|
Development happens [on GitHub](https://github.com/wordpress/two-factor/).
|
||||||
|
|
||||||
|
== Changelog ==
|
||||||
|
|
||||||
|
See the [release history](https://github.com/wordpress/two-factor/releases).
|
48
wp-content/plugins/two-factor/two-factor.php
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* Two Factor
|
||||||
|
*
|
||||||
|
* @package Two_Factor
|
||||||
|
* @author Plugin Contributors
|
||||||
|
* @copyright 2020 Plugin Contributors
|
||||||
|
* @license GPL-2.0-or-later
|
||||||
|
*
|
||||||
|
* @wordpress-plugin
|
||||||
|
* Plugin Name: Two Factor
|
||||||
|
* Plugin URI: https://wordpress.org/plugins/two-factor/
|
||||||
|
* Description: Two-Factor Authentication using time-based one-time passwords, Universal 2nd Factor (FIDO U2F), email and backup verification codes.
|
||||||
|
* Author: Plugin Contributors
|
||||||
|
* Version: 0.7.3
|
||||||
|
* Author URI: https://github.com/wordpress/two-factor/graphs/contributors
|
||||||
|
* Network: True
|
||||||
|
* Text Domain: two-factor
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Shortcut constant to the path of this file.
|
||||||
|
*/
|
||||||
|
define( 'TWO_FACTOR_DIR', plugin_dir_path( __FILE__ ) );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Version of the plugin.
|
||||||
|
*/
|
||||||
|
define( 'TWO_FACTOR_VERSION', '0.7.3' );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Include the base class here, so that other plugins can also extend it.
|
||||||
|
*/
|
||||||
|
require_once TWO_FACTOR_DIR . 'providers/class-two-factor-provider.php';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Include the core that handles the common bits.
|
||||||
|
*/
|
||||||
|
require_once TWO_FACTOR_DIR . 'class-two-factor-core.php';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* A compatability layer for some of the most-used plugins out there.
|
||||||
|
*/
|
||||||
|
require_once TWO_FACTOR_DIR . 'class-two-factor-compat.php';
|
||||||
|
|
||||||
|
$two_factor_compat = new Two_Factor_Compat();
|
||||||
|
|
||||||
|
Two_Factor_Core::add_hooks( $two_factor_compat );
|
42
wp-content/plugins/two-factor/user-edit.css
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
|
||||||
|
.two-factor-methods-table {
|
||||||
|
background-color: #fff;
|
||||||
|
border: 1px solid #e5e5e5;
|
||||||
|
border-spacing: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table thead,
|
||||||
|
.two-factor-methods-table tfoot {
|
||||||
|
background: #fff;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table thead th {
|
||||||
|
padding: 0.5em;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table .col-primary,
|
||||||
|
.two-factor-methods-table .col-enabled {
|
||||||
|
width: 5%;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table .col-name {
|
||||||
|
width: 90%;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table tbody th {
|
||||||
|
text-align: center;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table tbody th,
|
||||||
|
.two-factor-methods-table tbody td {
|
||||||
|
vertical-align: top;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table tbody tr:nth-child(odd) {
|
||||||
|
background-color: #f9f9f9;
|
||||||
|
}
|
||||||
|
|
||||||
|
.two-factor-methods-table .two-factor-method-label {
|
||||||
|
display: block;
|
||||||
|
font-weight: 700;
|
||||||
|
}
|