Allow creating/verifying/using one-time use backup keys (type: plain,…

… onetime: true). #35
mydnshost · Nov 11, 2018 · 6cf1a8f · 6cf1a8f
1 parent bad6c98
commit 6cf1a8f
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 5 deletions.
diff --git a/web/1.0/index.php b/web/1.0/index.php
@@ -220,22 +220,25 @@ function getKnownDevice($user, &$context) {
 		$user = User::loadFromEmail($context['db'], $_SERVER['PHP_AUTH_USER']);
 
 		if ($user !== FALSE && $user->checkPassword($_SERVER['PHP_AUTH_PW'])) {
-			$keys = TwoFactorKey::getSearch($context['db'])->where('user_id', $user->getID())->where('active', 'true')->find('key');
+			$possibleKeys = TwoFactorKey::getSearch($context['db'])->where('user_id', $user->getID())->where('active', 'true')->find('key');
 
 			// Don't check 2FA keys if we have a valid saved device.
 			getKnownDevice($user, $context);
 			if (isset($context['device'])) {
-				$keys = [];
+				$possibleKeys = [];
 			}
 
+			$keys = [];
+			foreach ($possibleKeys as $key) { if ($key->isUsableKey()) { $keys[] = $key; } }
+
 			$valid = true;
 			if (count($keys) > 0) {
 				$valid = false;
 				$testCode = isset($_SERVER['HTTP_X_2FA_KEY']) ? $_SERVER['HTTP_X_2FA_KEY'] : NULL;
 
 				if ($testCode !== NULL) {
 					foreach ($keys as $key) {
-						if ($key->isUsableKey() && $key->verify($testCode, 1)) {
+						if ($key->verify($testCode, 1)) {
 							$valid = true;
 							$key->setLastUsed(time())->save();
 

diff --git a/web/1.0/methods/useradmin.php b/web/1.0/methods/useradmin.php
@@ -441,6 +441,7 @@ protected function get2FAKeys($user) {
 				if ($v->isActive()) {
 					unset($result[$k]['key']);
 				}
+				$result[$k]['usable'] = $v->isUsableKey();
 			}
 
 			$this->getContextKey('response')->data($result);
@@ -482,7 +483,26 @@ protected function get2FAKey($user, $key) {
 		}
 
 		protected function create2FAKey($user) {
-			$key = (new TwoFactorKey($this->getContextKey('db')))->setKey(TRUE)->setUserID($user->getID())->setCreated(time());
+			$key = (new TwoFactorKey($this->getContextKey('db')))->setUserID($user->getID())->setCreated(time());
+
+			$data = $this->getContextKey('data');
+			if (isset($data['data']['type'])) {
+				$key->setType($data['data']['type']);
+			}
+
+			if (isset($data['data']['onetime'])) {
+				$key->setOneTime($data['data']['onetime']);
+			}
+
+			// Some keys in future may allow this, for now do not.
+			$canSetSecret = false;
+
+			if ($canSetSecret && isset($data['data']['secret'])) {
+				$key->setKey($data['data']['secret']);
+			} else {
+				$key->setKey(TRUE);
+			}
+
 			return $this->update2FAKey($user, $key, true);
 		}
 
@@ -564,7 +584,10 @@ protected function verify2FAKey($user, $key) {
 			}
 
 			// Activate the key once verified.
-			$key->setActive(true)->setLastUsed(time())->save();
+			$key->setActive(true);
+			if (!$key->isOneTime()) { $key->setLastUsed(time()); }
+			$key->save();
+
 			$this->getContextKey('response')->data(['success' => 'Valid code provided.']);
 
 			return TRUE;