Authy does technically also validate as a regular code... #35

mydnshost · Mar 10, 2019 · 9b7b9d0 · 9b7b9d0
1 parent 4db0d72
commit 9b7b9d0
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 4 deletions.
diff --git a/admin/init_functions.php b/admin/init_functions.php
@@ -431,6 +431,14 @@ public function run($pdo) {
 			$dataChanges[26] = new DBChange(<<<MYSQLQUERY
 ALTER TABLE `twofactorkeys` ADD COLUMN `push` ENUM('false', 'true') NOT NULL DEFAULT 'false' AFTER `active`;
 MYSQLQUERY
+);
+
+			// ------------------------------------------------------------------------
+			// 2FA Key "code-based" keys.
+			// ------------------------------------------------------------------------
+			$dataChanges[27] = new DBChange(<<<MYSQLQUERY
+ALTER TABLE `twofactorkeys` ADD COLUMN `code` ENUM('false', 'true') NOT NULL DEFAULT 'true' AFTER `active`;
+MYSQLQUERY
 );
 
 			return $dataChanges;

diff --git a/classes/twofactorkey.php b/classes/twofactorkey.php
@@ -14,6 +14,7 @@ class TwoFactorKey extends DBObject {
 	                             'lastused' => 0,
 	                             'expires' => 0,
 	                             'active' => false,
+	                             'code' => true,
 	                             'push' => false,
 	                             'type' => 'rfc6238',
 	                             'onetime' => false,
@@ -158,6 +159,10 @@ public function setType($value) {
 		return $this->setData('type', strtolower($value));
 	}
 
+	public function setCode($value) {
+		return $this->setData('code', parseBool($value) ? 'true' : 'false');
+	}
+
 	public function setPush($value) {
 		return $this->setData('push', parseBool($value) ? 'true' : 'false');
 	}
@@ -210,6 +215,10 @@ public function getType() {
 		return $this->getData('type');
 	}
 
+	public function isCode() {
+		return parseBool($this->getData('code'));
+	}
+
 	public function isPush() {
 		return parseBool($this->getData('push'));
 	}
@@ -304,8 +313,8 @@ public function validate() {
 	}
 
 	public function verify($code, $discrepancy = 1) {
-		// Push-Based tokens don't verify with a code.
-		if ($this->isPush()) { return FALSE; }
+		// Only allow code-based tokens.
+		if (!$this->isCode()) { return FALSE; }
 
 		$type = $this->getType();
 		switch ($type) {
@@ -318,6 +327,9 @@ public function verify($code, $discrepancy = 1) {
 			case "yubikeyotp":
 				return $this->verify_yubikey($code);
 
+			case "authy":
+				return $this->verify_authycode($code);
+
 			default:
 				throw new Exception('Unknown key type: ' . $type);
 		}
@@ -419,8 +431,21 @@ private function verify_authypush($message) {
 		return FALSE;
 	}
 
-	public function postDelete() {
+	private function verify_authycode($code) {
 		global $config;
+		if (!self::canUseAuthy()) { return FALSE; }
+
+		$authy_api = new Authy\AuthyApi($config['twofactor']['authy']['apikey']);
+
+		$verification = $authy_api->verifyToken($this->getKey(), $code);
+
+		return $verification->ok();
+	}
+
+	public function postDelete($result) {
+		global $config;
+
+		if (!$result) { return; }
 
 		if ($this->getType() == 'authy' && self::canUseAuthy()) {
 			$authy_api = new Authy\AuthyApi($config['twofactor']['authy']['apikey']);

diff --git a/web/1.0/index.php b/web/1.0/index.php
@@ -186,7 +186,7 @@
 
 				if ($testCode !== NULL) {
 					foreach ($keys as $key) {
-						if (!$key->isPush() && $key->verify($testCode, 1)) {
+						if ($key->isCode() && $key->verify($testCode, 1)) {
 							$valid = true;
 							$key->setLastUsed(time())->save();