Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Google Authenticator for WordPress - patch(es)
<?php
/*
Plugin Name: Google Authenticator
Plugin URI: http://henrik.schack.dk/google-authenticator-for-wordpress
Description: Two-Factor Authentication for WordPress using the Android/iPhone/Blackberry app as One Time Password generator.
Author: Henrik Schack
Version: 0.37
Author URI: http://henrik.schack.dk/
Compatibility: WordPress 3.2.1
Text Domain: google-authenticator
Domain Path: /lang
----------------------------------------------------------------------------
Thanks to Bryan Ruiz for his Base32 encode/decode class, found at php.net.
Thanks to Tobias B�thge for his major code rewrite and German translation.
Thanks to Pascal de Bruijn for his relaxed mode idea.
----------------------------------------------------------------------------
Copyright 2011 Henrik Schack (email : henrik@schack.dk)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
class GoogleAuthenticator {
static $instance; // to store a reference to the plugin, allows other plugins to remove actions
/**
* Constructor, entry point of the plugin
*/
function __construct() {
self::$instance = $this;
add_action( 'init', array( $this, 'init' ) );
}
/**
* Initialization, Hooks, and localization
*/
function init() {
require_once( 'base32.php' );
add_action( 'login_form', array( $this, 'loginform' ) );
add_filter( 'authenticate', array( $this, 'check_otp' ), 50, 3 );
if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
add_action( 'wp_ajax_GoogleAuthenticator_action', array( $this, 'ajax_callback' ) );
add_action( 'personal_options_update', array( $this, 'personal_options_update' ) );
add_action( 'profile_personal_options', array( $this, 'profile_personal_options' ) );
add_action( 'edit_user_profile', array( $this, 'edit_user_profile' ) );
add_action( 'edit_user_profile_update', array( $this, 'edit_user_profile_update' ) );
load_plugin_textdomain( 'google-authenticator', false, basename( dirname( __FILE__ ) ) . '/lang' );
}
/**
* Check the verification code entered by the user.
*/
function verify( $secretkey, $thistry, $relaxedmode ) {
// If user is running in relaxed mode, we allow more time drifting
// �4 min, as opposed to � 30 seconds in normal mode.
if ( $relaxedmode == 'enabled' ) {
$firstcount = -8;
$lastcount = 8;
} else {
$firstcount = -1;
$lastcount = 1;
}
$tm = floor( time() / 30 );
$secretkey=Base32::decode($secretkey);
// Keys from 30 seconds before and after are valid aswell.
for ($i=$firstcount; $i<=$lastcount; $i++) {
// Pack time into binary string
$time=chr(0).chr(0).chr(0).chr(0).pack('N*',$tm+$i);
// Hash it with users secret key
$hm = hash_hmac( 'SHA1', $time, $secretkey, true );
// Use last nipple of result as index/offset
$offset = ord(substr($hm,-1)) & 0x0F;
// grab 4 bytes of the result
$hashpart=substr($hm,$offset,4);
// Unpak binary value
$value=unpack("N",$hashpart);
$value=$value[1];
// Only 32 bits
$value = $value & 0x7FFFFFFF;
$value = $value % 1000000;
if ( $value == $thistry ) {
return true;
}
}
return false;
}
/**
* Create a new random secret for the Google Authenticator app.
* 16 characters, randomly chosen from the allowed Base32 characters
* equals 10 bytes = 80 bits, as 256^10 = 32^16 = 2^80
*/
function create_secret() {
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // allowed characters in Base32
$secret = '';
for ( $i = 0; $i < 16; $i++ ) {
$secret .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 );
}
return $secret;
}
/**
* Add verification code field to login form.
*/
function loginform() {
echo "\t<p>\n";
echo "\t\t<label><a href=\"http://code.google.com/p/google-authenticator/\" target=\"_blank\" title=\"".__('If you don\'t have Google Authenticator enabled for your WordPress account, leave this field empty.','google-authenticator')."\">".__('Google Authenticator code','google-authenticator')."</a><span id=\"google-auth-info\"></span><br />\n";
echo "\t\t<input type=\"text\" name=\"otp\" id=\"user_email\" class=\"input\" value=\"\" size=\"20\" tabindex=\"25\" /></label>\n";
echo "\t</p>\n";
}
/**
* Login form handling.
* Check Google Authenticator verification code, if user has been setup to do so.
* @param wordpressuser
* @return user/loginstatus
*/
function check_otp( $user, $username = '', $password = '' ) {
// Store result of loginprocess, so far.
$userstate = $user;
// Get information on user, we need this in case an app password has been enabled,
// since the $user var only contain an error at this point in the login flow.
$user = get_userdatabylogin( $username );
// Does the user have the Google Authenticator enabled ?
if ( trim(get_user_option( 'googleauthenticator_enabled', $user->ID ) ) == 'enabled' ) {
// Get the users secret
$GA_secret = trim( get_user_option( 'googleauthenticator_secret', $user->ID ) );
// Figure out if user is using relaxed mode ?
$GA_relaxedmode = trim( get_user_option( 'googleauthenticator_relaxedmode', $user->ID ) );
// Get the verification code entered by the user trying to login
$otp = intval( trim( $_POST[ 'otp' ] ) );
// Valid code ?
if ( $this->verify( $GA_secret, $otp, $GA_relaxedmode ) ) {
return $userstate;
} else {
// No, lets see if an app password is enabled, and this is an XMLRPC / APP login ?
if ( trim( get_user_option( 'googleauthenticator_pwdenabled', $user->ID ) ) == 'enabled' && ( defined('XMLRPC_REQUEST') || defined('APP_REQUEST') ) ) {
$GA_passwords = json_decode( get_user_option( 'googleauthenticator_passwords', $user->ID ) );
$passwordsha1 = trim($GA_passwords->{'password'} );
$usersha1 = sha1( strtoupper( str_replace( ' ', '', $password ) ) );
if ( $passwordsha1 == $usersha1 ) {
return new WP_User( $user->ID );
} else {
// Wrong XMLRPC/APP password !
return new WP_Error( 'invalid_google_authenticator_password', __( '<strong>ERROR</strong>: The Google Authenticator password is incorrect.', 'google-authenticator' ) );
}
} else {
return new WP_Error( 'invalid_google_authenticator_token', __( '<strong>ERROR</strong>: The Google Authenticator code is incorrect or has expired.', 'google-authenticator' ) );
}
}
}
// Google Authenticator isn't enabled for this account,
// just resume normal authentication.
return $userstate;
}
/**
* Extend personal profile page with Google Authenticator settings.
*/
function profile_personal_options() {
global $user_id, $is_profile_page;
$GA_secret = trim( get_user_option( 'googleauthenticator_secret', $user_id ) );
$GA_enabled = trim( get_user_option( 'googleauthenticator_enabled', $user_id ) );
$GA_relaxedmode = trim( get_user_option( 'googleauthenticator_relaxedmode', $user_id ) );
$GA_description = trim( get_user_option( 'googleauthenticator_description', $user_id ) );
$GA_pwdenabled = trim( get_user_option( 'googleauthenticator_pwdenabled', $userid ) );
$GA_password = trim( get_user_option( 'googleauthenticator_passwords', $user_id ) );
// We dont store the generated app password in cleartext so there is no point in trying
// to show the user anything except from the fact that a password exists.
if ( $GA_password != '' ) {
$GA_password = "XXXX XXXX XXXX XXXX";
}
// In case the user has no secret ready (new install), we create one.
if ( '' == $GA_secret ) {
$GA_secret = $this->create_secret();
}
// Use "WordPress Blog" as default description
if ( '' == $GA_description ) {
$GA_description = __( 'WordPress Blog', 'google-authenticator' );
}
echo "<h3>".__( 'Google Authenticator Settings', 'google-authenticator' )."</h3>\n";
echo "<table class=\"form-table\">\n";
echo "<tbody>\n";
echo "<tr>\n";
echo "<th scope=\"row\">".__( 'Active', 'google-authenticator' )."</th>\n";
echo "<td>\n";
echo "<input name=\"GA_enabled\" id=\"GA_enabled\" class=\"tog\" type=\"checkbox\"" . checked( $GA_enabled, 'enabled', false ) . "/>\n";
echo "</td>\n";
echo "</tr>\n";
// Create URL for the Google charts QR code generator.
$chl = urlencode( "otpauth://totp/{$GA_description}?secret={$GA_secret}" );
$qrcodeurl = "https://chart.googleapis.com/chart?cht=qr&amp;chs=300x300&amp;chld=H|0&amp;chl={$chl}";
if ( $is_profile_page || IS_PROFILE_PAGE ) {
echo "<tr>\n";
echo "<th scope=\"row\">".__( 'Relaxed mode', 'google-authenticator' )."</th>\n";
echo "<td>\n";
echo "<input name=\"GA_relaxedmode\" id=\"GA_relaxedmode\" class=\"tog\" type=\"checkbox\"" . checked( $GA_relaxedmode, 'enabled', false ) . "/><span class=\"description\">".__(' Relaxed mode allows for more time drifting on your phone clock (&#177;4 min).','google-authenticator')."</span>\n";
echo "</td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<th><label for=\"GA_description\">".__('Description','google-authenticator')."</label></th>\n";
echo "<td><input name=\"GA_description\" id=\"GA_description\" value=\"{$GA_description}\" type=\"text\" size=\"25\" /><span class=\"description\">".__(' Description that you\'ll see in the Google Authenticator app on your phone.','google-authenticator')."</span><br /></td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<th><label for=\"GA_secret\">".__('Secret','google-authenticator')."</label></th>\n";
echo "<td>\n";
echo "<input name=\"GA_secret\" id=\"GA_secret\" value=\"{$GA_secret}\" readonly=\"readonly\" type=\"text\" size=\"25\" />";
echo "<input name=\"GA_newsecret\" id=\"GA_newsecret\" value=\"".__("Create new secret",'google-authenticator')."\" type=\"button\" class=\"button\" />";
echo "<input name=\"show_qr\" id=\"show_qr\" value=\"".__("Show/Hide QR code",'google-authenticator')."\" type=\"button\" class=\"button\" onclick=\"jQuery('#GA_QR_INFO').toggle('slow');\" />";
echo "</td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<th></th>\n";
echo "<td><div id=\"GA_QR_INFO\" style=\"display: none\" >";
echo "<img id=\"GA_QRCODE\" src=\"{$qrcodeurl}\" alt=\"QR Code\"/>";
echo '<span class="description"><br/> ' . __( 'Scan this with the Google Authenticator app.', 'google-authenticator' ) . '</span>';
echo "</div></td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<th scope=\"row\">".__( 'Enable App password', 'google-authenticator' )."</th>\n";
echo "<td>\n";
echo "<input name=\"GA_pwdenabled\" id=\"GA_pwdenabled\" class=\"tog\" type=\"checkbox\"" . checked( $GA_pwdenabled, 'enabled', false ) . "/><span class=\"description\">".__(' Enabling an App password will decrease your overall login security.','google-authenticator')."</span>\n";
echo "</td>\n";
echo "</tr>\n";
echo "<tr>\n";
echo "<th></th>\n";
echo "<td>\n";
echo "<input name=\"GA_password\" id=\"GA_password\" readonly=\"readonly\" value=\"".$GA_password."\" type=\"text\" size=\"25\" />";
echo "<input name=\"GA_createpassword\" id=\"GA_createpassword\" value=\"".__("Create new password",'google-authenticator')."\" type=\"button\" class=\"button\" />";
echo "<span class=\"description\" id=\"GA_passworddesc\">".__(' Password is not stored in cleartext, this is your only chance to see it.','google-authenticator')."</span>\n";
echo "</td>\n";
echo "</tr>\n";
}
echo "</tbody></table>\n";
echo "<script type=\"text/javascript\">\n";
echo "var GAnonce='".wp_create_nonce('GoogleAuthenticatoraction')."';\n";
echo <<<ENDOFJS
var pwdata;
jQuery('#GA_newsecret').bind('click', function() {
var data=new Object();
data['action'] = 'GoogleAuthenticator_action';
data['nonce'] = GAnonce;
jQuery.post(ajaxurl, data, function(response) {
jQuery('#GA_secret').val(response['new-secret']);
chl=escape("otpauth://totp/"+jQuery('#GA_description').val()+"?secret="+jQuery('#GA_secret').val());
qrcodeurl="https://chart.googleapis.com/chart?cht=qr&chs=300x300&chld=H|0&chl="+chl;
jQuery('#GA_QRCODE').attr('src',qrcodeurl);
jQuery('#GA_QR_INFO').show('slow');
});
});
jQuery('#GA_description').bind('focus blur change keyup', function() {
chl=escape("otpauth://totp/"+jQuery('#GA_description').val()+"?secret="+jQuery('#GA_secret').val());
qrcodeurl="https://chart.googleapis.com/chart?cht=qr&chs=300x300&chld=H|0&chl="+chl;
jQuery('#GA_QRCODE').attr('src',qrcodeurl);
});
jQuery('#GA_createpassword').bind('click',function() {
var data=new Object();
data['action'] = 'GoogleAuthenticator_action';
data['nonce'] = GAnonce;
data['save'] = 1;
jQuery.post(ajaxurl, data, function(response) {
jQuery('#GA_password').val(response['new-secret'].match(new RegExp(".{0,4}","g")).join(' '));
jQuery('#GA_passworddesc').show();
});
});
jQuery('#GA_enabled').bind('change',function() {
GoogleAuthenticator_apppasswordcontrol();
});
jQuery(document).ready(function() {
jQuery('#GA_passworddesc').hide();
GoogleAuthenticator_apppasswordcontrol();
});
function GoogleAuthenticator_apppasswordcontrol() {
if (jQuery('#GA_enabled').is(':checked')) {
jQuery('#GA_pwdenabled').removeAttr('disabled');
jQuery('#GA_createpassword').removeAttr('disabled');
} else {
jQuery('#GA_pwdenabled').removeAttr('checked')
jQuery('#GA_pwdenabled').attr('disabled', true);
jQuery('#GA_createpassword').attr('disabled', true);
}
}
</script>
ENDOFJS;
}
/**
* Form handling of Google Authenticator options added to personal profile page (user editing his own profile)
*/
function personal_options_update() {
global $user_id;
$GA_enabled = trim( $_POST['GA_enabled'] );
$GA_relaxedmode = trim( $_POST['GA_relaxedmode'] );
$GA_secret = trim( $_POST['GA_secret'] );
$GA_pwdenabled = trim( $_POST['GA_pwdenabled'] );
$GA_password = str_replace(' ', '', trim( $_POST['GA_password'] ) );
if ( '' == $GA_enabled ) {
$GA_enabled = 'disabled';
} else {
$GA_enabled = 'enabled';
}
if ( '' == $GA_relaxedmode ) {
$GA_relaxedmode = 'disabled';
} else {
$GA_relaxedmode = 'enabled';
}
if ( '' == $GA_pwdenabled ) {
$GA_pwdenabled = 'disabled';
} else {
$GA_pwdenabled = 'enabled';
}
// Only store password if a new one has been generated.
if (strtoupper($GA_password) != 'XXXXXXXXXXXXXXXX' ) {
// Store the password in a format that can be expanded easily later on if needed.
$GA_password = array( 'appname' => 'Default', 'password' => sha1( $GA_password ) );
update_user_option( $user_id, 'googleauthenticator_passwords', json_encode( $GA_password ), true );
}
update_user_option( $user_id, 'googleauthenticator_enabled', $GA_enabled, true );
update_user_option( $user_id, 'googleauthenticator_relaxedmode', $GA_relaxedmode, true );
update_user_option( $user_id, 'googleauthenticator_secret', $GA_secret, true );
update_user_option( $user_id, 'googleauthenticator_pwdenabled', $GA_pwdenabled, true );
}
/**
* Extend profile page with ability to enable/disable Google Authenticator authentication requirement.
* Used by an administrator when editing other users.
*/
function edit_user_profile() {
global $user_id;
$GA_enabled = trim( get_user_option( 'googleauthenticator_enabled', $user_id ) );
echo "<h3>".__('Google Authenticator Settings','google-authenticator')."</h3>\n";
echo "<table class=\"form-table\">\n";
echo "<tbody>\n";
echo "<tr>\n";
echo "<th scope=\"row\">".__('Active','google-authenticator')."</th>\n";
echo "<td>\n";
echo "<div><input name=\"GA_enabled\" id=\"GA_enabled\" class=\"tog\" type=\"checkbox\"" . checked( $GA_enabled, 'enabled', false ) . "/>\n";
echo "</td>\n";
echo "</tr>\n";
echo "</tbody>\n";
echo "</table>\n";
}
/**
* Form handling of Google Authenticator options on edit profile page (admin user editing other user)
*/
function edit_user_profile_update() {
global $user_id;
$GA_enabled = trim( $_POST['GA_enabled'] );
if ( '' == $GA_enabled ) {
$GA_enabled = 'disabled';
} else {
$GA_enabled = 'enabled';
}
update_user_option( $user_id, 'googleauthenticator_enabled', $GA_enabled, true );
}
/**
* AJAX callback function used to generate new secret
*/
function ajax_callback() {
global $user_id;
// Some AJAX security
check_ajax_referer( 'GoogleAuthenticatoraction', 'nonce' );
// Create new secret, using the users password hash as input for further hashing
$secret = $this->create_secret();
$result = array( 'new-secret' => $secret );
header( 'Content-Type: application/json' );
echo json_encode( $result );
// die() is required to return a proper result
die();
}
} // end class
new GoogleAuthenticator;
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.