marcins / cf-google-authenticator Goto Github PK

ColdFusion implementation of Google Authenticator One Time Passwords

License: MIT License

ColdFusion 100.00%

cf-google-authenticator's Introduction

This is a ColdFusion native implementation of RFC6238 (TOTP: Time-Based One-Time Password Algorithm) specifically designed to work with the Google Authenticator app. You can use this for providing Two Factor Authentication for your applications.

It has been tested on Adobe Coldfusion 10 because that's what I run locally. It uses a few Java classes and bit twiddling, so YMMV on Railo. It should work on CF9, I don't think I've done anything CF10 specific - but feel free to do a Pull Request if there's a small change required to make this work on CF9 or Railo!

Background

Roughly speaking the Google Authenticator system works by using a shared secret, and a time interval. The time interval is simply the number of 30 second intervals that have passed since the UNIX epoch (1/1/1970). The shared secret, at least as far as what is required for the Google Authenticator client, is a Base32 encoding of an 80-bit value.

To use the Google Authenticator in your own app you would do something like:

when a user turns on Two Factor Authentication you generate the secret using the generateKey function, you must pass a string that is used as the base for the key, as well as optionally a 16-byte salt. If you omit the salt then Java's SecureRandom generator is used to generate one (this is recommended). You would use something unique to the user as the password - ideally you would get them to verify their password and use this, since you're not storing this.
store the key in the database against the user record - you will need this when you want to verify the One Time Password (OTP) the user has entered
the Google Authenticator app allows you to enter a new token using either manual entry or a QRCode - there is a function getOTPURL that takes an email address (or other user identifier) and the user's secret key and returns a URL you can encode into a QRCode. There's a sample in the project that uses a Javascript based QRCode generator.
when you want to verify the user's token you get the value from the user and then can use verifyGoogleToken - this takes the secret you will have saved in the database, the value the user has entered and a grace period. A boolean will be returned. The grace period is the number of previous values for the token that are allowed. This is useful when the user enters their token just as it ticks over, or they have a slight clock mismatch compared to your server. Generally you'd only allow a grace of 1 or 2 at most.

The index.cfm file mentions a blog post that no longer exists, I've put the contents of that blog into this repo.

Implementation notes

This is a purely "native" CF solution - I could've saved some code and time by using Apache Commons Codec to implement Base32 encoding/decoding, however the version bundled with ACF10 is v1.3 and Base32 was added in v1.5 - I didn't want to introduce another dependency. In fact, the whole project might've been better to be implemented as a Java library since it makes so much use of Java arrays, bit twiddling, etc! Still it was a fun coding exercise!

Notes on security

This should only be used as verification of a user's login, not as a primary authentication mechanism.
Never display the expected value of the user's token

Samples

There's a simple sample in the project where you can generate a secret key and then see the token values for that key (and compare to the Authenticator app). This sample is definitely not best practice or recommended to be used for anything other than playing around.

The samples use qrcode.js.

Tests

There are some mxunit based tests that can be run from /tests/index.cfm. They assume that mxunit is mapped at the server level to /mxunit. If we had Railo CLI I could make them not depend on a web server!

Licence

The MIT License (MIT)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

cf-google-authenticator's People

Contributors

Stargazers

Watchers

cf-google-authenticator's Issues

InaccessibleObjectException Error On Coldfusion 2023

When testing this code on Coldfusion 2023, I recieved this error:

ava.lang.reflect.InaccessibleObjectException: Unable to make public boolean com.sun.crypto.provider.PBKDF2KeyImpl.equals(java.lang.Object) accessible: module java.base does not "opens com.sun.crypto.provider" to unnamed module @21e45a6f

The error occurred in E:/Websites/AdminCopy23/Lib/cfc/Admin/Manage/authenticator/GoogleAuthenticator.cfc: line 140
138 : var keySpec = createObject("java", "javax.crypto.spec.PBEKeySpec").init(arguments.password.toCharArray(), salt, 128, 80); 139 : var secretKey = keyFactory.generateSecret(keySpec); 140 : return Base32encode(secretKey.getEncoded()); 141 : } 142 :

From what I've read here:

https://stackoverflow.com/questions/41265266/how-to-solve-inaccessibleobjectexception-unable-to-make-member-accessible-m

This could be caused by the introduction of "Java Platform Module System that was introduced in Java 9, particularly its implementation of strong encapsulation. It only allows access under certain conditions, the most prominent ones are:

the type has to be public
the owning package has to be exported"

I'm puzzled in that this cfc works in CF 2018 which uses Java 10.

Internal Server Error 500 - CF9 on Win2k12 x64

Hi all,

I have installed the cf-google-authenticator on our win2k12 x64 cf9 server.

I received following error message after clicking "Generate" on sample/sample_generate.cfm:

Invalid CFML construct found on line 126 at column 80.

ColdFusion was looking at the following text:
[

The CFML compiler was processing:

A script statement beginning with public on line 126, column 5.

The error occurred in D:\PATH\authenticator\authenticator\GoogleAuthenticator.cfc: line 126
125 : 
126 :     public string function generateKey (required string password, array salt = [])
127 :     {
128 :         if (arrayLen(salt) == 0)

Resources:
Check the ColdFusion documentation to verify that you are using the correct syntax.
Search the Knowledge Base to find a solution to your problem.
Browser     Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
Remote Address  1.2.3.4
Referrer    http://URL.org/authenticator/sample/sample_generate.cfm
Date/Time   31-Jul-16 03:47 PM
Stack Trace
at cfsample_generate2ecfm178615731.runPage(D:\PATH\authenticator\sample\sample_generate.cfm:26) 

coldfusion.compiler.ParseException: Invalid CFML construct found on line 126 at column 80.

I changed following in authenticator\GoogleAuthenticator.cfc:

124 :    force_empty_salt = [];
125 :
126 :    public string function generateKey (required string password, array salt = force_empty_salt)

And voilà, i received the QR code.

SHA1 no longer allowed in some environments

Because of the crack of SHA1, NIST is now preventing its use on federal websites. I took a quick run at it but was unable to get it to work correctly. Maybe someone can figure out how to get this to work with SHA256 or SHA512?

cf-google-authenticator

G'day - I'm just checking as to how current the Google Authenticator is with regards to the latest version of Google OTP and/or Coldfusion.

Clock synchronization

I've been using this component for over a year without any issue until today. Today I ran into an issue where the server was out-of-sync with the UTC clock by 10 seconds -- 10 seconds behind. This created an issue of failures because the token provided by the user was the next token as far as the component was concerned. I corrected this by adjusting the verifyGoogleToken function:

/**
* Verifies the submitted value from the user against the user secret, with optional grace for the last few
* token values
*
* @param base32secret the Base32 encoded shared secret key
* @param userValue the value that the user submitted
* @param grace the amount of previous tokens to allow (1 means allow the current, next, and last token value)
* @return a boolean whether the token was valid or not
*/
public boolean function verifyGoogleToken (required string base32Secret, required string userValue, numeric grace = 0)
{
	var result = false;
    for (var i = 0; i <= grace; i++)
    {
        result = result
				or (getGoogleToken(base32Secret, -i) == userValue)
				or (getGoogleToken(base32Secret, -i-120) == userValue)		// DST switch-over adjustment - an hour ago
				or (getGoogleToken(base32Secret, -i+120) == userValue);		// DST switch-over adjustment - an hour from now

    }
	if(!result)
	{
		// check for next token in case of clocks not being synchronized to the exact UTC millisecond - only kicks in if grace>0
		for (var i = 1; i <= grace; i++)
		{
			result = result
					or (getGoogleToken(base32Secret, i) == userValue)
					or (getGoogleToken(base32Secret, i-120) == userValue)		// DST switch-over adjustment - an hour ago
					or (getGoogleToken(base32Secret, i+120) == userValue);		// DST switch-over adjustment - an hour from now
		
		}
	}
    return result;
}

Bad Var

Change line 84 from

public string function getOneTimeToken (required string Secret, required numeric counter)

public string function getOneTimeToken (required string base32Secret, required numeric counter)