sonata-project / googleauthenticator Goto Github PK

Many sites are providing backup codes facility in case user has no access to their mobile device for example they have lost their device etc.. in that case backup codes are really helpful. Can we have them please?

Feature Request

I would like there to be a way to add the image of my company when exiting in the authenticator app, like facebook

my point is $secret = "XVQ2UIGO75XRUKJO";

Feature Request

I am creating an API for an application and I am using your GoogleAuth 2.x PHP to generate the Secret and then the PIN, I am then using a library for PowerShell to call the URL using a PowerShell GoogleAuth library with the Same secret. the PIN's that are created are different. Is there a setting or feature to make them the same from the same secret?

PowerShell Library https://github.com/HumanEquivalentUnit/PowerShell-Misc/blob/master/GoogleAuthenticator.psm1

Get-GoogleAuthenticatorPin -Secret 'DB2EAFQFOV34V4P'
PS PIN = 790763
PHP PIN = 997898

Hi all. I see that this repo is abandoned - silly me for not moving away from it. In the meantime, has only else noticed their the MFA implementations have suddenly broken? Not surprising if this project isn't maintained, but it seems to have suddenly started happening for my project.

Sorry for the lack of repo details at the moment, just curious if others have found this issue too.

sonata-project/google-authenticator Version 2.2.0
sonata-project/admin-bundle version: 3.67.0
Symfony version: 4.4.8

Description
Bypass 2fa by rememberme cookie

To Reproduce
When enabled in security firewall, using the remember_me (checkbox) in the login form, on submit symfony creates a cookie "REMEMBERME". That moment we get redirected to the 2fa-auth page. We have no access to the other pages.
At that moment, if we remove our SESSIONID key with the browsers cookie inspector/tool, we can go to our homepage "/admin/dashboard" and be IS_AUTHENTICED_REMEMBERED. Effectively being logged in without 2fa, bypassing the check.

If this is known, I have not found it documented.

Environment

Sonata packages

sonata-project/google-authenticator 2.3.1 2.3.1 Library to integrate Google ...

Symfony packages

no result

PHP version

7.4.15

Subject

If one creates a GoogleAuthenticator instance with a 60-seconds code period:

$authenticator = new GoogleAuthenticator(6, 20, null, 60);

it's not possible to authenticate successfully while calling the checkCode() method.

I think the issue is caused by the ability to modify the $codePeriod but not the $periodSize. If one is going to calculate codes with a codePeriod = 60 and a periodSize = 30 (by default), checkCode() and getCode() will calculate codes for double as many codes (than with a codePeriod of 30) for 30 seconds periods which leads in all cases to non-matching codes. The wrong codes are caused by the variable $timeForCode which falsely calculates the amount of periods of 30 seconds since UNIX epoch but not the amount of 60 second periods.

To solve the issue I was able to set the periodSize via Reflection. A better way would be to allow the periodSize as a formal argument to the constructor.

What's missing in the example:
Prevent replay attacks. One token should only be used once

How this can be done?

Subject

Problem with getting QR code from https://chart.googleapis.com/chart?

Actual results

502 error

Warning notes from https://developers.google.com/chart/image/

Warning: This API is deprecated and is scheduled to be turned off on March 14, 2019. Please use the actively maintained Google Charts API instead.

Due to the GoogleQrUrl::generate generating a link to api.qrserver.com secrets are shared with the owners of api.qrserver.com.

With this information the owner of api.qrserver.com can generate OTP for each user that sets up 2FA. It also has access to the username and domain depending on implementation (the deprecated GoogleAuthenticator::getUrl function encourages these variables to be send).

For a lib that intents to improve security by providing 2FA this should be a no go.

The QR code should be generated locally (either on server or client). If that is not feasible, at least developers using this library should be warned that sensitive information is shared with the owners of api.qrserver.com.

So, I found problem where qr code doesn't work on iphone.

If we increase secretLength to 32 length, then an example of secrets would be like this:
ZPOSJX4VJXYWB3Z7Y67IDXXRB57H5T2XY4S2PI3VXQPBWZQB7HBA====

This will work for android, but symbol "=" doesn't like iphone.

I have no way to extend the class GoogleAuthenticator that to change it.

`
$otpauthString = rawurlencode(sprintf($otpauthString, $label, $secret, $issuer));

    return sprintf(
        'https://api.qrserver.com/v1/create-qr-code/?size=%1$dx%1$d&data=%2$s&ecc=M',
        $size,
        $otpauthString
    ); `

Showing QR code by passing $secret to external service, visible in URL is a serious security issue.

Consider implementing https://medium.com/ampersand-academy/generate-qr-code-using-php-b4d13a9ed8dd

Subject

The Comment on Discrepancy in https://github.com/sonata-project/GoogleAuthenticator/blob/2.x/src/GoogleAuthenticator.php#L75-L78 seems wrong:

30 seconds before and after 10:00:00 should be 09:59:30 (as in comment) to 10:00:29 (which is 10:01:29 in the comment).

I used the example.php file and worked fine, thw qr code has been generatted but dont match the codes.

I already chech the time zone and server time / date and is fine.

What do I have to do now?

I successfully generate the QR code, but i can’t validate it with the function $g->checkCode().when I tried to show code its different than code on app .
this is my code to check the code typed by the user:
$g = new \Google\Authenticator\GoogleAuthenticator();
$secret =$_POST['secret'];
$user = base64_decode($_GET['u']);

  $user_data=explode(',',$user);
  $check_this_code = $_POST['code'];
  if ($g->checkCode($secret, $check_this_code)) {
      echo 'Success!';
  } else {
      echo 'Invalid login';
  }

can you help me?

Feature Request

Can you please add PHP8 compatibility to this great lib? In the composer.json it is limited to version 7.
Thanks a lot!

Hello,

I wanted to ask if the current version is compatible with PHP8 and if not for when that is expected to be the case?

Thanks in advance.

Hello, this repo is still working?

Final blocks 2.0 upgrade for scheb/two-factor-bundle#147.

Will you consider making it possible to extend?

Feature Request

I would like to know if there would be objections to making codePeriod a protected variable instead of private. This would allow for sub-classes to extend the code period. My use-case is generating a code that can be sent out in email or SMS for users without app access. Happy to submit a pull request if this seems reasonable. Thank you.

I just make a 2FA for testing purpose but the code is still verifying after the time expired.

This project has some technical design issues and critical bugs.

Since no sonata-maintainer is using this project, there is no active support on this bundle.
That's why we will be marked it as abandoned.

Feel free to ask if you want to keep this project up to date.

Example.php shows an error:

Fatal error: Uncaught Error: Interface 'Sonata\GoogleAuthenticator\GoogleAuthenticatorInterface' not found in 'GoogleAuthenticator\src\GoogleAuthenticator.php'

I fixed it by adding

include_once __DIR__.'/../src/GoogleAuthenticatorInterface.php';

Important: Order of includes:

include_once __DIR__.'/../src/FixedBitNotation.php';
include_once __DIR__.'/../src/GoogleAuthenticatorInterface.php';
include_once __DIR__.'/../src/GoogleAuthenticator.php';
include_once __DIR__.'/../src/GoogleQrUrl.php';

in example.php.

Same issue in sample\web\index.php