mediawiki-extensions-OATHAuth/OATHAuthKey.php
Bryan Davis a6b60d2465 Apply rate limits to all token verifications
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
2016-10-07 17:24:32 -07:00

155 lines
3.7 KiB
PHP

<?php
/**
* Class representing a two-factor key
*
* Keys can be tied to OAUTHUsers
*
* @ingroup Extensions
*/
class OATHAuthKey {
/**
* Represents that a token corresponds to the main secret
* @see verifyToken
*/
const MAIN_TOKEN = 1;
/**
* Represents that a token corresponds to a scratch token
* @see verifyToken
*/
const SCRATCH_TOKEN = -1;
/** @var string Two factor binary secret */
private $secret;
/** @var string[] List of scratch tokens */
private $scratchTokens;
/**
* Make a new key from random values
*
* @return OATHAuthKey
*/
public static function newFromRandom() {
$object = new self(
Base32::encode( MWCryptRand::generate( 10, true ) ),
[]
);
$object->regenerateScratchTokens();
return $object;
}
/**
* @param string $secret
* @param array $scratchTokens
*/
public function __construct( $secret, array $scratchTokens ) {
// Currently harcoded values; might be used in future
$this->secret = [
'mode' => 'hotp',
'secret' => $secret,
'period' => 30,
'algorithm' => 'SHA1',
];
$this->scratchTokens = $scratchTokens;
}
/**
* @return String
*/
public function getSecret() {
return $this->secret['secret'];
}
/**
* @return array
*/
public function getScratchTokens() {
return $this->scratchTokens;
}
/**
* Verify a token against the secret or scratch tokens
*
* @param string $token Token to verify
* @param OATHUser $user
*
* @return int|false Returns a constant represent what type of token was matched,
* or false for no match
*/
public function verifyToken( $token, OATHUser $user ) {
global $wgOATHAuthWindowRadius;
if ( $this->secret['mode'] !== 'hotp' ) {
throw new \DomainException( 'OATHAuth extension does not support non-HOTP tokens' );
}
// Prevent replay attacks
$memc = ObjectCache::newAnything( [] );
$uid = CentralIdLookup::factory()->centralIdFromLocalUser( $user->getUser() );
$memcKey = wfMemcKey( 'oauthauth', 'usedtokens', $uid );
$lastWindow = (int)$memc->get( $memcKey );
$retval = false;
$results = HOTP::generateByTimeWindow(
Base32::decode( $this->secret['secret'] ),
$this->secret['period'], -$wgOATHAuthWindowRadius, $wgOATHAuthWindowRadius
);
// Check to see if the user's given token is in the list of tokens generated
// for the time window.
foreach ( $results as $window => $result ) {
if ( $window > $lastWindow && $result->toHOTP( 6 ) === $token ) {
$lastWindow = $window;
$retval = self::MAIN_TOKEN;
break;
}
}
// See if the user is using a scratch token
if ( !$retval ) {
$length = count( $this->scratchTokens );
// Detect condition where all scratch tokens have been used
if ( $length == 1 && "" === $this->scratchTokens[0] ) {
$retval = false;
} else {
for ( $i = 0; $i < $length; $i++ ) {
if ( $token === $this->scratchTokens[$i] ) {
// If there is a scratch token, remove it from the scratch token list
unset( $this->scratchTokens[$i] );
$oathrepo = OATHAuthHooks::getOATHUserRepository();
$user->setKey( $this );
$oathrepo->persist( $user );
// Only return true if we removed it from the database
$retval = self::SCRATCH_TOKEN;
break;
}
}
}
}
if ( $retval ) {
$memc->set(
$memcKey,
$lastWindow,
$this->secret['period'] * ( 1 + 2 * $wgOATHAuthWindowRadius )
);
} else {
// Increase rate limit counter for failed request
$user->getUser()->pingLimiter( 'badoath' );
}
return $retval;
}
public function regenerateScratchTokens() {
$scratchTokens = [];
for ( $i = 0; $i < 5; $i++ ) {
array_push( $scratchTokens, Base32::encode( MWCryptRand::generate( 10, true ) ) );
}
$this->scratchTokens = $scratchTokens;
}
}