These standards are becoming very prevalent in the PHP community. I wouldn't mind going through and refactoring if you guys don't have the time.

Hello, I have installed the script. Here is the url: http://stv22.com/yubico/

I have entered the key on "http://stv22.com/yubico/" url and pressed the enter button but always getting "Login failure. Please try again." message on "http://stv22.com/yubico/one_factor.php" url.

Can you please tell why it's happening and how to solve this issue.

Regards.

please add a valid composer.json and register your package at packagist

Does this work with PHP 7.2?

https://developers.yubico.com/php-yubico/

In parsePasswordOTP, if the user is using the DVORAK keyboard layout, you take care of fixing the OTP, but leave the rest of the values mangled.

This means that if they switch back to a QWERTY based keyboard layout, their key ID will no longer match.

I would suggest something like this instead:

    function parsePasswordOTP($str, $delim = '[:]')
    {
        /* Dvorak? */
        if (preg_match("/^((.*)" . $delim . ")?" .
            "(([jxe.uidchtnbpygkJXE.UIDCHTNBPYGK]{0,16})" .
            "([jxe.uidchtnbpygkJXE.UIDCHTNBPYGK]{32}))$/",
            $str, $matches))
        {
            // Un-mangle the OTP (convert from DVORAK -> QWERTY)
            $str = strtr($str, "jxe.uidchtnbpygk", "cbdefghijklnrtuv");
        }
        if (!preg_match("/^((.*)" . $delim . ")?" .
            "(([cbdefghijklnrtuvCBDEFGHIJKLNRTUV]{0,16})" .
            "([cbdefghijklnrtuvCBDEFGHIJKLNRTUV]{32}))$/",
            $str, $matches))
        {
            return false;
        }
        $ret['otp'] = $matches[3];
        $ret['password'] = $matches[2];
        $ret['prefix'] = $matches[4];
        $ret['ciphertext'] = $matches[5];
        return $ret;
    }

Function function _make_curl_handle($query, $timeout=null) calls function
flush();
This function modifies headers.
And then it is not possible to modify headers (redirect pages etc) in main php code that uses Yubico library.
After validzteing the password I get PHP Warning: Cannot modify header information - headers already sent in /home/benjaminas/new.velsiga.lt/htdocs/login.php on line .
I have traced the problem and that was fush() function.
After commenting this function everything works fine. Authentications works fine and I'm able to modify headers in my main program.

Why does this function needs to flush all the buffer before calling curl?

Hey Guys,
have a note at deprecated warnings.

Rename the file to Auth_Yubico.php and change the Constructor to __construct.

Line: 35
Methods with the same name as their class will not be constructors in a future version of PHP; Auth_Yubico has a deprecated constructor

The following changes should be made to Auth/Yubico.php to silence some warnings PHP gives with strict error reporting:

$ch[$handle] = $handle;

on line 331 should be

$ch[(int)$handle] = $handle;

and on line 431:

if ($replay) return PEAR::raiseError('REPLAYED_OTP');

should be

if ($replay) return (new PEAR)->raiseError('REPLAYED_OTP');

And finally, line 433:

return (PEAR::raiseError($status);

should be

return ((new PEAR)->raiseError($status);

This library doesn't seem to work for me -- it always returns "NO_VALID_ANSWER" no matter what.

In fact, it's not just me -- your own demo page doesn't work: https://demo.yubico.com/php-yubico/demo.php

https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L331 and the httpsverify option.

This option should be removed. Theres never a time you could safely disable peer verification. Correct fix for validation/self-signed issues is to apply a cainfo/cabundle rather than disable peer verification.

Hello!
I would like to integrate this into my project, I can do so but inconvieniently by manual implementation.
Could the package maintainers please import this project into Packagist for everyone, making installing the library a composer require yubico/php-yubico away?

Thanks.

The client should transcode non-qwerty OTPs into qwerty-style before sending it to the server.

https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L291

Another instance of predictable nonce. Not sure of implication (if any) given request is hmac'd under shared key.

Should probably be openssl_random_pseudo_bytes anyway.

Tested this on 2019-12-17 and apparently the demo page isn't working for me?

Although, with the new webauthn standard, maybe this is no longer needed?

Webauthn standard:
https://w3c.github.io/webauthn/

Implementation References:
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integrati…

As taken from the README:

Generate a new id+key from https://api.yubico.com/get-api-key/

This url is a dead end.