yubico / php-yubico
PHP class for Yubico authentication
Home Page: https://developers.yubico.com/php-yubico
License: BSD 3-Clause "New" or "Revised" License
In parsePasswordOTP, if the user is using the DVORAK keyboard layout, you take care of fixing the OTP, but leave the rest of the values mangled.
This means that if they switch back to a QWERTY based keyboard layout, their key ID will no longer match.
I would suggest something like this instead:
function parsePasswordOTP($str, $delim = '[:]')
{
    /* Dvorak? If the whole string is made of Dvorak-layout modhex characters,
       transcode it before parsing, so password, prefix and ciphertext all
       come out in QWERTY form. Upper-case letters are mapped too, since the
       patterns below accept them ('.' has no upper-case counterpart). */
    if (preg_match("/^((.*)" . $delim . ")?" .
                   "(([jxe.uidchtnbpygkJXE.UIDCHTNBPYGK]{0,16})" .
                   "([jxe.uidchtnbpygkJXE.UIDCHTNBPYGK]{32}))$/",
                   $str, $matches))
    {
        // Un-mangle the OTP (convert from DVORAK -> QWERTY)
        $str = strtr($str, "jxe.uidchtnbpygkJXEUIDCHTNBPYGK",
                           "cbdefghijklnrtuvCBDFGHIJKLNRTUV");
    }
    if (!preg_match("/^((.*)" . $delim . ")?" .
                    "(([cbdefghijklnrtuvCBDEFGHIJKLNRTUV]{0,16})" .
                    "([cbdefghijklnrtuvCBDEFGHIJKLNRTUV]{32}))$/",
                    $str, $matches))
    {
        return false;
    }
    $ret = array();
    $ret['otp']        = $matches[3];   // prefix + ciphertext (32..48 modhex chars)
    $ret['password']   = $matches[2];   // whatever preceded the delimiter, if any
    $ret['prefix']     = $matches[4];   // public key ID, 0..16 chars
    $ret['ciphertext'] = $matches[5];   // the 32-char encrypted part
    return $ret;
}
The client should transcode non-qwerty OTPs into qwerty-style before sending it to the server.
https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L331 and the httpsverify option.
This option should be removed. There's never a time you could safely disable peer verification. Correct fix for validation/self-signed issues is to apply a cainfo/cabundle rather than disable peer verification.
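As an added illustration (not code from php-yubico), this is how the validation request's curl handle can keep peer and host-name verification on while trusting a site-specific CA bundle; the validation URL and the bundle path are placeholders.

```php
<?php
// Added example, not php-yubico's own code. Keeps TLS peer and host-name
// verification on for the validation request; a private CA bundle path
// (assumed) is trusted via CURLOPT_CAINFO instead of disabling the checks.

function makeVerifiedCurlHandle($url, $caBundle = null, $timeout = 10)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain HTTP
        CURLOPT_FOLLOWLOCATION => false,
        // What the httpsverify option effectively allowed, and must not be set:
        //   CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,  // certificate must match the host name
    ]);
    if ($caBundle !== null) {
        if (!is_readable($caBundle)) {
            throw new InvalidArgumentException("CA bundle not readable: $caBundle");
        }
        // Self-signed or private-CA validation servers: trust that chain only.
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }
    return $ch;
}

// Placeholders: a validation server URL with its query string already built.
$url = 'https://validation.example.invalid/wsapi/2.0/verify?id=1&otp=OTP&nonce=NONCE';
$ch = makeVerifiedCurlHandle($url, '/etc/ssl/certs/validation-ca.pem');
$body = curl_exec($ch);
if ($body === false) {
    // A chain or host-name mismatch fails here: treat it as a failed login,
    // never as a reason to retry with verification switched off.
    error_log('validation request failed: ' . curl_error($ch));
}
curl_close($ch);
```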
Hey guys,
a note on deprecated warnings.
Rename the file to Auth_Yubico.php and change the Constructor to __construct.
Line: 35
Methods with the same name as their class will not be constructors in a future version of PHP; Auth_Yubico has a deprecated constructor
The following changes should be made to Auth/Yubico.php to silence some warnings PHP gives with strict error reporting:
$ch[$handle] = $handle;
on line 331 should be
$ch[(int)$handle] = $handle;
and on line 431:
if ($replay) return PEAR::raiseError('REPLAYED_OTP');
should be
if ($replay) return (new PEAR)->raiseError('REPLAYED_OTP');
And finally, line 433:
return PEAR::raiseError($status);
should be
return (new PEAR)->raiseError($status);
please add a valid composer.json and register your package at packagist
https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L291
Another instance of predictable nonce. Not sure of implication (if any) given request is hmac'd under shared key.
Should probably be openssl_random_pseudo_bytes anyway.
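An added example, not the library's code, of drawing the nonce from a CSPRNG and then using it to bind the validation reply to the request that sent it. It assumes the v2.0 validation protocol's signing rules (parameters sorted by key, joined with '&', HMAC-SHA1 keyed with the base64-decoded API key, signature in 'h'); the client ID, OTP and API key are placeholders supplied by the caller.

```php
<?php
// Added example, not php-yubico's own code. Generates the nonce from a CSPRNG
// and uses it to bind the validation reply to the request that produced it.
// Assumes the v2.0 signing rules: params sorted by key, joined with '&',
// HMAC-SHA1 keyed with the base64-decoded API key, base64 signature in 'h'.

function makeNonce()
{
    // 20 random bytes -> 40 hex chars (the spec allows 16..40 alphanumerics).
    // random_bytes() needs PHP 7; openssl_random_pseudo_bytes() is the PHP 5
    // alternative the issue suggests. Neither is guessable like rand()/time().
    return bin2hex(random_bytes(20));
}

function signParams(array $params, $apiKeyB64)
{
    ksort($params);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    $mac = hash_hmac('sha1', implode('&', $pairs), base64_decode($apiKeyB64), true);
    return base64_encode($mac);
}

function buildRequest($clientId, $otp, $apiKeyB64)
{
    $params = ['id' => $clientId, 'otp' => $otp, 'nonce' => makeNonce()];
    $params['h'] = signParams($params, $apiKeyB64);  // signed without 'h' itself
    return $params;
}

// A reply is accepted only if it is signed under the shared key AND echoes
// this request's nonce and otp; a reply captured earlier fails both checks.
function replyMatchesRequest(array $reply, array $request, $apiKeyB64)
{
    if (!isset($reply['h'], $reply['nonce'], $reply['otp'])) {
        return false;
    }
    $unsigned = $reply;
    unset($unsigned['h']);
    return hash_equals(signParams($unsigned, $apiKeyB64), $reply['h'])
        && hash_equals($request['nonce'], $reply['nonce'])
        && hash_equals($request['otp'], $reply['otp']);
}
```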
This library doesn't seem to work for me -- it always returns "NO_VALID_ANSWER" no matter what.
In fact, it's not just me -- your own demo page doesn't work: https://demo.yubico.com/php-yubico/demo.php
Hello, I have installed the script. Here is the url: http://stv22.com/yubico/
I have entered the key on the "http://stv22.com/yubico/" url and pressed the enter button, but I always get the "Login failure. Please try again." message on the "http://stv22.com/yubico/one_factor.php" url.
Can you please tell me why it's happening and how to solve this issue?
Regards.
Tested this on 2019-12-17 and apparently the demo page isn't working for me?
Although, with the new webauthn standard, maybe this is no longer needed?
Webauthn standard:
https://w3c.github.io/webauthn/
Implementation References:
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integrati…
These standards are becoming very prevalent in the PHP community. I wouldn't mind going through and refactoring if you guys don't have the time.
Hello!
I would like to integrate this into my project; I can do so, but inconveniently, by manual implementation.
Could the package maintainers please import this project into Packagist for everyone, making installing the library a "composer require yubico/php-yubico" away?
Thanks.
Does this work with PHP 7.2?
As taken from the README:
This url is a dead end.
The function _make_curl_handle($query, $timeout=null) calls the function
flush();
This function modifies headers.
And then it is not possible to modify headers (redirect pages etc.) in the main PHP code that uses the Yubico library.
After validating the password I get: PHP Warning: Cannot modify header information - headers already sent in /home/benjaminas/new.velsiga.lt/htdocs/login.php on line .
I have traced the problem and it was the flush() function.
After commenting out this function everything works fine. Authentication works fine and I'm able to modify headers in my main program.
Why does this function need to flush the whole buffer before calling curl?