Build Two Factor Authentication

Discussions related to customizing hooks. Hooks are documented at http://bigprof.com/appgini/help/advanced-topics/hooks/
Post Reply
Moh Youba
Veteran Member
Posts: 130
Joined: 2017-03-12 09:31

Build Two Factor Authentication

Post by Moh Youba » 2019-11-10 22:35

Hello

I am using AppGini 5.81 and I am looking for any help to build Two Factor Authentication.
Any idea are welcome.

Thank you

peebee
AppGini Super Hero
AppGini Super Hero
Posts: 246
Joined: 2013-03-21 04:37

Re: Build Two Factor Authentication

Post by peebee » 2019-11-13 23:58

I have tried this Google Authenticator plugin developed by a past Appgini subscriber in previous versions of AppGini (not on Version 5.81 yet - but I can't see any reason why it won't still work OK?):

https://github.com/massyn/appgini-tools ... ticator.md

It does work well! Google Authentication is selectable and not enforced on all users. Provides QR code too. Only limitations I can recall is it doesn't allow you to disable TFA once enabled (should be able to be fixed with a bit of editing) and I don't remember it providing any manual override codes in case no Google device is handy.

I does require some editing of core Appgini files but they are very minimal and easy to track changes.

peebee
AppGini Super Hero
AppGini Super Hero
Posts: 246
Joined: 2013-03-21 04:37

Re: Build Two Factor Authentication

Post by peebee » 2019-11-14 00:13

Hmmm? Just checked the GoogleAuthenticatorClass.php link in that GitHub link above and I see it is now dead?

Not sure why it's no longer available and obviously I can't vouch for the code but here is a copy of the original attached if anybody is interested in giving it a go/edit:
GoogleAuthenticatorClass.zip
(3.54 KiB) Downloaded 14 times

peebee
AppGini Super Hero
AppGini Super Hero
Posts: 246
Joined: 2013-03-21 04:37

Re: Build Two Factor Authentication

Post by peebee » 2019-11-14 05:13

As a matter of interest, I just tested Google Authenticator as per GitHub instructions on V5.81.

Still works although one change is necessary in inCommon.php due to hardening of password hashes in recently released versions (post V5.73).

Instead of replacing with this (final instruction):

Code: Select all

if(sqlValue("select count(1) from membership_users where lcase(memberID)='$username' and passMD5='$password' and isApproved=1 and isBanned=0")==1 && ($ga->TOTPauthenticate(db_link(),$username))){
You need to find this (around line 1050):

Code: Select all

$redir = 'index.php';
		if($_POST['signIn'] != ''){
			if($_POST['username'] != '' && $_POST['password'] != ''){
				$username = makeSafe(strtolower($_POST['username']));
				$hash = sqlValue("select passMD5 from membership_users where lcase(memberID)='{$username}' and isApproved=1 and isBanned=0");
				$password = $_POST['password'];
And replace it with this:

Code: Select all

$redir = 'index.php';
		if($_POST['signIn'] != ''){
			if($_POST['username'] != '' && $_POST['password'] != '' && ($ga->TOTPauthenticate(db_link(),$_POST['username']))){
				$username = makeSafe(strtolower($_POST['username']));
				$hash = sqlValue("select passMD5 from membership_users where lcase(memberID)='{$username}' and isApproved=1 and isBanned=0");
				$password = $_POST['password'];
Seems to work well. While I can't see that it would, I'm not sure if all this creates any other security issues though...?

Moh Youba
Veteran Member
Posts: 130
Joined: 2017-03-12 09:31

Re: Build Two Factor Authentication

Post by Moh Youba » 2019-11-14 07:27

Hello

Thank you for support and sharing, I will give a try.

Best regards,

onoehring
AppGini Super Hero
AppGini Super Hero
Posts: 421
Joined: 2019-05-21 22:42
Contact:

Re: Build Two Factor Authentication

Post by onoehring » 2019-11-17 10:38

Hi peebee,

very nice. Thank you for posting (and for putting the GoogleAuthenticatorClass.php again).
I want to suggest little improvements:

a) in setup_googleauth.php we find

Code: Select all

echo $ga->TOTPsetupPage($memberinfo['username'],'AppGini');	// need to find a way to retreive the site name and put it in here.
Replace this with

Code: Select all

echo $ga->TOTPsetupPage($memberinfo['username'],$host);	// need to find a way to retreive the site name and put it in here.
and your GA-Code will at least have the domain from the application. I have posted a request on how to get the application name ( viewtopic.php?f=2&p=11477#p11477 ). Once this is answered we can easily change $host in that code again.

b) The problem you describe here
peebee wrote:
2019-11-13 23:58
Only limitations I can recall is it doesn't allow you to disable TFA once enabled (should be able to be fixed with a bit of editing) and I don't remember it providing any manual override codes in case no Google device is handy.
can be worked around like this:
Replace the code (once again) in incCommon.php (attention: incCommon will be created when you create your application, so all changes to this will be lost after creation and you will need to reapply your changes). Look for

Code: Select all

	function logInMember() {
		$redir = 'index.php';
		if($_POST['signIn'] != '') {
			if($_POST['username'] != '' && $_POST['password'] != '') {
replace with

Code: Select all

	function logInMember() {
		$redir = 'index.php';
		if($_POST['signIn'] != '') {
//start https://github.com/massyn/appgini-tools/blob/master/google-authenticator.md			
//old: if($_POST['username'] != '' && $_POST['password'] != '') {
//new: if($_POST['username'] != '' && $_POST['password'] != '' && ($TwoFactor == 1)) {

$curr_dir = dirname(__FILE__);
require_once "$curr_dir/hooks/GoogleAuthenticatorClass.php";
$ga = new framework_GoogleAuthenticator();

$username = makeSafe(strtolower($_POST['username']));
$sqlTwoFactor = "SELECT Count(uid) AS c FROM totp_secrets WHERE uid = '" . $username ."';";
$testTwoFactorUser = sqlValue($sqlTwoFactor);

$TwoFactor = 0;
if ($testTwoFactorUser == 1) { 
	if ($ga->TOTPauthenticate(db_link(),$username)) { 
		$TwoFactor = 1;
	}	
	} else {
		$TwoFactor = 1; 
}

if($_POST['username'] != '' && $_POST['password'] != '' && ($TwoFactor === 1)) {
//end https://github.com/massyn/appgini-tools/blob/master/google-authenticator.md


What this change does: If the user has defined two-factor for himself, he needs to use it. If it has not been defined, he does not need to use it. For this the table totp_secrets is checked - from which we can easily delete entries ... Now make it easy to remove two-factor auth for/from users:
Create a new table in AppGini (after running the GooglAuthenticator once) like seen in the image. Give the admin access to all entries (only view and delete in the generated AppGini application). This way the the entries can be deleted from the table quite easily and thus two-factor-authentication being disabled for that user (again). You can allow mass delete and disable detail view (both circled).

SQL for this table:

Code: Select all

CREATE TABLE `totp_secrets` (
  `uid` varchar(50) NOT NULL,
  `secret` varchar(30) DEFAULT NULL,
  `datetime` datetime DEFAULT NULL,
  `ip_address` varchar(30) DEFAULT NULL,
  PRIMARY KEY (`uid`),
  UNIQUE KEY `uid_unique` (`uid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
totp1.png
totp1.png (45.26 KiB) Viewed 793 times
Olaf
Some postings I was involved, you might find useful:
Backup your database (easy) (viewtopic.php?f=4&t=3341); Improve security / safety against DDOS and brute force (failed) logins (viewtopic.php?f=4&t=3168); Field Permissions (hide / lock fields by usergroup) (viewtopic.php?f=4&t=3308); Custom (error) message (viewtopic.php?f=7&t=1740&p=10871#p10906); Audit Log (viewtopic.php?f=4&t=1369&p=10407); Two Factor Authentication (viewtopic.php?f=7&t=3306&p=11478); Add extra (2nd) SAVE CHANGES button (viewtopic.php?f=2&t=3242&p=11104);

onoehring
AppGini Super Hero
AppGini Super Hero
Posts: 421
Joined: 2019-05-21 22:42
Contact:

Re: Build Two Factor Authentication

Post by onoehring » 2019-11-17 16:15

Hi,

I decided to make it a little easier to implement and use: Now the user can remove the two factor authentication of him/herself in the same form (you still need to adjust incCommon.php):
ec71.png
ec71.png (33.69 KiB) Viewed 781 times

Download
twofactorauth_v20191117b.zip
(5.14 KiB) Downloaded 31 times
Olaf
Some postings I was involved, you might find useful:
Backup your database (easy) (viewtopic.php?f=4&t=3341); Improve security / safety against DDOS and brute force (failed) logins (viewtopic.php?f=4&t=3168); Field Permissions (hide / lock fields by usergroup) (viewtopic.php?f=4&t=3308); Custom (error) message (viewtopic.php?f=7&t=1740&p=10871#p10906); Audit Log (viewtopic.php?f=4&t=1369&p=10407); Two Factor Authentication (viewtopic.php?f=7&t=3306&p=11478); Add extra (2nd) SAVE CHANGES button (viewtopic.php?f=2&t=3242&p=11104);

onoehring
AppGini Super Hero
AppGini Super Hero
Posts: 421
Joined: 2019-05-21 22:42
Contact:

Re: Build Two Factor Authentication

Post by onoehring » 2019-11-18 15:19

Hi,

added one more line to allow access to the page only for logged in users.
Also added some (simple) docs: From my former posting and the github page in a single txt file.

Download:
twofactorauth_v20191118.zip
(6.42 KiB) Downloaded 29 times
Olaf
Some postings I was involved, you might find useful:
Backup your database (easy) (viewtopic.php?f=4&t=3341); Improve security / safety against DDOS and brute force (failed) logins (viewtopic.php?f=4&t=3168); Field Permissions (hide / lock fields by usergroup) (viewtopic.php?f=4&t=3308); Custom (error) message (viewtopic.php?f=7&t=1740&p=10871#p10906); Audit Log (viewtopic.php?f=4&t=1369&p=10407); Two Factor Authentication (viewtopic.php?f=7&t=3306&p=11478); Add extra (2nd) SAVE CHANGES button (viewtopic.php?f=2&t=3242&p=11104);

peebee
AppGini Super Hero
AppGini Super Hero
Posts: 246
Joined: 2013-03-21 04:37

Re: Build Two Factor Authentication

Post by peebee » 2019-11-21 01:52

Thanks for putting in the effort Olaf, much appreciated. I haven't tried your version yet but I'll give it a go as soon as time permits.

onoehring
AppGini Super Hero
AppGini Super Hero
Posts: 421
Joined: 2019-05-21 22:42
Contact:

Re: Build Two Factor Authentication

Post by onoehring » 2019-11-21 04:09

Hi,

thanks. I have added localization (translation) to the twofactor-auth and added the possibility to have the actual app title as GA title.

Download
twofactorauth_v20191120.zip
(9.08 KiB) Downloaded 21 times
Olaf
Some postings I was involved, you might find useful:
Backup your database (easy) (viewtopic.php?f=4&t=3341); Improve security / safety against DDOS and brute force (failed) logins (viewtopic.php?f=4&t=3168); Field Permissions (hide / lock fields by usergroup) (viewtopic.php?f=4&t=3308); Custom (error) message (viewtopic.php?f=7&t=1740&p=10871#p10906); Audit Log (viewtopic.php?f=4&t=1369&p=10407); Two Factor Authentication (viewtopic.php?f=7&t=3306&p=11478); Add extra (2nd) SAVE CHANGES button (viewtopic.php?f=2&t=3242&p=11104);

Post Reply