Hi peebee,
Very nice. Thank you for posting (and for putting up the GoogleAuthenticatorClass.php again).
I want to suggest a few little improvements:
a) In setup_googleauth.php we find

    echo $ga->TOTPsetupPage($memberinfo['username'],'AppGini'); // need to find a way to retrieve the site name and put it in here.

Replace this with

    echo $ga->TOTPsetupPage($memberinfo['username'],$host); // need to find a way to retrieve the site name and put it in here.

and your GA code will at least have the domain from the application. I have posted a request on how to get the application name (viewtopic.php?f=2&p=11477#p11477). Once this is answered we can easily change $host in that code again.
b) The problem you describe here
peebee wrote (2019-11-13 23:58):
Only limitations I can recall is it doesn't allow you to disable TFA once enabled (should be able to be fixed with a bit of editing) and I don't remember it providing any manual override codes in case no Google device is handy.
can be worked around like this:
Replace the code (once again) in incCommon.php (attention: incCommon.php is regenerated when you generate your application, so all changes to it will be lost after regeneration and you will need to reapply your changes). Look for

    function logInMember() {
        $redir = 'index.php';
        if($_POST['signIn'] != '') {
            if($_POST['username'] != '' && $_POST['password'] != '') {

and replace it with

    function logInMember() {
        $redir = 'index.php';
        if($_POST['signIn'] != '') {
            //start https://github.com/massyn/appgini-tools/blob/master/google-authenticator.md
            //old: if($_POST['username'] != '' && $_POST['password'] != '') {
            //new: if($_POST['username'] != '' && $_POST['password'] != '' && ($TwoFactor == 1)) {
            $curr_dir = dirname(__FILE__);
            require_once "$curr_dir/hooks/GoogleAuthenticatorClass.php";
            $ga = new framework_GoogleAuthenticator();
            $username = makeSafe(strtolower($_POST['username']));
            // a row in totp_secrets means this user has enrolled in two-factor auth
            $sqlTwoFactor = "SELECT Count(uid) AS c FROM totp_secrets WHERE uid = '" . $username ."';";
            $testTwoFactorUser = sqlValue($sqlTwoFactor);
            $TwoFactor = 0;
            if ($testTwoFactorUser == 1) {
                // enrolled: the submitted TOTP code must verify
                if ($ga->TOTPauthenticate(db_link(),$username)) {
                    $TwoFactor = 1;
                }
            } else {
                // not enrolled: password only
                $TwoFactor = 1;
            }
            if($_POST['username'] != '' && $_POST['password'] != '' && ($TwoFactor === 1)) {
            //end https://github.com/massyn/appgini-tools/blob/master/google-authenticator.md
What this change does: if the user has set up two-factor authentication for himself, he needs to use it. If it has not been set up, he does not need to use it. For this the table totp_secrets is checked, from which we can easily delete entries ... Now make it easy to remove two-factor auth for/from users:
Create a new table in AppGini (after running the GoogleAuthenticator once) like seen in the image. Give the admin access to all entries (only view and delete in the generated AppGini application). This way the entries can be deleted from the table quite easily and thus two-factor authentication is disabled for that user (again). You can allow mass delete and disable detail view (both circled).
SQL for this table:

    CREATE TABLE `totp_secrets` (
      `uid` varchar(50) NOT NULL,
      `secret` varchar(30) DEFAULT NULL,
      `datetime` datetime DEFAULT NULL,
      `ip_address` varchar(30) DEFAULT NULL,
      PRIMARY KEY (`uid`),
      UNIQUE KEY `uid_unique` (`uid`)
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;

[Attachment: totp1.png]
Olaf
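To show the decision the patched logInMember() makes in isolation, here is an added, self-contained example. It is not code from the post above, from AppGini or from massyn's appgini-tools: the totp_secrets table is simulated with an in-memory array instead of sqlValue()/db_link(), the TOTP check is implemented directly from RFC 6238 rather than through GoogleAuthenticatorClass.php, and the function names base32_decode_str(), totp_code(), totp_verify() and login_allowed() are this example's own.

```php
<?php
// Added example, not part of the original post or of AppGini / appgini-tools.
// Opt-in TOTP gate: a user with a row in totp_secrets must present a valid
// code; a user without one logs in with password only, so deleting the row
// disables two-factor auth for that user (the behaviour described above).

// RFC 4648 base32 decoder (Google Authenticator secrets are base32 strings).
function base32_decode_str(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $idx = strpos($alphabet, $ch);
        if ($idx === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($idx), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// RFC 6238 TOTP: HOTP over the 30-second time step, HMAC-SHA1, 6 digits.
function totp_code(string $secret_b32, int $timestamp, int $period = 30, int $digits = 6): string {
    $counter = intdiv($timestamp, $period);
    $msg  = pack('J', $counter);            // 64-bit big-endian counter
    $hmac = hash_hmac('sha1', $msg, base32_decode_str($secret_b32), true);
    $offset = ord($hmac[19]) & 0x0f;        // dynamic truncation (RFC 4226)
    $bin = ((ord($hmac[$offset]) & 0x7f) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         | ord($hmac[$offset + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side to tolerate clock drift,
// and compare in constant time so the check does not leak matching digits.
function totp_verify(string $secret_b32, string $submitted, int $timestamp, int $window = 1): bool {
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret_b32, $timestamp + $i * 30), $submitted)) {
            return true;
        }
    }
    return false;
}

// $totp_secrets stands in for the totp_secrets table: uid => base32 secret.
function login_allowed(array $totp_secrets, string $username, bool $password_ok, ?string $code, int $now): bool {
    if (!$password_ok) {
        return false;
    }
    $uid = strtolower($username);           // same normalisation as the patch
    if (!array_key_exists($uid, $totp_secrets)) {
        return true;                        // not enrolled: password only
    }
    return $code !== null && totp_verify($totp_secrets[$uid], $code, $now);
}

// Constructed sample data: the RFC 6238 test secret (ASCII "12345678901234567890"
// in base32) and a fixed timestamp, so the run is reproducible offline.
$secrets = ['alice' => 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'];
$now = 59;

// enrolled user with the correct code for this time step
var_dump(login_allowed($secrets, 'alice', true, totp_code($secrets['alice'], $now), $now));
// enrolled user with a wrong code
var_dump(login_allowed($secrets, 'alice', true, '000000', $now));
// user who never enrolled: no row, so no code is required
var_dump(login_allowed($secrets, 'bob', true, null, $now));
// "delete the row" from the admin table: alice is back to password only
unset($secrets['alice']);
var_dump(login_allowed($secrets, 'alice', true, null, $now));
```

The last two calls are the point of the table-based design in the post: enrolment is nothing more than the presence of a row, so an admin deleting that row (or a mass delete in the generated AppGini table) is exactly what turns two-factor auth off for a user, and there is no separate flag to keep in sync.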