Auth: allow to reverse password / token order in TOTP

fichtner · fichtner · commit 20ec899ae51f · 2017-07-12T20:56:14.000+02:00
PR: https://forum.opnsense.org/index.php?topic=5466.0
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/TOTP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/TOTP.php
@@ -53,6 +53,11 @@ trait TOTP
      */
     private $graceperiod = 10;
 
+    /**
+     * @var bool token after password
+     */
+    private $passwordFirst = false;
+
     /**
      * @var string method accepting username and returning a simplexml user object
      */
@@ -149,8 +154,14 @@ public function authenticate($username, $password)
         if ($userObject != null && !empty($userObject->otp_seed)) {
             if (strlen($password) > $this->otpLength) {
                 // split otp token code and userpassword
-                $code = substr($password, 0, $this->otpLength);
-                $userPassword =  substr($password, $this->otpLength);
+                $pwStart = $this->otpLength;
+                $otpStart = 0;
+                if ($this->passwordFirst) {
+                    $otpStart = strlen($password) - $this->otpLength;
+                    $pwStart = 0;
+                }
+                $userPassword = substr($password, $pwStart, strlen($password) - $this->otpLength);
+                $code = substr($password, $otpStart, $this->otpLength);
                 $otp_seed = \Base32\Base32::decode($userObject->otp_seed);
                 if ($this->authTOTP($otp_seed, $code)) {
                     // token valid, do parents auth
@@ -176,6 +187,9 @@ public function setTOTPProperties($config)
         if (!empty($config['graceperiod'])) {
             $this->graceperiod = $config['graceperiod'];
         }
+        if (array_key_exists('passwordFirst', $config) && !empty($config['passwordFirst'])) {
+            $this->passwordFirst = true;
+        }
     }
 
     /**
@@ -226,6 +240,13 @@ private function getTOTPConfigurationOptions()
                 return array();
             }
         };
+        $fields["passwordFirst"] = array();
+        $fields["passwordFirst"]["name"] = gettext("Reverse token order");
+        $fields["passwordFirst"]["help"] = gettext("Require the password in front of the token instead of behind it.");
+        $fields["passwordFirst"]["type"] = "checkbox";
+        $fields["passwordFirst"]["validate"] = function ($value) {
+            return array();
+        };
 
         return $fields;
     }
