Skip to content
This repository
Browse code

Add framework for RFC-6238: Time-Based One Time Password Algorithm.

This provides a system for two-factor authentication, using a compliant
OTP-generator such as Google Authenticator. The framework includes a
validator for use on API calls needing authentication as well as a UI
for provisioning/resetting your secret key. A secure cookie may be
generated to effectively turn the user's browser into a temporary
authentication factor.

This feature is currently limited to admins only until full-site SSL is
available.
  • Loading branch information...
commit 8dfd73b195080e1c32b93f3e0ec634c19a918fdd 1 parent 529df1b
Neil Williams authored
4  r2/example.ini
@@ -110,6 +110,8 @@ https_endpoint =
110 110
 login_cookie = reddit_session
111 111
 # name of the admin cookie
112 112
 admin_cookie = reddit_admin
  113
+# name of the otp cookie
  114
+otp_cookie = reddit_otp
113 115
 # the work factor for bcrypt, increment this every time computers double in
114 116
 # speed. don't worry, changing this won't break old passwords
115 117
 bcrypt_work_factor = 12
@@ -409,6 +411,8 @@ min_membership_create_community = 30
409 411
 ADMIN_COOKIE_TTL = 32400
410 412
 # the maximum amount of idle time for an admin cookie (seconds)
411 413
 ADMIN_COOKIE_MAX_IDLE = 900
  414
+# the maximum life of an otp cookie
  415
+OTP_COOKIE_TTL = 604800
412 416
 
413 417
 # min amount of karma to edit 
414 418
 WIKI_KARMA = 100
48  r2/r2/controllers/api.py
@@ -2713,3 +2713,51 @@ def POST_adminon(self, form, jquery, dest):
2713 2713
         self.enable_admin_mode(c.user)
2714 2714
         form.redirect(dest)
2715 2715
 
  2716
+    @validatedForm(VUser("password", default=""),
  2717
+                   VModhash())
  2718
+    def POST_generate_otp_secret(self, form, jquery):
  2719
+        if form.has_errors("password", errors.WRONG_PASSWORD):
  2720
+            return
  2721
+
  2722
+        secret = totp.generate_secret()
  2723
+        g.cache.set('otp_secret_' + c.user._id36, secret, time=300)
  2724
+        jquery("body").make_totp_qrcode(secret)
  2725
+
  2726
+    @validatedForm(VUser(),
  2727
+                   VModhash(),
  2728
+                   otp=nop("otp"))
  2729
+    def POST_enable_otp(self, form, jquery, otp):
  2730
+        if form.has_errors("password", errors.WRONG_PASSWORD):
  2731
+            return
  2732
+
  2733
+        secret = g.cache.get("otp_secret_" + c.user._id36)
  2734
+        if not secret:
  2735
+            c.errors.add(errors.EXPIRED, field="otp")
  2736
+            form.has_errors("otp", errors.EXPIRED)
  2737
+            return
  2738
+
  2739
+        if not VOneTimePassword.validate_otp(secret, otp):
  2740
+            c.errors.add(errors.WRONG_PASSWORD, field="otp")
  2741
+            form.has_errors("otp", errors.WRONG_PASSWORD)
  2742
+            return
  2743
+
  2744
+        c.user.otp_secret = secret
  2745
+        c.user._commit()
  2746
+
  2747
+        form.redirect("/prefs/otp")
  2748
+
  2749
+    @validatedForm(VUser("password", default=""),
  2750
+                   VOneTimePassword("otp", required=True),
  2751
+                   VModhash())
  2752
+    def POST_disable_otp(self, form, jquery):
  2753
+        if form.has_errors("password", errors.WRONG_PASSWORD):
  2754
+            return
  2755
+
  2756
+        if form.has_errors("otp", errors.WRONG_PASSWORD,
  2757
+                                  errors.NO_OTP_SECRET,
  2758
+                                  errors.RATELIMIT):
  2759
+            return
  2760
+
  2761
+        c.user.otp_secret = ""
  2762
+        c.user._commit()
  2763
+        form.redirect("/prefs/otp")
1  r2/r2/controllers/errors.py
@@ -97,6 +97,7 @@
97 97
         ('CONFIRM', _("please confirm the form")),
98 98
         ('NO_API', _('cannot perform this action via the API')),
99 99
         ('DOMAIN_BANNED', _('%(domain)s is not allowed on reddit: %(reason)s')),
  100
+        ('NO_OTP_SECRET', _('you must enable two-factor authentication')),
100 101
     ))
101 102
 errors = Storage([(e, e) for e in error_list.keys()])
102 103
 
2  r2/r2/controllers/front.py
@@ -1104,6 +1104,8 @@ def GET_prefs(self, location=''):
1104 1104
             content = PrefFeeds()
1105 1105
         elif location == 'delete':
1106 1106
             content = PrefDelete()
  1107
+        elif location == 'otp':
  1108
+            content = PrefOTP()
1107 1109
         else:
1108 1110
             return self.abort404()
1109 1111
 
22  r2/r2/controllers/reddit_base.py
@@ -150,9 +150,10 @@ def read_user_cookie(name):
150 150
     else:
151 151
         return ''
152 152
 
153  
-def set_user_cookie(name, val):
  153
+def set_user_cookie(name, val, **kwargs):
154 154
     uname = c.user.name if c.user_is_loggedin else ""
155  
-    c.cookies[uname + '_' + name] = Cookie(value = val)
  155
+    c.cookies[uname + '_' + name] = Cookie(value=val,
  156
+                                           **kwargs)
156 157
 
157 158
     
158 159
 valid_click_cookie = fullname_regex(Link, True).match
@@ -783,6 +784,17 @@ def enable_admin_mode(user, first_login=None):
783 784
         c.cookies[g.admin_cookie] = Cookie(value=user.make_admin_cookie(first_login=first_login))
784 785
 
785 786
     @staticmethod
  787
+    def remember_otp(user):
  788
+        cookie = user.make_otp_cookie()
  789
+        expiration = datetime.utcnow() + timedelta(seconds=g.OTP_COOKIE_TTL)
  790
+        expiration = expiration.strftime("%a, %d %b %Y %H:%M:%S GMT")
  791
+        set_user_cookie(g.otp_cookie,
  792
+                        cookie,
  793
+                        secure=True,
  794
+                        httponly=True,
  795
+                        expires=expiration)
  796
+
  797
+    @staticmethod
786 798
     def disable_admin_mode(user):
787 799
         c.cookies[g.admin_cookie] = Cookie(value='', expires=DELETE)
788 800
 
@@ -809,6 +821,7 @@ def pre(self):
809 821
 
810 822
         # the user could have been logged in via one of the feeds 
811 823
         maybe_admin = False
  824
+        is_otpcookie_valid = False
812 825
 
813 826
         # no logins for RSS feed unless valid_feed has already been called
814 827
         if not c.user:
@@ -828,6 +841,10 @@ def pre(self):
828 841
                     else:
829 842
                         self.disable_admin_mode(c.user)
830 843
 
  844
+                otp_cookie = read_user_cookie(g.otp_cookie)
  845
+                if c.user_is_loggedin and otp_cookie:
  846
+                    is_otpcookie_valid = valid_otp_cookie(otp_cookie)
  847
+
831 848
             if not c.user:
832 849
                 c.user = UnloggedUser(get_browser_langs())
833 850
                 # patch for fixing mangled language preferences
@@ -850,6 +867,7 @@ def pre(self):
850 867
             c.user_is_admin = maybe_admin and c.user.name in g.admins
851 868
             c.user_special_distinguish = c.user.special_distinguish()
852 869
             c.user_is_sponsor = c.user_is_admin or c.user.name in g.sponsors
  870
+            c.otp_cached = is_otpcookie_valid
853 871
             if request.path != '/validuser' and not g.disallow_db_writes:
854 872
                 c.user.update_last_visit(c.start_time)
855 873
 
62  r2/r2/controllers/validator/validator.py
@@ -24,7 +24,7 @@
24 24
 from pylons.i18n import _
25 25
 from pylons.controllers.util import abort
26 26
 from r2.config.extensions import api_type
27  
-from r2.lib import utils, captcha, promote
  27
+from r2.lib import utils, captcha, promote, totp
28 28
 from r2.lib.filters import unkeep_space, websafe, _force_unicode
29 29
 from r2.lib.filters import markdown_souptest
30 30
 from r2.lib.db import tdb_cassandra
@@ -1767,3 +1767,63 @@ def run(self, flair_template_id):
1767 1767
                 c.site._id, flair_template_id)
1768 1768
         except tdb_cassandra.NotFound:
1769 1769
             return None
  1770
+
  1771
+class VOneTimePassword(Validator):
  1772
+    max_skew = 2  # check two periods to allow for some clock skew
  1773
+    ratelimit = 3  # maximum number of tries per period
  1774
+
  1775
+    def __init__(self, param, required):
  1776
+        self.required = required
  1777
+        Validator.__init__(self, param)
  1778
+
  1779
+    @classmethod
  1780
+    def validate_otp(cls, secret, password):
  1781
+        # is the password a valid format and has it been used?
  1782
+        try:
  1783
+            key = "otp-%s-%d" % (c.user._id36, int(password))
  1784
+        except (TypeError, ValueError):
  1785
+            valid_and_unused = False
  1786
+        else:
  1787
+            # leave this key around for one more time period than the maximum
  1788
+            # number of time periods we'll check for valid passwords
  1789
+            key_ttl = totp.PERIOD * (cls.max_skew + 1)
  1790
+            valid_and_unused = g.cache.add(key, True, time=key_ttl)
  1791
+
  1792
+        # check the password (allowing for some clock-skew as 2FA-users
  1793
+        # frequently travel at relativistic velocities)
  1794
+        if valid_and_unused:
  1795
+            for skew in range(cls.max_skew):
  1796
+                expected_otp = totp.make_totp(secret, skew=skew)
  1797
+                if constant_time_compare(password, expected_otp):
  1798
+                    return True
  1799
+
  1800
+        return False
  1801
+
  1802
+    def run(self, password):
  1803
+        # does the user have 2FA configured?
  1804
+        secret = c.user.otp_secret
  1805
+        if not secret:
  1806
+            if self.required:
  1807
+                self.set_error(errors.NO_OTP_SECRET)
  1808
+            return
  1809
+
  1810
+        # do they have the otp cookie instead?
  1811
+        if c.otp_cached:
  1812
+            return
  1813
+
  1814
+        # make sure they're not trying this too much
  1815
+        if not g.disable_ratelimit:
  1816
+            current_password = totp.make_totp(secret)
  1817
+            key = "otp-tries-" + current_password
  1818
+            g.cache.add(key, 0)
  1819
+            recent_attempts = g.cache.incr(key)
  1820
+            if recent_attempts > self.ratelimit:
  1821
+                self.set_error(errors.RATELIMIT, dict(time="30 seconds"))
  1822
+                return
  1823
+
  1824
+        # check the password
  1825
+        if self.validate_otp(secret, password):
  1826
+            return
  1827
+
  1828
+        # if we got this far, their password was wrong, invalid or already used
  1829
+        self.set_error(errors.WRONG_PASSWORD)
1  r2/r2/lib/app_globals.py
@@ -63,6 +63,7 @@ class Globals(object):
63 63
             'QUOTA_THRESHOLD',
64 64
             'ADMIN_COOKIE_TTL',
65 65
             'ADMIN_COOKIE_MAX_IDLE',
  66
+            'OTP_COOKIE_TTL',
66 67
             'num_comments',
67 68
             'max_comments',
68 69
             'max_comments_gold',
5  r2/r2/lib/js.py
@@ -310,6 +310,11 @@ def use(self):
310 310
     "traffic.js",
311 311
 )
312 312
 
  313
+module["qrcode"] = Module("qrcode.js",
  314
+    "lib/jquery.qrcode.min.js",
  315
+    "qrcode.js",
  316
+)
  317
+
313 318
 def use(*names):
314 319
     return "\n".join(module[name].use() for name in names)
315 320
 
1  r2/r2/lib/menus.py
@@ -109,6 +109,7 @@ def __getattr__(self, attr):
109 109
                      friends      = _("friends"),
110 110
                      update       = _("password/email"),
111 111
                      delete       = _("delete"),
  112
+                     otp          = _("two-factor authentication"),
112 113
 
113 114
                      # messages
114 115
                      compose      = _("compose"),
7  r2/r2/lib/pages/pages.py
@@ -625,6 +625,10 @@ def build_toolbars(self):
625 625
 
626 626
         buttons.extend([NamedButton('friends'),
627 627
                         NamedButton('update')])
  628
+
  629
+        if c.user_is_loggedin and c.user.name in g.admins:
  630
+            buttons += [NamedButton('otp')]
  631
+
628 632
         #if CustomerID.get_id(user):
629 633
         #    buttons += [NamedButton('payment')]
630 634
         buttons += [NamedButton('delete')]
@@ -639,6 +643,9 @@ def __init__(self, done = False):
639 643
 class PrefFeeds(Templated):
640 644
     pass
641 645
 
  646
+class PrefOTP(Templated):
  647
+    pass
  648
+
642 649
 class PrefUpdate(Templated):
643 650
     """Preference form for updating email address and passwords"""
644 651
     def __init__(self, email = True, password = True, verify = False):
76  r2/r2/lib/totp.py
... ...
@@ -0,0 +1,76 @@
  1
+# The contents of this file are subject to the Common Public Attribution
  2
+# License Version 1.0. (the "License"); you may not use this file except in
  3
+# compliance with the License. You may obtain a copy of the License at
  4
+# http://code.reddit.com/LICENSE. The License is based on the Mozilla Public
  5
+# License Version 1.1, but Sections 14 and 15 have been added to cover use of
  6
+# software over a computer network and provide for limited attribution for the
  7
+# Original Developer. In addition, Exhibit A has been modified to be consistent
  8
+# with Exhibit B.
  9
+#
  10
+# Software distributed under the License is distributed on an "AS IS" basis,
  11
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for
  12
+# the specific language governing rights and limitations under the License.
  13
+#
  14
+# The Original Code is reddit.
  15
+#
  16
+# The Original Developer is the Initial Developer.  The Initial Developer of
  17
+# the Original Code is reddit Inc.
  18
+#
  19
+# All portions of the code written by reddit are Copyright (c) 2006-2012 reddit
  20
+# Inc. All Rights Reserved.
  21
+###############################################################################
  22
+
  23
+"""An implementation of the RFC-6238 Time-Based One Time Password algorithm."""
  24
+
  25
+import time
  26
+import hmac
  27
+import base64
  28
+import struct
  29
+import hashlib
  30
+
  31
+
  32
+PERIOD = 30
  33
+
  34
+
  35
+def make_hotp(secret, counter):
  36
+    """Generate an RFC-4226 HMAC-Based One Time Password."""
  37
+    key = base64.b32decode(secret)
  38
+
  39
+    # compute the HMAC digest of the counter with the secret key
  40
+    counter_encoded = struct.pack(">q", counter)
  41
+    hmac_result = hmac.HMAC(key, counter_encoded, hashlib.sha1).digest()
  42
+
  43
+    # do HOTP dynamic truncation (see RFC4226 5.3)
  44
+    offset = ord(hmac_result[-1]) & 0x0f
  45
+    truncated_hash = hmac_result[offset:offset + 4]
  46
+    code_bits, = struct.unpack(">L", truncated_hash)
  47
+    htop = (code_bits & 0x7fffffff) % 1000000
  48
+
  49
+    # pad it out as necessary
  50
+    return "%06d" % htop
  51
+
  52
+
  53
+def make_totp(secret, skew=0, timestamp=None):
  54
+    """Generate an RFC-6238 Time-Based One Time Password."""
  55
+    timestamp = timestamp or time.time()
  56
+    counter = timestamp // PERIOD
  57
+    return make_hotp(secret, counter - skew)
  58
+
  59
+
  60
+def generate_secret():
  61
+    """Make a secret key suitable for use in TOTP."""
  62
+    from Crypto.Random import get_random_bytes
  63
+    bytes = get_random_bytes(20)
  64
+    encoded = base64.b32encode(bytes)
  65
+    return encoded
  66
+
  67
+
  68
+if __name__ == "__main__":
  69
+    # based on RFC-6238 Appendix B (trimmed to six-digit OTPs)
  70
+    secret = base64.b32encode("12345678901234567890")
  71
+    assert make_totp(secret, timestamp=59) == "287082"
  72
+    assert make_totp(secret, timestamp=1111111109) == "081804"
  73
+    assert make_totp(secret, timestamp=1111111111) == "050471"
  74
+    assert make_totp(secret, timestamp=1234567890) == "005924"
  75
+    assert make_totp(secret, timestamp=2000000000) == "279037"
  76
+    assert make_totp(secret, timestamp=20000000000) == "353130"
36  r2/r2/models/account.py
@@ -108,6 +108,7 @@ class Account(Thing):
108 108
                      gold_charter = False,
109 109
                      gold_creddits = 0,
110 110
                      gold_creddit_escrow = 0,
  111
+                     otp_secret=None,
111 112
                      )
112 113
 
113 114
     def has_interacted_with(self, sr):
@@ -241,6 +242,16 @@ def make_admin_cookie(self, first_login=None, last_request=None):
241 242
         mac = hmac.new(g.SECRET, hashable, hashlib.sha1).hexdigest()
242 243
         return ','.join((first_login, last_request, mac))
243 244
 
  245
+    def make_otp_cookie(self, timestamp=None):
  246
+        if not self._loaded:
  247
+            self._load()
  248
+
  249
+        timestamp = timestamp or datetime.utcnow().strftime(COOKIE_TIMESTAMP_FORMAT)
  250
+        secrets = [request.user_agent, self.otp_secret, self.password]
  251
+        signature = hmac.new(g.SECRET, ','.join([timestamp] + secrets), hashlib.sha1).hexdigest()
  252
+
  253
+        return ",".join((timestamp, signature))
  254
+
244 255
     def needs_captcha(self):
245 256
         return not g.disable_captcha and self.link_karma < 1
246 257
 
@@ -631,6 +642,31 @@ def valid_admin_cookie(cookie):
631 642
             first_login)
632 643
 
633 644
 
  645
+def valid_otp_cookie(cookie):
  646
+    if g.read_only_mode:
  647
+        return False
  648
+
  649
+    # parse the cookie
  650
+    try:
  651
+        remembered_at, signature = cookie.split(",")
  652
+    except ValueError:
  653
+        return False
  654
+
  655
+    # make sure it hasn't expired
  656
+    try:
  657
+        remembered_at_time = datetime.strptime(remembered_at, COOKIE_TIMESTAMP_FORMAT)
  658
+    except ValueError:
  659
+        return False
  660
+
  661
+    age = datetime.utcnow() - remembered_at_time
  662
+    if age.total_seconds() > g.OTP_COOKIE_TTL:
  663
+        return False
  664
+
  665
+    # validate
  666
+    expected_cookie = c.user.make_otp_cookie(remembered_at)
  667
+    return constant_time_compare(cookie, expected_cookie)
  668
+
  669
+
634 670
 def valid_feed(name, feedhash, path):
635 671
     if name and feedhash and path:
636 672
         from r2.lib.template_helpers import add_sr
26  r2/r2/public/static/css/reddit.css
@@ -3600,7 +3600,8 @@ ul.tabmenu.formtab {
3600 3600
 
3601 3601
 .roundfield textarea,
3602 3602
 .roundfield input[type=text],
3603  
-.roundfield input[type=password] {
  3603
+.roundfield input[type=password],
  3604
+.roundfield input[type=number] {
3604 3605
     font-size: 100%;
3605 3606
     width: 492px;
3606 3607
     padding: 3px;
@@ -5622,3 +5623,26 @@ tr.gold-accent + tr > td {
5622 5623
 .sr-description p {
5623 5624
     margin: .75em 0;
5624 5625
 }
  5626
+
  5627
+/** one-time password stuff **/
  5628
+#pref-otp .roundfield {
  5629
+    margin: 1em 0;
  5630
+}
  5631
+
  5632
+#pref-otp-qr {
  5633
+    display: none;
  5634
+}
  5635
+
  5636
+#otp-secret-info {
  5637
+    margin: 2em;
  5638
+    width: 512px;
  5639
+    font-size: small;
  5640
+}
  5641
+
  5642
+#otp-secret-info div {
  5643
+    margin: 1em 0;
  5644
+}
  5645
+
  5646
+#otp-secret-info .secret {
  5647
+    font-weight: bold;
  5648
+}
28  r2/r2/public/static/js/lib/jquery.qrcode.min.js
... ...
@@ -0,0 +1,28 @@
  1
+(function(r){r.fn.qrcode=function(h){var s;function u(a){this.mode=s;this.data=a}function o(a,c){this.typeNumber=a;this.errorCorrectLevel=c;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[]}function q(a,c){if(void 0==a.length)throw Error(a.length+"/"+c);for(var d=0;d<a.length&&0==a[d];)d++;this.num=Array(a.length-d+c);for(var b=0;b<a.length-d;b++)this.num[b]=a[b+d]}function p(a,c){this.totalCount=a;this.dataCount=c}function t(){this.buffer=[];this.length=0}u.prototype={getLength:function(){return this.data.length},
  2
+write:function(a){for(var c=0;c<this.data.length;c++)a.put(this.data.charCodeAt(c),8)}};o.prototype={addData:function(a){this.dataList.push(new u(a));this.dataCache=null},isDark:function(a,c){if(0>a||this.moduleCount<=a||0>c||this.moduleCount<=c)throw Error(a+","+c);return this.modules[a][c]},getModuleCount:function(){return this.moduleCount},make:function(){if(1>this.typeNumber){for(var a=1,a=1;40>a;a++){for(var c=p.getRSBlocks(a,this.errorCorrectLevel),d=new t,b=0,e=0;e<c.length;e++)b+=c[e].dataCount;
  3
+for(e=0;e<this.dataList.length;e++)c=this.dataList[e],d.put(c.mode,4),d.put(c.getLength(),j.getLengthInBits(c.mode,a)),c.write(d);if(d.getLengthInBits()<=8*b)break}this.typeNumber=a}this.makeImpl(!1,this.getBestMaskPattern())},makeImpl:function(a,c){this.moduleCount=4*this.typeNumber+17;this.modules=Array(this.moduleCount);for(var d=0;d<this.moduleCount;d++){this.modules[d]=Array(this.moduleCount);for(var b=0;b<this.moduleCount;b++)this.modules[d][b]=null}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount-
  4
+7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(a,c);7<=this.typeNumber&&this.setupTypeNumber(a);null==this.dataCache&&(this.dataCache=o.createData(this.typeNumber,this.errorCorrectLevel,this.dataList));this.mapData(this.dataCache,c)},setupPositionProbePattern:function(a,c){for(var d=-1;7>=d;d++)if(!(-1>=a+d||this.moduleCount<=a+d))for(var b=-1;7>=b;b++)-1>=c+b||this.moduleCount<=c+b||(this.modules[a+d][c+b]=
  5
+0<=d&&6>=d&&(0==b||6==b)||0<=b&&6>=b&&(0==d||6==d)||2<=d&&4>=d&&2<=b&&4>=b?!0:!1)},getBestMaskPattern:function(){for(var a=0,c=0,d=0;8>d;d++){this.makeImpl(!0,d);var b=j.getLostPoint(this);if(0==d||a>b)a=b,c=d}return c},createMovieClip:function(a,c,d){a=a.createEmptyMovieClip(c,d);this.make();for(c=0;c<this.modules.length;c++)for(var d=1*c,b=0;b<this.modules[c].length;b++){var e=1*b;this.modules[c][b]&&(a.beginFill(0,100),a.moveTo(e,d),a.lineTo(e+1,d),a.lineTo(e+1,d+1),a.lineTo(e,d+1),a.endFill())}return a},
  6
+setupTimingPattern:function(){for(var a=8;a<this.moduleCount-8;a++)null==this.modules[a][6]&&(this.modules[a][6]=0==a%2);for(a=8;a<this.moduleCount-8;a++)null==this.modules[6][a]&&(this.modules[6][a]=0==a%2)},setupPositionAdjustPattern:function(){for(var a=j.getPatternPosition(this.typeNumber),c=0;c<a.length;c++)for(var d=0;d<a.length;d++){var b=a[c],e=a[d];if(null==this.modules[b][e])for(var f=-2;2>=f;f++)for(var i=-2;2>=i;i++)this.modules[b+f][e+i]=-2==f||2==f||-2==i||2==i||0==f&&0==i?!0:!1}},setupTypeNumber:function(a){for(var c=
  7
+j.getBCHTypeNumber(this.typeNumber),d=0;18>d;d++){var b=!a&&1==(c>>d&1);this.modules[Math.floor(d/3)][d%3+this.moduleCount-8-3]=b}for(d=0;18>d;d++)b=!a&&1==(c>>d&1),this.modules[d%3+this.moduleCount-8-3][Math.floor(d/3)]=b},setupTypeInfo:function(a,c){for(var d=j.getBCHTypeInfo(this.errorCorrectLevel<<3|c),b=0;15>b;b++){var e=!a&&1==(d>>b&1);6>b?this.modules[b][8]=e:8>b?this.modules[b+1][8]=e:this.modules[this.moduleCount-15+b][8]=e}for(b=0;15>b;b++)e=!a&&1==(d>>b&1),8>b?this.modules[8][this.moduleCount-
  8
+b-1]=e:9>b?this.modules[8][15-b-1+1]=e:this.modules[8][15-b-1]=e;this.modules[this.moduleCount-8][8]=!a},mapData:function(a,c){for(var d=-1,b=this.moduleCount-1,e=7,f=0,i=this.moduleCount-1;0<i;i-=2)for(6==i&&i--;;){for(var g=0;2>g;g++)if(null==this.modules[b][i-g]){var n=!1;f<a.length&&(n=1==(a[f]>>>e&1));j.getMask(c,b,i-g)&&(n=!n);this.modules[b][i-g]=n;e--; -1==e&&(f++,e=7)}b+=d;if(0>b||this.moduleCount<=b){b-=d;d=-d;break}}}};o.PAD0=236;o.PAD1=17;o.createData=function(a,c,d){for(var c=p.getRSBlocks(a,
  9
+c),b=new t,e=0;e<d.length;e++){var f=d[e];b.put(f.mode,4);b.put(f.getLength(),j.getLengthInBits(f.mode,a));f.write(b)}for(e=a=0;e<c.length;e++)a+=c[e].dataCount;if(b.getLengthInBits()>8*a)throw Error("code length overflow. ("+b.getLengthInBits()+">"+8*a+")");for(b.getLengthInBits()+4<=8*a&&b.put(0,4);0!=b.getLengthInBits()%8;)b.putBit(!1);for(;!(b.getLengthInBits()>=8*a);){b.put(o.PAD0,8);if(b.getLengthInBits()>=8*a)break;b.put(o.PAD1,8)}return o.createBytes(b,c)};o.createBytes=function(a,c){for(var d=
  10
+0,b=0,e=0,f=Array(c.length),i=Array(c.length),g=0;g<c.length;g++){var n=c[g].dataCount,h=c[g].totalCount-n,b=Math.max(b,n),e=Math.max(e,h);f[g]=Array(n);for(var k=0;k<f[g].length;k++)f[g][k]=255&a.buffer[k+d];d+=n;k=j.getErrorCorrectPolynomial(h);n=(new q(f[g],k.getLength()-1)).mod(k);i[g]=Array(k.getLength()-1);for(k=0;k<i[g].length;k++)h=k+n.getLength()-i[g].length,i[g][k]=0<=h?n.get(h):0}for(k=g=0;k<c.length;k++)g+=c[k].totalCount;d=Array(g);for(k=n=0;k<b;k++)for(g=0;g<c.length;g++)k<f[g].length&&
  11
+(d[n++]=f[g][k]);for(k=0;k<e;k++)for(g=0;g<c.length;g++)k<i[g].length&&(d[n++]=i[g][k]);return d};s=4;for(var j={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52,
  12
+78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:1335,G18:7973,G15_MASK:21522,getBCHTypeInfo:function(a){for(var c=a<<10;0<=j.getBCHDigit(c)-j.getBCHDigit(j.G15);)c^=j.G15<<j.getBCHDigit(c)-j.getBCHDigit(j.G15);return(a<<10|c)^j.G15_MASK},getBCHTypeNumber:function(a){for(var c=a<<12;0<=j.getBCHDigit(c)-
  13
+j.getBCHDigit(j.G18);)c^=j.G18<<j.getBCHDigit(c)-j.getBCHDigit(j.G18);return a<<12|c},getBCHDigit:function(a){for(var c=0;0!=a;)c++,a>>>=1;return c},getPatternPosition:function(a){return j.PATTERN_POSITION_TABLE[a-1]},getMask:function(a,c,d){switch(a){case 0:return 0==(c+d)%2;case 1:return 0==c%2;case 2:return 0==d%3;case 3:return 0==(c+d)%3;case 4:return 0==(Math.floor(c/2)+Math.floor(d/3))%2;case 5:return 0==c*d%2+c*d%3;case 6:return 0==(c*d%2+c*d%3)%2;case 7:return 0==(c*d%3+(c+d)%2)%2;default:throw Error("bad maskPattern:"+
  14
+a);}},getErrorCorrectPolynomial:function(a){for(var c=new q([1],0),d=0;d<a;d++)c=c.multiply(new q([1,l.gexp(d)],0));return c},getLengthInBits:function(a,c){if(1<=c&&10>c)switch(a){case 1:return 10;case 2:return 9;case s:return 8;case 8:return 8;default:throw Error("mode:"+a);}else if(27>c)switch(a){case 1:return 12;case 2:return 11;case s:return 16;case 8:return 10;default:throw Error("mode:"+a);}else if(41>c)switch(a){case 1:return 14;case 2:return 13;case s:return 16;case 8:return 12;default:throw Error("mode:"+
  15
+a);}else throw Error("type:"+c);},getLostPoint:function(a){for(var c=a.getModuleCount(),d=0,b=0;b<c;b++)for(var e=0;e<c;e++){for(var f=0,i=a.isDark(b,e),g=-1;1>=g;g++)if(!(0>b+g||c<=b+g))for(var h=-1;1>=h;h++)0>e+h||c<=e+h||0==g&&0==h||i==a.isDark(b+g,e+h)&&f++;5<f&&(d+=3+f-5)}for(b=0;b<c-1;b++)for(e=0;e<c-1;e++)if(f=0,a.isDark(b,e)&&f++,a.isDark(b+1,e)&&f++,a.isDark(b,e+1)&&f++,a.isDark(b+1,e+1)&&f++,0==f||4==f)d+=3;for(b=0;b<c;b++)for(e=0;e<c-6;e++)a.isDark(b,e)&&!a.isDark(b,e+1)&&a.isDark(b,e+
  16
+2)&&a.isDark(b,e+3)&&a.isDark(b,e+4)&&!a.isDark(b,e+5)&&a.isDark(b,e+6)&&(d+=40);for(e=0;e<c;e++)for(b=0;b<c-6;b++)a.isDark(b,e)&&!a.isDark(b+1,e)&&a.isDark(b+2,e)&&a.isDark(b+3,e)&&a.isDark(b+4,e)&&!a.isDark(b+5,e)&&a.isDark(b+6,e)&&(d+=40);for(e=f=0;e<c;e++)for(b=0;b<c;b++)a.isDark(b,e)&&f++;a=Math.abs(100*f/c/c-50)/5;return d+10*a}},l={glog:function(a){if(1>a)throw Error("glog("+a+")");return l.LOG_TABLE[a]},gexp:function(a){for(;0>a;)a+=255;for(;256<=a;)a-=255;return l.EXP_TABLE[a]},EXP_TABLE:Array(256),
  17
+LOG_TABLE:Array(256)},m=0;8>m;m++)l.EXP_TABLE[m]=1<<m;for(m=8;256>m;m++)l.EXP_TABLE[m]=l.EXP_TABLE[m-4]^l.EXP_TABLE[m-5]^l.EXP_TABLE[m-6]^l.EXP_TABLE[m-8];for(m=0;255>m;m++)l.LOG_TABLE[l.EXP_TABLE[m]]=m;q.prototype={get:function(a){return this.num[a]},getLength:function(){return this.num.length},multiply:function(a){for(var c=Array(this.getLength()+a.getLength()-1),d=0;d<this.getLength();d++)for(var b=0;b<a.getLength();b++)c[d+b]^=l.gexp(l.glog(this.get(d))+l.glog(a.get(b)));return new q(c,0)},mod:function(a){if(0>
  18
+this.getLength()-a.getLength())return this;for(var c=l.glog(this.get(0))-l.glog(a.get(0)),d=Array(this.getLength()),b=0;b<this.getLength();b++)d[b]=this.get(b);for(b=0;b<a.getLength();b++)d[b]^=l.gexp(l.glog(a.get(b))+c);return(new q(d,0)).mod(a)}};p.RS_BLOCK_TABLE=[[1,26,19],[1,26,16],[1,26,13],[1,26,9],[1,44,34],[1,44,28],[1,44,22],[1,44,16],[1,70,55],[1,70,44],[2,35,17],[2,35,13],[1,100,80],[2,50,32],[2,50,24],[4,25,9],[1,134,108],[2,67,43],[2,33,15,2,34,16],[2,33,11,2,34,12],[2,86,68],[4,43,27],
  19
+[4,43,19],[4,43,15],[2,98,78],[4,49,31],[2,32,14,4,33,15],[4,39,13,1,40,14],[2,121,97],[2,60,38,2,61,39],[4,40,18,2,41,19],[4,40,14,2,41,15],[2,146,116],[3,58,36,2,59,37],[4,36,16,4,37,17],[4,36,12,4,37,13],[2,86,68,2,87,69],[4,69,43,1,70,44],[6,43,19,2,44,20],[6,43,15,2,44,16],[4,101,81],[1,80,50,4,81,51],[4,50,22,4,51,23],[3,36,12,8,37,13],[2,116,92,2,117,93],[6,58,36,2,59,37],[4,46,20,6,47,21],[7,42,14,4,43,15],[4,133,107],[8,59,37,1,60,38],[8,44,20,4,45,21],[12,33,11,4,34,12],[3,145,115,1,146,
  20
+116],[4,64,40,5,65,41],[11,36,16,5,37,17],[11,36,12,5,37,13],[5,109,87,1,110,88],[5,65,41,5,66,42],[5,54,24,7,55,25],[11,36,12],[5,122,98,1,123,99],[7,73,45,3,74,46],[15,43,19,2,44,20],[3,45,15,13,46,16],[1,135,107,5,136,108],[10,74,46,1,75,47],[1,50,22,15,51,23],[2,42,14,17,43,15],[5,150,120,1,151,121],[9,69,43,4,70,44],[17,50,22,1,51,23],[2,42,14,19,43,15],[3,141,113,4,142,114],[3,70,44,11,71,45],[17,47,21,4,48,22],[9,39,13,16,40,14],[3,135,107,5,136,108],[3,67,41,13,68,42],[15,54,24,5,55,25],[15,
  21
+43,15,10,44,16],[4,144,116,4,145,117],[17,68,42],[17,50,22,6,51,23],[19,46,16,6,47,17],[2,139,111,7,140,112],[17,74,46],[7,54,24,16,55,25],[34,37,13],[4,151,121,5,152,122],[4,75,47,14,76,48],[11,54,24,14,55,25],[16,45,15,14,46,16],[6,147,117,4,148,118],[6,73,45,14,74,46],[11,54,24,16,55,25],[30,46,16,2,47,17],[8,132,106,4,133,107],[8,75,47,13,76,48],[7,54,24,22,55,25],[22,45,15,13,46,16],[10,142,114,2,143,115],[19,74,46,4,75,47],[28,50,22,6,51,23],[33,46,16,4,47,17],[8,152,122,4,153,123],[22,73,45,
  22
+3,74,46],[8,53,23,26,54,24],[12,45,15,28,46,16],[3,147,117,10,148,118],[3,73,45,23,74,46],[4,54,24,31,55,25],[11,45,15,31,46,16],[7,146,116,7,147,117],[21,73,45,7,74,46],[1,53,23,37,54,24],[19,45,15,26,46,16],[5,145,115,10,146,116],[19,75,47,10,76,48],[15,54,24,25,55,25],[23,45,15,25,46,16],[13,145,115,3,146,116],[2,74,46,29,75,47],[42,54,24,1,55,25],[23,45,15,28,46,16],[17,145,115],[10,74,46,23,75,47],[10,54,24,35,55,25],[19,45,15,35,46,16],[17,145,115,1,146,116],[14,74,46,21,75,47],[29,54,24,19,
  23
+55,25],[11,45,15,46,46,16],[13,145,115,6,146,116],[14,74,46,23,75,47],[44,54,24,7,55,25],[59,46,16,1,47,17],[12,151,121,7,152,122],[12,75,47,26,76,48],[39,54,24,14,55,25],[22,45,15,41,46,16],[6,151,121,14,152,122],[6,75,47,34,76,48],[46,54,24,10,55,25],[2,45,15,64,46,16],[17,152,122,4,153,123],[29,74,46,14,75,47],[49,54,24,10,55,25],[24,45,15,46,46,16],[4,152,122,18,153,123],[13,74,46,32,75,47],[48,54,24,14,55,25],[42,45,15,32,46,16],[20,147,117,4,148,118],[40,75,47,7,76,48],[43,54,24,22,55,25],[10,
  24
+45,15,67,46,16],[19,148,118,6,149,119],[18,75,47,31,76,48],[34,54,24,34,55,25],[20,45,15,61,46,16]];p.getRSBlocks=function(a,c){var d=p.getRsBlockTable(a,c);if(void 0==d)throw Error("bad rs block @ typeNumber:"+a+"/errorCorrectLevel:"+c);for(var b=d.length/3,e=[],f=0;f<b;f++)for(var h=d[3*f+0],g=d[3*f+1],j=d[3*f+2],l=0;l<h;l++)e.push(new p(g,j));return e};p.getRsBlockTable=function(a,c){switch(c){case 1:return p.RS_BLOCK_TABLE[4*(a-1)+0];case 0:return p.RS_BLOCK_TABLE[4*(a-1)+1];case 3:return p.RS_BLOCK_TABLE[4*
  25
+(a-1)+2];case 2:return p.RS_BLOCK_TABLE[4*(a-1)+3]}};t.prototype={get:function(a){return 1==(this.buffer[Math.floor(a/8)]>>>7-a%8&1)},put:function(a,c){for(var d=0;d<c;d++)this.putBit(1==(a>>>c-d-1&1))},getLengthInBits:function(){return this.length},putBit:function(a){var c=Math.floor(this.length/8);this.buffer.length<=c&&this.buffer.push(0);a&&(this.buffer[c]|=128>>>this.length%8);this.length++}};"string"===typeof h&&(h={text:h});h=r.extend({},{render:"canvas",width:256,height:256,typeNumber:-1,
  26
+correctLevel:2,background:"#ffffff",foreground:"#000000"},h);return this.each(function(){var a;if("canvas"==h.render){a=new o(h.typeNumber,h.correctLevel);a.addData(h.text);a.make();var c=document.createElement("canvas");c.width=h.width;c.height=h.height;for(var d=c.getContext("2d"),b=h.width/a.getModuleCount(),e=h.height/a.getModuleCount(),f=0;f<a.getModuleCount();f++)for(var i=0;i<a.getModuleCount();i++){d.fillStyle=a.isDark(f,i)?h.foreground:h.background;var g=Math.ceil((i+1)*b)-Math.floor(i*b),
  27
+j=Math.ceil((f+1)*b)-Math.floor(f*b);d.fillRect(Math.round(i*b),Math.round(f*e),g,j)}}else{a=new o(h.typeNumber,h.correctLevel);a.addData(h.text);a.make();c=r("<table></table>").css("width",h.width+"px").css("height",h.height+"px").css("border","0px").css("border-collapse","collapse").css("background-color",h.background);d=h.width/a.getModuleCount();b=h.height/a.getModuleCount();for(e=0;e<a.getModuleCount();e++){f=r("<tr></tr>").css("height",b+"px").appendTo(c);for(i=0;i<a.getModuleCount();i++)r("<td></td>").css("width",
  28
+d+"px").css("background-color",a.isDark(e,i)?h.foreground:h.background).appendTo(f)}}a=c;jQuery(a).appendTo(this)})}})(jQuery);
23  r2/r2/public/static/js/qrcode.js
... ...
@@ -0,0 +1,23 @@
  1
+(function($) {
  2
+    $.fn.make_totp_qrcode = function (secret) {
  3
+        var form = $('#pref-otp'),
  4
+            newform = $('#pref-otp-qr'),
  5
+            placeholder = $('<div>'),
  6
+            uri = ('otpauth://totp/' + r.config.logged + '@' +
  7
+                   r.config.cur_domain + '?secret=' + secret)
  8
+
  9
+        newform.find('#otp-secret-info').append(
  10
+            placeholder,
  11
+            $('<p class="secret">').text(secret)
  12
+        )
  13
+
  14
+        placeholder.qrcode({
  15
+            width: 256,
  16
+            height: 256,
  17
+            text: uri
  18
+        })
  19
+
  20
+        newform.show()
  21
+        form.hide()
  22
+    }
  23
+})(jQuery)
83  r2/r2/templates/prefotp.html
... ...
@@ -0,0 +1,83 @@
  1
+## The contents of this file are subject to the Common Public Attribution
  2
+## License Version 1.0. (the "License"); you may not use this file except in
  3
+## compliance with the License. You may obtain a copy of the License at
  4
+## http://code.reddit.com/LICENSE. The License is based on the Mozilla Public
  5
+## License Version 1.1, but Sections 14 and 15 have been added to cover use of
  6
+## software over a computer network and provide for limited attribution for the
  7
+## Original Developer. In addition, Exhibit A has been modified to be
  8
+## consistent with Exhibit B.
  9
+##
  10
+## Software distributed under the License is distributed on an "AS IS" basis,
  11
+## WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for
  12
+## the specific language governing rights and limitations under the License.
  13
+##
  14
+## The Original Code is reddit.
  15
+##
  16
+## The Original Developer is the Initial Developer.  The Initial Developer of
  17
+## the Original Code is reddit Inc.
  18
+##
  19
+## All portions of the code written by reddit are Copyright (c) 2006-2012
  20
+## reddit Inc. All Rights Reserved.
  21
+###############################################################################
  22
+
  23
+<%!
  24
+  from r2.lib import js
  25
+  from r2.lib.strings import strings
  26
+%>
  27
+
  28
+<%namespace file="utils.html" import="error_field, _md"/>
  29
+<%namespace name="utils" file="utils.html"/>
  30
+
  31
+<h1>${_("two-factor authentication")}</h1>
  32
+
  33
+% if c.user.otp_secret:
  34
+<form action="/post/disable_otp" method="post" onsubmit="return post_form(this, 'disable_otp')" id="pref-otp">
  35
+
  36
+${_md("two-factor authentication is currently **enabled**. fill out the form below if you would like to disable it.", wrap=True)}
  37
+
  38
+<%utils:round_field title="${_('password')}" description="${_('(required)')}">
  39
+  <input type="password" name="password" />
  40
+  ${error_field("WRONG_PASSWORD", "password")}
  41
+</%utils:round_field>
  42
+
  43
+<%utils:round_field title="${_('one-time password')}" description="${_('(required)')}">
  44
+  <input type="number" name="otp" maxlength="6" />
  45
+  ${error_field("WRONG_PASSWORD", "otp")}
  46
+  ${error_field("NO_OTP_SECRET", "otp")}
  47
+  ${error_field("RATELIMIT", "otp")}
  48
+</%utils:round_field>
  49
+
  50
+<input type="submit" value="${_("disable")}">
  51
+</form>
  52
+% else:
  53
+<form action="/post/generate_otp_secret" method="post" onsubmit="return post_form(this, 'generate_otp_secret')" id="pref-otp">
  54
+
  55
+${_md("enter your current password below to start the activation process for two-factor authentication.", wrap=True)}
  56
+
  57
+<%utils:round_field title="${_('password')}" description="${_('(required)')}">
  58
+  <input type="password" name="password" />
  59
+  ${error_field("WRONG_PASSWORD", "password")}
  60
+</%utils:round_field>
  61
+
  62
+<input type="submit" value="${_("activate")}">
  63
+
  64
+</form>
  65
+
  66
+<form action="/post/enable_otp" method="post" onsubmit="return post_form(this, 'enable_otp')" id="pref-otp-qr">
  67
+
  68
+<div id="otp-secret-info">
  69
+    ${_md("below is your two-factor authentication secret. you can scan the QR code with Google Authenticator or enter the key below manually. you WILL NOT have another chance to see this secret.")}
  70
+</div>
  71
+
  72
+<%utils:round_field title="${_('one-time password')}" description="${_('(required)')}">
  73
+  <input type="number" name="otp" maxlength="6" />
  74
+  ${error_field("WRONG_PASSWORD", "otp")}
  75
+  ${error_field("EXPIRED", "otp")}
  76
+</%utils:round_field>
  77
+
  78
+<input type="submit" value="${_("enable")}">
  79
+
  80
+</form>
  81
+% endif
  82
+
  83
+${unsafe(js.use("qrcode"))}

0 notes on commit 8dfd73b

Please sign in to comment.
Something went wrong with that request. Please try again.