PHP Google Authenticator

atomjoy · web-flow · commit 35457125331e · 2024-02-22T23:35:01.000+01:00
2FA two-step verification with php and Google Authenticator in Laravel.
diff --git a/README.md b/README.md
@@ -1,2 +1,65 @@
-# google-authenticator
+# PHP Google Authenticator
+
 2FA two-step verification with php and Google Authenticator in Laravel.
+
+## Install
+
+```sh
+composer require atomjoy/google-authenticator
+```
+
+## GoogleAuthenticator in Laravel
+
+How to generate code from user secret like in GoogleAuthenticator on Android but from php script.
+
+```php
+<?php
+
+use Atomjoy\GoogleAuthenticator\GoogleAuthenticator;
+use Illuminate\Support\Facades\Route;
+
+// Get GoogleAuthenticator code
+Route::get('/test/2fa/google/{secret}', function ($secret) {
+  // Authenticator
+  $ga = new GoogleAuthenticator();
+
+  // Create secret for user (first time)
+  if ($secret == 'create') {
+    // Create secret enable 2fa (save secret in database)
+    $secret = $ga->createSecret();
+
+    // QR-Code image
+    $url = $ga->getQRCodeUrl('Appname:user@example.com', $secret);
+
+    // Show user qr-code
+    echo "<h1>New secret is: " . $secret . "</h1>";
+    echo '<h2>Google Charts URL for the QR-Code:</h2>';
+    echo '<p><img src="' . $url . '"> </p>';
+  } else {
+    // Generate code from user secret like in GoogleAuthenticator on Android but from php script
+    // Past this code in github 2fa confirm code form
+    $code = $ga->getCode($secret);
+    echo "<p>Checking code <b>" . $code . "</b> and Secret <b>" . $secret . "</b> use this code in 2fa on github, facebook, ...</p>";
+
+    // Confirm code (allow 2*30sec clock tolerance)
+    if ($ga->verifyCode($secret, $code, 2)) {
+      echo '<h3 style="color: #5c5">OK</h3>';
+    } else {
+      echo '<h3 style="color: #f23">FAILED</h3>';
+    }
+  }
+});
+```
+
+## Enable github two factor with php script
+
+```sh
+php artisan serve
+
+# 1. Get and save generated secret when enabling two-factor authentication in panel settings
+# QR-code example github_2fa_secret: FA7DKAS2MK6SH3BN
+
+# 2. Enable or Login with 2fa secret
+# Get 6-digit code and past in github 2fa form 😄 (refresh every 30 seconds)
+http://127.0.0.1:8000/test/2fa/google/{github_2fa_secret}
+```
diff --git a/composer.json b/composer.json
@@ -0,0 +1,34 @@
+{
+	"name": "atomjoy/google-authenticator",
+	"description": "Php Google Authenticator library.",
+	"type": "library",
+	"license": "MIT",
+	"autoload": {
+		"classmap": [
+			"src/"
+		],
+		"psr-4": {
+			"Atomjoy\\GoogleAuthenticator\\": "src/"
+		}
+	},
+	"autoload-dev": {
+		"psr-4": {
+			"Atomjoy\\GoogleAuthenticator\\Tests\\": "tests/"
+		}
+	},
+	"authors": [
+		{
+			"name": "Atomjoy",
+			"email": "atomjoy.official@gmail.com"
+		}
+	],
+	"minimum-stability": "dev",
+	"require": {
+		"php": "^8.1"
+	},
+	"extra": {
+		"laravel": {
+			"providers": []
+		}
+	}
+}
diff --git a/src/GoogleAuthenticator.php b/src/GoogleAuthenticator.php
@@ -0,0 +1,217 @@
+<?php
+
+namespace Atomjoy\GoogleAuthenticator;
+
+use Exception;
+
+/**
+ * PHP Class for handling Google Authenticator 2-factor authentication.
+ *
+ * References
+ * https://github.com/PHPGangsta/GoogleAuthenticator
+ * https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+ * https://github.com/dochne/google-authenticator
+ * https://jsfiddle.net/etk912zc/3/
+ * https://jsfiddle.net/russau/ch8PK/
+ * http://blog.tinisles.com/2011/10/google-authenticator-one-time-password-algorithm-in-javascript/
+ */
+class GoogleAuthenticator
+{
+	protected $codeLength = 6;
+
+	/**
+	 * Create new secret.
+	 * 16 characters, randomly chosen from the allowed base32 characters.
+	 *
+	 * @param int $secretLength
+	 *
+	 * @return string
+	 */
+	public function createSecret($secretLength = 16)
+	{
+		$validChars = $this->allowedChars();
+
+		// Valid secret lengths are 80 to 640 bits
+		if ($secretLength < 16 || $secretLength > 128) {
+			throw new Exception('Bad secret length');
+		}
+
+		$secret = '';
+
+		$rnd = random_bytes($secretLength);
+
+		if ($rnd !== false) {
+			for ($i = 0; $i < $secretLength; ++$i) {
+				$secret .= $validChars[ord($rnd[$i]) & 31];
+			}
+		} else {
+			throw new Exception('No source of secure random');
+		}
+
+		return $secret;
+	}
+
+	/**
+	 * Calculate the code, with given secret and point in time.
+	 *
+	 * @param string   $secret
+	 * @param int|null $timeSlice
+	 *
+	 * @return string
+	 */
+	public function getCode($secret, $timeSlice = null)
+	{
+		if ($timeSlice === null) {
+			$timeSlice = floor(time() / 30);
+		}
+		// Key
+		$secretkey = $this->base32Decode($secret);
+		// Pack time into binary string
+		$time = chr(0) . chr(0) . chr(0) . chr(0) . pack('N*', $timeSlice);
+		// Hash it with users secret key
+		$hm = hash_hmac('SHA1', $time, $secretkey, true);
+		// Use last nipple of result as index/offset
+		$offset = ord(substr($hm, -1)) & 0x0F;
+		// grab 4 bytes of the result
+		$hashpart = substr($hm, $offset, 4);
+		// Unpak binary value
+		$value = unpack('N', $hashpart);
+		$value = $value[1];
+		// Only 32 bits
+		$value = $value & 0x7FFFFFFF;
+		$modulo = pow(10, $this->codeLength);
+
+		return str_pad($value % $modulo, $this->codeLength, '0', STR_PAD_LEFT);
+	}
+
+	/**
+	 * Get QR-Code URL for image, from google charts.
+	 *
+	 * @param string $name
+	 * @param string $secret
+	 * @param string $title
+	 * @param array  $params
+	 *
+	 * @return string
+	 */
+	public function getQRCodeUrl($name, $secret, $title = null, $params = array())
+	{
+		$width = !empty($params['width']) && (int) $params['width'] > 0 ? (int) $params['width'] : 200;
+		$height = !empty($params['height']) && (int) $params['height'] > 0 ? (int) $params['height'] : 200;
+		$level = !empty($params['level']) && array_search($params['level'], array('L', 'M', 'Q', 'H')) !== false ? $params['level'] : 'M';
+
+		$urlencoded = urlencode('otpauth://totp/' . $name . '?secret=' . $secret . '');
+
+		if (isset($title)) {
+			$urlencoded .= urlencode('&issuer=' . urlencode($title));
+		}
+
+		return "https://chart.googleapis.com/chart?chs=" . $width . "x" . $height . "&cht=qr&chl=" . $width . "x" . $height . "&chld=" . $level . "|0&cht=qr&chl=" . $urlencoded;
+	}
+
+	/**
+	 * Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now.
+	 *
+	 * @param string   $secret
+	 * @param string   $code
+	 * @param int      $discrepancy      This is the allowed time drift in 30 second units (8 means 4 minutes before or after)
+	 * @param int|null $currentTimeSlice time slice if we want use other that time()
+	 *
+	 * @return bool
+	 */
+	public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null)
+	{
+		if ($currentTimeSlice === null) {
+			$currentTimeSlice = floor(time() / 30);
+		}
+
+		if (strlen($code) != 6) {
+			return false;
+		}
+
+		for ($i = -$discrepancy; $i <= $discrepancy; ++$i) {
+			$calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
+			if (hash_equals($calculatedCode, $code)) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * Set the code length, should be >=6.
+	 *
+	 * @param int $length
+	 *
+	 * @return GoogleAuthenticator
+	 */
+	public function setCodeLength($length)
+	{
+		$this->codeLength = $length;
+		return $this;
+	}
+
+	/**
+	 * Helper class to decode base32.
+	 *
+	 * @param $secret
+	 *
+	 * @return bool|string
+	 */
+	protected function base32Decode($secret)
+	{
+		if (empty($secret)) {
+			return '';
+		}
+		$base32chars = $this->allowedChars();
+		$base32charsFlipped = array_flip($base32chars);
+		$paddingCharCount = substr_count($secret, $base32chars[32]);
+		$allowedValues = array(6, 4, 3, 1, 0);
+		if (!in_array($paddingCharCount, $allowedValues)) {
+			return false;
+		}
+		for ($i = 0; $i < 4; ++$i) {
+			if (
+				$paddingCharCount == $allowedValues[$i] &&
+				substr($secret, - ($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])
+			) {
+				return false;
+			}
+		}
+		$secret = str_replace('=', '', $secret);
+		$secret = str_split($secret);
+		$binaryString = '';
+		for ($i = 0; $i < count($secret); $i = $i + 8) {
+			$x = '';
+			if (!in_array($secret[$i], $base32chars)) {
+				return false;
+			}
+			for ($j = 0; $j < 8; ++$j) {
+				$x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
+			}
+			$eightBits = str_split($x, 8);
+			for ($z = 0; $z < count($eightBits); ++$z) {
+				$binaryString .= (($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48) ? $y : '';
+			}
+		}
+
+		return $binaryString;
+	}
+
+	/**
+	 * Get array with all 32 characters for decoding from/encoding to base32.
+	 *
+	 * @return array
+	 */
+	protected function allowedChars()
+	{
+		return array(
+			'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', //  7
+			'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
+			'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
+			'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
+			'=',  // padding char
+		);
+	}
+}
