
commit c068e3b2c805cd95789d4f6cb263c0ed19d25eed
parent 8b88f16ab4bb2b211e52502d9520cb2ce6007da3
Author: Jan Dankert <devnull@localhost>
Date:   Wed,  8 Nov 2017 20:33:21 +0100

Beim Anlegen neuer Benutzer ein neues OTP-Secret erzeugen.

Diffstat:
action/UserAction.class.php | 4++--
model/User.class.php | 26++++++++++++++++++++++----
2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/action/UserAction.class.php b/action/UserAction.class.php @@ -217,7 +217,7 @@ class UserAction extends Action $account = $this->user->name.'@'.$_SERVER['SERVER_NAME']; $base32 = new Base2n(5, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', FALSE, TRUE, TRUE); - $secret = $base32->encode(hex2bin($this->user->otpSecret)); + $secret = $base32->encode(@hex2bin($this->user->otpSecret)); $counter = $this->user->hotpCount; @@ -226,7 +226,7 @@ class UserAction extends Action array('totpSecretUrl' => "otpauth://totp/{$issuer}:{$account}?secret={$secret}&issuer={$issuer}", 'hotpSecretUrl' => "otpauth://hotp/{$issuer}:{$account}?secret={$secret}&issuer={$issuer}&counter={$counter}" ) - + array('totpToken'=>$this->user->getCode()) + + array('totpToken'=>$this->user->getTOTPCode()) ); $this->setTemplateVar( 'allstyles',$this->user->getAvailableStyles() ); diff --git a/model/User.class.php b/model/User.class.php @@ -434,8 +434,8 @@ SQL $this->userid = intval($sql->getOne($sql))+1; $sql = $db->sql('INSERT INTO {{user}}'. - ' (id,name,password_hash,ldap_dn,fullname,tel,mail,descr,style,is_admin)'. - " VALUES( {userid},{name},'','','','','','','default',0 )" ); + ' (id,name,password_hash,ldap_dn,fullname,tel,mail,descr,style,is_admin,password_salt)'. + " VALUES( {userid},{name},'','','','','','','default',0,'' )" ); $sql->setInt ('userid',$this->userid); $sql->setString('name' ,$this->name ); @@ -443,6 +443,8 @@ SQL $sql->query( $sql ); $this->addNewUserGroups(); // Neue Gruppen hinzufuegen. + + $this->renewOTPSecret(); } @@ -955,7 +957,7 @@ SQL { $codeLength = 6; $timeSlice = floor(time() / 30); - $secretkey = hex2bin($this->otpSecret); + $secretkey = @hex2bin($this->otpSecret); // Pack time into binary string $time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice); // Hash it with users secret key 
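Review bot: The `@` added to hex2bin() in the first UserAction hunk (`$secret = $base32->encode(@hex2bin(...))`) and in the last User.class.php hunk on this line (`$secretkey = @hex2bin($this->otpSecret)`) hides the failure instead of handling it: when otpSecret is empty or not valid hex, hex2bin() emits a warning and returns false, and the following encode()/hash step would presumably proceed with an empty key, producing a predictable code and a bogus otpauth URL rather than an error. Check the value before using it, e.g. `$secretkey = hex2bin($this->otpSecret); if ($secretkey === false) throw new \RuntimeException('user has no valid OTP secret');`, and in UserAction skip the secret URLs and token for such a user. Since renewOTPSecret() now runs on creation, only users created before this commit can still carry an empty secret, so the guard mainly covers that migration case. The functions enclosing both hunks start outside them.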
@@ -974,7 +976,23 @@ SQL
 }
-
+ /**
+ * Erzeugt ein neues OTP-Secret.
+ */
+ public function renewOTPSecret() {
+
+ $secret = Password::randomHexString(64);
+
+ $db = db_connection();
+
+ $stmt = $db->sql('UPDATE {{user}} SET otp_secret={secret} WHERE id={id}');
+
+ $stmt->setString( 'secret', $secret );
+ $stmt->setInt ( 'id' , $this->userid );
+
+ $stmt->execute();
+
+ }
 }
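Review bot: renewOTPSecret() writes the new secret to the database but never assigns it to `$this->otpSecret`, so the in-memory user keeps the previous value until it is reloaded, and code that presumably computes a TOTP code or otpauth URL from this object after the call would use the stale secret. Add `$this->otpSecret = $secret;` right after the `Password::randomHexString(64)` line. The secret's strength rests entirely on Password::randomHexString() drawing from a CSPRNG (random_bytes() or equivalent); that helper is outside this diff, so confirm it and record the requirement in the docblock, e.g. `* The secret is the shared TOTP/HOTP key and must come from a cryptographically secure RNG.` The UPDATE itself binds its values through setString()/setInt(), which is fine.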