68 lines
2.1 KiB
PHP
68 lines
2.1 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
namespace App\Services;
|
|
|
|
/**
|
|
* TotpService
|
|
*
|
|
* Implements RFC 6238 for Two-Factor Authentication (TOTP).
|
|
*/
|
|
final class TotpService
|
|
{
|
|
public function generateSecret(): string
|
|
{
|
|
// Generate a random 16-character base32 secret
|
|
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
|
|
$secret = '';
|
|
for ($i = 0; $i < 16; $i++) {
|
|
$secret .= $chars[random_int(0, 31)];
|
|
}
|
|
return $secret;
|
|
}
|
|
|
|
public function getQrCodeUrl(string $email, string $secret): string
|
|
{
|
|
$issuer = urlencode('Musadaq');
|
|
$email = urlencode($email);
|
|
$qrUrl = "otpauth://totp/Musadaq:{$email}?secret={$secret}&issuer=Musadaq";
|
|
return "https://api.qrserver.com/v1/create-qr-code/?size=200x200&data=" . urlencode($qrUrl);
|
|
}
|
|
|
|
public function verify(string $secret, string $code, int $window = 1): bool
|
|
{
|
|
$time = floor(time() / 30);
|
|
for ($i = -$window; $i <= $window; $i++) {
|
|
$t = $time + $i;
|
|
$hash = hash_hmac('sha1', pack('N*', 0) . pack('N*', $t), $this->base32Decode($secret));
|
|
$offset = ord($hash[19]) & 0x0F;
|
|
$otp = ((ord($hash[$offset]) & 0x7F) << 24 | (ord($hash[$offset+1]) & 0xFF) << 16 | (ord($hash[$offset+2]) & 0xFF) << 8 | (ord($hash[$offset+3]) & 0xFF)) % 1000000;
|
|
if (str_pad((string)$otp, 6, '0', STR_PAD_LEFT) === $code) return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private function base32Decode(string $base32): string
|
|
{
|
|
$base32chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
|
|
$base32charsFlipped = array_flip(str_split($base32chars));
|
|
|
|
$output = '';
|
|
$v = 0;
|
|
$vbits = 0;
|
|
|
|
for ($i = 0, $j = strlen($base32); $i < $j; $i++) {
|
|
$v <<= 5;
|
|
if (isset($base32charsFlipped[$base32[$i]])) {
|
|
$v += $base32charsFlipped[$base32[$i]];
|
|
}
|
|
$vbits += 5;
|
|
|
|
while ($vbits >= 8) {
|
|
$vbits -= 8;
|
|
$output .= chr(($v >> $vbits) & 0xFF);
|
|
}
|
|
}
|
|
return $output;
|
|
}
|
|
}
|