Yubikey Management Server: yms/validate.php@31387f4022e5 (annotated)

0 9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	1	<?php
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	2
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	3	function page_Special_YubikeyValidate()
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	4	{
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	5	global $db, $session, $paths, $template, $plugins; // Common objects
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	6	global $do_gzip;
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	7	$do_gzip = false;
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	8
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	9	// Check parameters
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	10	if ( !isset($_GET['id']) )
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	11	{
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	12	yms_send_reply('MISSING_PARAMETER', '', array('info' => 'id'));
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	13	}
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	14
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	15	if ( !isset($_GET['otp']) )
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	16	{
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	17	yms_send_reply('MISSING_PARAMETER', '', array('info' => 'otp'));
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	18	}
10 351d40b21cbc Cursory wsapi v2.0 support (backwards compatible) Dan Fuhry <dan@enanocms.org> parents: 0 diff changeset	19
351d40b21cbc Cursory wsapi v2.0 support (backwards compatible) Dan Fuhry <dan@enanocms.org> parents: 0 diff changeset	20	$nonce = null;
351d40b21cbc Cursory wsapi v2.0 support (backwards compatible) Dan Fuhry <dan@enanocms.org> parents: 0 diff changeset	21	if ( isset($_GET['nonce']) )
351d40b21cbc Cursory wsapi v2.0 support (backwards compatible) Dan Fuhry <dan@enanocms.org> parents: 0 diff changeset	22	{
351d40b21cbc Cursory wsapi v2.0 support (backwards compatible) Dan Fuhry <dan@enanocms.org> parents: 0 diff changeset	23	$nonce = $_GET['nonce'];
351d40b21cbc Cursory wsapi v2.0 support (backwards compatible) Dan Fuhry <dan@enanocms.org> parents: 0 diff changeset	24	}
0 9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	25
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	26	// first, get API key so we can properly sign responses
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	27	$id = intval($_GET['id']);
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	28	$q = $db->sql_query("SELECT apikey FROM " . table_prefix . "yms_clients WHERE id = $id;");
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	29	if ( !$q )
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	30	$db->_die();
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	31
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	32	if ( $db->numrows($q) < 1 )
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	33	yms_send_reply("NO_SUCH_CLIENT");
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	34
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	35	list($g_api_key) = $db->fetchrow_num($q);
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	36	$db->free_result($q);
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	37
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	38	// check API key
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	39	if ( isset($_GET['h']) )
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	40	{
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	41	$hex_api_key = yms_hex_encode(base64_decode($g_api_key));
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	42	$right_sig = yubikey_sign($_GET, $hex_api_key);
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	43	if ( $right_sig !== $_GET['h'] )
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	44	{
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	45	yms_send_reply('BAD_SIGNATURE');
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	46	}
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	47	}
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	48
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	49	$GLOBALS['g_api_key'] =& $g_api_key;
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	50
10 351d40b21cbc Cursory wsapi v2.0 support (backwards compatible) Dan Fuhry <dan@enanocms.org> parents: 0 diff changeset	51	yms_send_reply(yms_validate_otp($_GET['otp'], $id), '', array('nonce' => $nonce, 'otp' => $_GET['otp']));
0 9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	52	}
9997bee9ad03 First commit. Lacks key deletion support and an admin CP for controlling options. Dan parents: diff changeset	53

author	Dan Fuhry <dan@enanocms.org>
	Wed, 11 Jan 2017 13:02:34 +0000
changeset 12	31387f4022e5
parent 10	351d40b21cbc
permissions	-rw-r--r--