yms/validate.php
author Dan Fuhry <dan@enanocms.org>
Fri, 08 Apr 2016 17:23:16 -0400
Cursory wsapi v2.0 support (backwards compatible)

<?php

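/**
 * Special-page handler for the YubiKey OTP validation endpoint (wsapi).
 *
 * Request parameters are read from $_GET:
 *   id    - numeric client id; used to look up the client's API key in yms_clients
 *   otp   - the one-time password to validate
 *   nonce - optional; echoed back in the reply when supplied
 *   h     - optional request signature; verified against the client's key when present
 *
 * Every failure path answers through yms_send_reply(). The code after each of
 * those calls relies on yms_send_reply() terminating the request (otherwise a
 * missing 'id' would still reach the query below) — confirm in yms_send_reply
 * before changing that behaviour.
 */
function page_Special_YubikeyValidate()
{
  global $db, $session, $paths, $template, $plugins; // Common objects
  global $do_gzip;
  // gzip is switched off for this reply (presumably so the raw signed text
  // is sent as-is — verify against yms_send_reply if in doubt)
  $do_gzip = false;
  
  // Check parameters
  if ( !isset($_GET['id']) )
  {
    yms_send_reply('MISSING_PARAMETER', '', array('info' => 'id'));
  }
  
  if ( !isset($_GET['otp']) )
  {
    yms_send_reply('MISSING_PARAMETER', '', array('info' => 'otp'));
  }

  $nonce = null;
  if ( isset($_GET['nonce']) )
  {
    $nonce = $_GET['nonce'];
  }
  
  // first, get API key so we can properly sign responses.
  // intval() forces a plain integer, so interpolating $id into the query is safe.
  $id = intval($_GET['id']);
  $q = $db->sql_query("SELECT apikey FROM " . table_prefix . "yms_clients WHERE id = $id;");
  if ( !$q )
    $db->_die();
  
  if ( $db->numrows($q) < 1 )
    yms_send_reply("NO_SUCH_CLIENT");
  
  list($g_api_key) = $db->fetchrow_num($q);
  $db->free_result($q);
  
  // check API key: the signature is optional, but when a client sends one it
  // must verify, otherwise the request is rejected.
  if ( isset($_GET['h']) )
  {
    // the key is stored base64-encoded; the signer expects it as hex
    $hex_api_key = yms_hex_encode(base64_decode($g_api_key));
    $right_sig = yubikey_sign($_GET, $hex_api_key);
    // A non-string h (e.g. ?h[]=x) can never be a valid signature. For real
    // strings compare in constant time: a plain !== stops at the first
    // differing byte and leaks, via timing, how much of a forged signature is
    // already correct. hash_equals() needs PHP >= 5.6.
    if ( !is_string($right_sig) || !is_string($_GET['h']) || !hash_equals($right_sig, $_GET['h']) )
    {
      yms_send_reply('BAD_SIGNATURE');
    }
  }
  
  // expose the key so yms_send_reply() can sign the outgoing reply
  $GLOBALS['g_api_key'] =& $g_api_key;
  
  yms_send_reply(yms_validate_otp($_GET['otp'], $id), '', array('nonce' => $nonce, 'otp' => $_GET['otp']));
}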