73 // we're ok, use normal password auth |
73 // we're ok, use normal password auth |
74 return null; |
74 return null; |
75 } |
75 } |
76 else |
76 else |
77 { |
77 { |
78 // user did enter an OTP |
78 // user did enter an OTP; make sure it's associated with the username |
|
79 $yubi_uid = $db->escape(substr($userdata['yubikey_otp'], 0, 12)); |
|
80 $q = $db->sql_query('SELECT 1 FROM ' . table_prefix . 'yubikey WHERE yubi_uid = \'' . $yubi_uid . '\';'); |
|
81 if ( !$q ) |
|
82 $db->die_json(); |
|
83 if ( $db->numrows() < 1 ) |
|
84 { |
|
85 $db->free_result(); |
|
86 return array( |
|
87 'mode' => 'error', |
|
88 'error' => 'yubiauth_err_key_not_authorized' |
|
89 ); |
|
90 } |
|
91 $db->free_result(); |
79 $do_validate_otp = true; |
92 $do_validate_otp = true; |
80 } |
93 } |
81 } |
94 } |
82 else if ( !empty($userdata['yubikey_otp']) ) |
95 else if ( !empty($userdata['yubikey_otp']) ) |
83 { |
96 { |
132 { |
145 { |
133 if ( !$do_validate_pass ) |
146 if ( !$do_validate_pass ) |
134 $session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" |
147 $session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" |
135 . ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \'(Yubikey)\', ' |
148 . ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \'(Yubikey)\', ' |
136 . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
149 . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); |
|
150 |
|
151 if ( $otp_check['error'] === 'http_failed' ) |
|
152 { |
|
153 return array( |
|
154 'mode' => 'error', |
|
155 'error' => 'yubiauth_err_' . $otp_check['error'], |
|
156 'http_error' => $otp_check['http_error'] |
|
157 ); |
|
158 } |
137 return array( |
159 return array( |
138 'mode' => 'error', |
160 'mode' => 'error', |
139 'error' => 'yubiauth_err_' . $otp_check['error'] |
161 'error' => 'yubiauth_err_' . $otp_check['error'] |
140 ); |
162 ); |
141 } |
163 } |
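Review bot: The lookup added at new lines 79-91 only checks that the OTP's 12-character prefix exists somewhere in the `yubikey` table, not that it belongs to the account being logged into, although the updated comment on new line 78 says it makes sure the key is "associated with the username". Unless a check outside the shown lines binds the key to the user, a registered key is accepted at this gate regardless of which username was submitted. The WHERE clause should also match the owning account, e.g. `... WHERE yubi_uid = '$yubi_uid' AND <owner column> = <id resolved from the submitted username>`; the table's owner column is not visible here, so that name is a placeholder. The enclosing function begins and ends outside the shown lines, so this should be confirmed against the rest of the body.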