Mercurial Mercurial > repos > yubikey / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
plugins/yubikey/auth.php
changeset 17 e04c0f64e972
parent 5 2114640729a5
child 25 2e7ccbdfdc0a 
--- a/plugins/yubikey/auth.php	Thu Apr 30 16:11:13 2009 -0400
+++ b/plugins/yubikey/auth.php	Thu Apr 30 16:11:40 2009 -0400
@@ -75,7 +75,20 @@
     }
     else
     {
-      // user did enter an OTP
+      // user did enter an OTP; make sure it's associated with the username
+      $yubi_uid = $db->escape(substr($userdata['yubikey_otp'], 0, 12));
+      $q = $db->sql_query('SELECT 1 FROM ' . table_prefix . 'yubikey WHERE yubi_uid = \'' . $yubi_uid . '\';');
+      if ( !$q )
+        $db->die_json();
+      if ( $db->numrows() < 1 )
+      {
+        $db->free_result();
+        return array(
+            'mode' => 'error',
+            'error' => 'yubiauth_err_key_not_authorized'
+          );
+      }
+      $db->free_result();
       $do_validate_otp = true;
     }
   }
@@ -134,6 +147,15 @@
         $session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
                    . '  (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \'(Yubikey)\', '
                       . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+      
+      if ( $otp_check['error'] === 'http_failed' )
+      {
+        return array(
+            'mode' => 'error',
+            'error' => 'yubiauth_err_' . $otp_check['error'],
+            'http_error' => $otp_check['http_error']
+          );
+      }
       return array(
           'mode' => 'error',
           'error' => 'yubiauth_err_' . $otp_check['error']
Yubikey support