From 8553efabc16234b7c11845789a1c22948e41a8af Mon Sep 17 00:00:00 2001
From: Ryan
Date: Fri, 11 Apr 2025 18:41:44 -0400
Subject: [PATCH] Upgrade dependencies: update robthree/twofactorauth to v3 and endroid/qr-code to v5; update TOTP integration (namespace, enum, QR provider) accordingly

---
 CHANGELOG.md | 3 ++
 auth.php | 11 +++++++-
 composer.json | 4 +--
 composer.lock | 74 +++++++++++++++++++++++++++----------------------
 totp_setup.php | 16 ++++++-----
 totp_verify.php | 20 +++++++++++--
 6 files changed, 83 insertions(+), 45 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 076fb15..976f466 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@
 - Moved change password close button to the top right of the modal.
 - Updated upload regex pattern to be Unicode‑enabled and added additional security measures. [(#19)](https://github.com/error311/FileRise/issues/19)
 - Updated filename, folder, and username regex acceptance patterns.
+- Updated robthree/twofactorauth to v3 and endroid/qr-code to v5
+- Updated TOTP integration (namespace, enum, QR provider) accordingly
+- Updated docker image from 22.04 to 24.04
 
 ---
 
diff --git a/auth.php b/auth.php
index fa52502..17e1ca5 100644
--- a/auth.php
+++ b/auth.php
@@ -2,6 +2,9 @@
 require_once 'vendor/autoload.php';
 require_once 'config.php';
 
+use RobThree\Auth\Algorithm;
+use RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider;
+
 // Only send the Content-Type header; CORS and related headers are handled via .htaccess.
 header('Content-Type: application/json');
 
@@ -197,7 +200,13 @@ if ($user !== false) {
 ]);
 exit();
 } else {
-$tfa = new \RobThree\Auth\TwoFactorAuth('FileRise');
+$tfa = new \RobThree\Auth\TwoFactorAuth(
+new GoogleChartsQrCodeProvider(), // QR code provider
+'FileRise', // issuer
+6, // number of digits
+30, // period in seconds
+Algorithm::Sha1 // Correct enum case name from your enum
+);
 $providedCode = trim($data['totp_code']);
 if (!$tfa->verifyCode($user['totp_secret'], $providedCode)) {
 echo json_encode(["error" => "Invalid TOTP code"]);
diff --git a/composer.json b/composer.json
index bcb5099..2eb59e0 100644
--- a/composer.json
+++ b/composer.json
@@ -5,7 +5,7 @@
 "require": {
 "jumbojett/openid-connect-php": "^1.0.0",
 "phpseclib/phpseclib": "~3.0.7",
-"robthree/twofactorauth": "^1.7",
-"endroid/qr-code": "^4.0"
+"robthree/twofactorauth": "^3.0",
+"endroid/qr-code": "^5.0"
 }
 }
\ No newline at end of file
diff --git a/composer.lock b/composer.lock
index 5855b57..948e444 100644
--- a/composer.lock
+++ b/composer.lock
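Review bot: The provider on the first line of the new constructor call is, by its name, a remote HTTP QR provider, which means any later `$tfa->getQRCodeImageAsDataUri()` would ship the otpauth URI — shared secret included — to a third-party service; and I do not find `GoogleChartsQrCodeProvider` among the v3 bundled providers (ImageChartsQRCodeProvider, QRServerProvider, QRicketProvider, BaconQrCodeProvider, EndroidQrCodeProvider), so confirm the class actually autoloads from vendor/, because an undefined class on this line is a fatal on every password login. totp_setup.php already renders the QR locally with Endroid's Builder, so nothing in this patch needs a remote provider; `new \RobThree\Auth\Providers\Qr\EndroidQrCodeProvider()` (endroid/qr-code is already a dependency) or simply `null`, since the library only needs a provider when it renders a QR itself, keeps the secret on this host. The identical five-argument construction is repeated in totp_setup.php and twice in totp_verify.php; one factory in config.php such as `function makeTotp(): \RobThree\Auth\TwoFactorAuth` guarantees digits, period and algorithm cannot drift between enrolment and verification, where a mismatch would reject every code. `// Correct enum case name from your enum` describes the editing session rather than the code; `// SHA1: RFC 6238 default and what existing stored secrets were enrolled with` tells a maintainer why it must not change. The enclosing `if ($user !== false) { … } else {` block starts and ends outside the hunk.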
@@ -4,32 +4,32 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "c9857f23364f2280ef4b71cdc72d3f78", + "content-hash": "6b70aec0c1830ebb2b8f9bb625b04a22", "packages": [ { "name": "bacon/bacon-qr-code", - "version": "2.0.8", + "version": "v3.0.1", "source": { "type": "git", "url": "https://github.com/Bacon/BaconQrCode.git", - "reference": "8674e51bb65af933a5ffaf1c308a660387c35c22" + "reference": "f9cc1f52b5a463062251d666761178dbdb6b544f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Bacon/BaconQrCode/zipball/8674e51bb65af933a5ffaf1c308a660387c35c22", - "reference": "8674e51bb65af933a5ffaf1c308a660387c35c22", + "url": "https://api.github.com/repos/Bacon/BaconQrCode/zipball/f9cc1f52b5a463062251d666761178dbdb6b544f", + "reference": "f9cc1f52b5a463062251d666761178dbdb6b544f", "shasum": "" }, "require": { "dasprid/enum": "^1.0.3", "ext-iconv": "*", - "php": "^7.1 || ^8.0" + "php": "^8.1" }, "require-dev": { - "phly/keep-a-changelog": "^2.1", - "phpunit/phpunit": "^7 | ^8 | ^9", - "spatie/phpunit-snapshot-assertions": "^4.2.9", - "squizlabs/php_codesniffer": "^3.4" + "phly/keep-a-changelog": "^2.12", + "phpunit/phpunit": "^10.5.11 || 11.0.4", + "spatie/phpunit-snapshot-assertions": "^5.1.5", + "squizlabs/php_codesniffer": "^3.9" }, "suggest": { "ext-imagick": "to generate QR code images" @@ -56,9 +56,9 @@ "homepage": "https://github.com/Bacon/BaconQrCode", "support": { "issues": "https://github.com/Bacon/BaconQrCode/issues", - "source": "https://github.com/Bacon/BaconQrCode/tree/2.0.8" + "source": "https://github.com/Bacon/BaconQrCode/tree/v3.0.1" }, - "time": "2022-12-07T17:46:57+00:00" + "time": "2024-10-01T13:55:55+00:00" }, { "name": "dasprid/enum", 
@@ -112,29 +112,26 @@ }, { "name": "endroid/qr-code", - "version": "4.8.5", + "version": "5.1.0", "source": { "type": "git", "url": "https://github.com/endroid/qr-code.git", - "reference": "0db25b506a8411a5e1644ebaa67123a6eb7b6a77" + "reference": "393fec6c4cbdc1bd65570ac9d245704428010122" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/endroid/qr-code/zipball/0db25b506a8411a5e1644ebaa67123a6eb7b6a77", - "reference": "0db25b506a8411a5e1644ebaa67123a6eb7b6a77", + "url": "https://api.github.com/repos/endroid/qr-code/zipball/393fec6c4cbdc1bd65570ac9d245704428010122", + "reference": "393fec6c4cbdc1bd65570ac9d245704428010122", "shasum": "" }, "require": { - "bacon/bacon-qr-code": "^2.0.5", + "bacon/bacon-qr-code": "^3.0", "php": "^8.1" }, - "conflict": { - "khanamiryan/qrcode-detector-decoder": "^1.0.6" - }, "require-dev": { - "endroid/quality": "dev-master", + "endroid/quality": "dev-main", "ext-gd": "*", - "khanamiryan/qrcode-detector-decoder": "^1.0.4||^2.0.2", + "khanamiryan/qrcode-detector-decoder": "^2.0.2", "setasign/fpdf": "^1.8.2" }, "suggest": { @@ -146,7 +143,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-master": "4.x-dev" + "dev-main": "5.x-dev" } }, "autoload": { @@ -175,7 +172,7 @@ ], "support": { "issues": "https://github.com/endroid/qr-code/issues", - "source": "https://github.com/endroid/qr-code/tree/4.8.5" + "source": "https://github.com/endroid/qr-code/tree/5.1.0" }, "funding": [ { @@ -183,7 +180,7 @@ "type": "github" } ], - "time": "2023-09-29T14:03:20+00:00" + "time": "2024-09-08T08:52:55+00:00" }, { "name": "jumbojett/openid-connect-php", 
@@ -456,24 +453,25 @@ }, { "name": "robthree/twofactorauth", - "version": "1.8.2", + "version": "v3.0.2", "source": { "type": "git", "url": "https://github.com/RobThree/TwoFactorAuth.git", - "reference": "65681de5a324eae05140ac58b08648a60212afc0" + "reference": "6d70f9ca8e25568f163a7b3b3ff77bd8ea743978" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/RobThree/TwoFactorAuth/zipball/65681de5a324eae05140ac58b08648a60212afc0", - "reference": "65681de5a324eae05140ac58b08648a60212afc0", + "url": "https://api.github.com/repos/RobThree/TwoFactorAuth/zipball/6d70f9ca8e25568f163a7b3b3ff77bd8ea743978", + "reference": "6d70f9ca8e25568f163a7b3b3ff77bd8ea743978", "shasum": "" }, "require": { - "php": ">=5.6.0" + "php": ">=8.2.0" }, "require-dev": { - "php-parallel-lint/php-parallel-lint": "^1.2", - "phpunit/phpunit": "@stable" + "friendsofphp/php-cs-fixer": "^3.13", + "phpstan/phpstan": "^1.9", + "phpunit/phpunit": "^9" }, "suggest": { "bacon/bacon-qr-code": "Needed for BaconQrCodeProvider provider", @@ -494,6 +492,16 @@ "name": "Rob Janssen", "homepage": "http://robiii.me", "role": "Developer" + }, + { + "name": "Nicolas CARPi", + "homepage": "https://github.com/NicolasCARPi", + "role": "Developer" + }, + { + "name": "Will Power", + "homepage": "https://github.com/willpower232", + "role": "Developer" } ], "description": "Two Factor Authentication", @@ -522,7 +530,7 @@ "type": "github" } ], - "time": "2022-03-22T16:11:07+00:00" + "time": "2024-10-24T15:14:25+00:00" } ], "packages-dev": [], diff --git a/totp_setup.php b/totp_setup.php index b5ad7fc..191748a 100644 --- a/totp_setup.php +++ b/totp_setup.php 
@@ -6,11 +6,8 @@ require_once 'config.php';
 
 use Endroid\QrCode\Builder\Builder;
 use Endroid\QrCode\Writer\PngWriter;
-use Endroid\QrCode\ErrorCorrectionLevel\ErrorCorrectionLevelHigh;
-
-// For debugging purposes, you might enable error reporting temporarily:
-// ini_set('display_errors', 1);
-// error_reporting(E_ALL);
+use RobThree\Auth\Algorithm;
+use RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider;
 
 if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
 http_response_code(403);
@@ -108,7 +105,13 @@ function getGlobalOtpauthUrl() {
 return "";
 }
 
-$tfa = new \RobThree\Auth\TwoFactorAuth('FileRise');
+$tfa = new \RobThree\Auth\TwoFactorAuth(
+new GoogleChartsQrCodeProvider(), // QR code provider
+'FileRise', // issuer
+6, // number of digits
+30, // period in seconds
+Algorithm::Sha1 // Correct enum case name from your enum
+);
 
 // Retrieve the current TOTP secret for the user.
 $totpSecret = getUserTOTPSecret($username);
@@ -140,7 +143,6 @@ if (!empty($globalOtpauthUrl)) {
 $result = Builder::create()
 ->writer(new PngWriter())
 ->data($otpauthUrl)
-->errorCorrectionLevel(new ErrorCorrectionLevelHigh())
 ->build();
 
 header('Content-Type: ' . $result->getMimeType());
diff --git a/totp_verify.php b/totp_verify.php
index edb90c2..d98002d 100644
--- a/totp_verify.php
+++ b/totp_verify.php
@@ -8,6 +8,9 @@ require_once 'config.php';
 header('Content-Type: application/json');
 header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self';");
 
+use RobThree\Auth\Algorithm;
+use RobThree\Auth\Providers\Qr\GoogleChartsQrCodeProvider;
+
 try {
 // standardized error helper
 function respond($status, $code, $message, $data = []) {
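Review bot: The third hunk (`@@ -140,7 +143,6 @@`) drops the high error-correction level from the QR build instead of porting it; endroid/qr-code v5 exposes the same setting as the `Endroid\QrCode\ErrorCorrectionLevel` enum, so `ErrorCorrectionLevel::High` should be passed rather than silently falling back to the default and handing authenticator apps a less redundant code to scan. In v5 the documented construction is `new Builder(writer: new PngWriter(), data: $otpauthUrl, errorCorrectionLevel: ErrorCorrectionLevel::High)` followed by `->build()`; if the static `Builder::create()` fluent chain kept here no longer exists in v5, the QR endpoint will fatal on first use, so exercise it before merge. The `if (!empty($globalOtpauthUrl))` block around that hunk starts and ends outside it. The constructor duplication in the second hunk is covered in the auth.php review.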
@@ -71,7 +74,13 @@ try {
 if (isset($_SESSION['pending_login_user'])) {
 $username = $_SESSION['pending_login_user'];
 $totpSecret = $_SESSION['pending_login_secret'];
-$tfa = new \RobThree\Auth\TwoFactorAuth('FileRise');
+$tfa = new \RobThree\Auth\TwoFactorAuth(
+new GoogleChartsQrCodeProvider(), // QR code provider
+'FileRise', // issuer
+6, // number of digits
+30, // period in seconds
+Algorithm::Sha1 // Correct enum case name from your enum
+);
 
 if (!$tfa->verifyCode($totpSecret, $code)) {
 $_SESSION['totp_failures']++;
@@ -117,7 +126,14 @@ try {
 respond('error', 500, 'TOTP secret not found. Please set up TOTP again.');
 }
 
-$tfa = new \RobThree\Auth\TwoFactorAuth('FileRise');
+$tfa = new \RobThree\Auth\TwoFactorAuth(
+new GoogleChartsQrCodeProvider(), // QR code provider
+'FileRise', // issuer
+6, // number of digits
+30, // period in seconds
+Algorithm::Sha1 // Correct enum case name from your enum
+);
+
 if (!$tfa->verifyCode($totpSecret, $code)) {
 $_SESSION['totp_failures']++;
 respond('error', 400, 'Invalid TOTP code');
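Review bot: Both new constructor sites in this file (this hunk and `@@ -117,7 +126,14 @@`) feed `verifyCode($totpSecret, $code)`, whose boolean result is all that is kept, so a code that has already been accepted stays valid for the rest of its window (v3's default `$discrepancy` of 1 allows one period either side) and can be replayed by anyone who captured it. `verifyCode()` reports the matched timeslice through its fifth by-reference parameter; capturing it, persisting the last accepted slice per user next to the secret, and rejecting any slice not greater than the stored one makes each code single-use, which is what RFC 6238 §5.2 requires. The same applies to the verify site in auth.php. The surrounding `try {` block starts and ends outside both hunks.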