From: Tollef Fog Heen Date: Fri, 26 Jul 2019 21:57:05 +0000 (+0200) Subject: Initial totp-fetch-seed implementation, not complete yet X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap-cgi.git;a=commitdiff_plain;h=50a9e1ca77ee3f36febc8afda740f12d2888ae2e Initial totp-fetch-seed implementation, not complete yet --- diff --git a/debian/changelog b/debian/changelog index 6f560a6..5572b7c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -userdir-ldap-cgi (0.3.43) UNRELEASED; urgency=medium +userdir-ldap-cgi (0.3.43~) UNRELEASED; urgency=medium [ Peter Palfrader ] * html/Makefile: searchform.html also requires domains.tab @@ -6,6 +6,7 @@ userdir-ldap-cgi (0.3.43) UNRELEASED; urgency=medium [ Tollef Fog Heen ] * Ship a /var/cache/userdir-ldap/totp directory where ud-mailgate can put totp secrets to be picked up. + * Add totp-fetch-seed.cgi for fetching totp seeds. -- Tollef Fog Heen Tue, 23 Jul 2019 23:07:19 +0200 diff --git a/debian/control b/debian/control index bc986b1..084244c 100644 --- a/debian/control +++ b/debian/control @@ -19,6 +19,8 @@ Depends: userdir-ldap, libnet-ldap-perl, libossp-uuid-perl, liburi-perl, + libconvert-base32-perl, + libgd-barcode-perl, gnupg (>=1.0.3), python, python-crack | python-cracklib, diff --git a/debian/rules b/debian/rules index 409bba0..b49cd7b 100755 --- a/debian/rules +++ b/debian/rules @@ -49,6 +49,7 @@ binary-indep: build install -m 644 html/searchform.html $(i)/var/www/userdir-ldap/ install -m 644 html/searchhelp.html $(i)/var/www/userdir-ldap/ install -m 644 html/searchresults.html $(i)/var/www/userdir-ldap/ + install -m 644 html/fetch-totp-seed.html $(i)/var/www/userdir-ldap/ install -m 644 html/update.html $(i)/var/www/userdir-ldap/ chown www-data:www-data $(i)/var/cache/userdir-ldap/web-cookies/ chmod u=rwx,g=,o= $(i)/var/cache/userdir-ldap/web-cookies/ diff --git a/fetch-totp-seed.cgi b/fetch-totp-seed.cgi new file mode 100644 index 0000000..639b7eb --- /dev/null 
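Review bot: The new install line in debian/rules ships html/fetch-totp-seed.html, but the only template this commit adds is html/fetch-totp-seed.wml and html/Makefile is not touched here; presumably an existing wildcard rule builds the .html from the .wml, but that is worth confirming before the package build relies on it. The changelog entry in the same commit says "Add totp-fetch-seed.cgi" while the file actually added is fetch-totp-seed.cgi; one of the two names should be corrected so the entry matches what ships.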
+++ b/fetch-totp-seed.cgi
@@ -0,0 +1,49 @@
+#! /usr/bin/perl -T
+
+use lib '.';
+use strict;
+use warnings;
+use CGI;
+use Util;
+use Convert::Base32;
+use MIME::Base64;
+use GD::Barcode::QRcode;
+
+# Global settings...
+my %config = &Util::ReadConfigFile;
+
+my $query = new CGI;
+
+my $random_id = $query->param('id');
+$random_id =~ /^((\d+)-([a-f0-9]+))$/;
+$random_id = $1;
+my $timestamp = $2;
+
+if ($timestamp + 1800 < time()) {
+ &Util::HTMLError("Timestamp too old, please request a new seed");
+}
+
+my $filename = $config{totpticketdirectory} . "/" . $random_id;
+open(my $fh, "<", $filename) or &Util::HTMLError("TOTP seed file not found or permission denied: $! ; $filename");
+my $seed = encode_base32(pack('H*', <$fh>));
+close $fh;
+#unlink $filename;
+
+my $totpurl = "otpauth://totp/Debian?secret=$seed&issuer=Debian";
+my $totppng = "data:image/png;base64, " .
+ encode_base64(GD::Barcode::QRcode->new($totpurl,
+ { ModuleSize => 10 })->plot->png);
+
+&Util::HTMLSendHeader;
+open (F, "<", "fetch-totp-seed.html") || &Util::HTMLError($!);
+while () {
+ s/~totppng~/$totppng/g;
+ s/~totpseed~/$seed/g;
+ print;
+ }
+ close F;
+
+# fill out HTML template with QR code (inline svg/png?)
+# self-link with png link to avoid changing content-security-policy (change it back)
+
+exit 0;
diff --git a/html/fetch-totp-seed.wml b/html/fetch-totp-seed.wml
new file mode 100644
index 0000000..c57ffe2
--- /dev/null
+++ b/html/fetch-totp-seed.wml
@@ -0,0 +1,9 @@
+#use wml::db.d.o title="Your debian.org TOTP seed"
+
+Please scan the QR code using your phone.
+
+
+
+You can also manually input the following shared secret into your TOTP compatible app:
+
+~totpseed~
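Review bot: The match on `$random_id` near the top of the new fetch-totp-seed.cgi is never checked, so an `id` that does not fit `^((\d+)-([a-f0-9]+))$` (or a missing `id`) leaves `$1` and `$2` undefined: `$random_id` becomes undef, the timestamp test runs on undef, and the script goes on to open `$config{totpticketdirectory} . "/"` by itself; since under `-T` these captures are the only thing untainting the path, a failed match should end the request. Replace the four lines from `my $random_id = $query->param('id');` through `my $timestamp = $2;` with `my ($random_id, $timestamp) = ($query->param('id') || '') =~ m{\A((\d+)-([a-f0-9]+))\z};` followed by `&Util::HTMLError("Invalid seed id") unless defined $timestamp;`. The open-failure message interpolates `$filename` into the response, which discloses the server-side ticket directory to the client; log `$!` and `$filename` on the server and keep the browser-facing text generic. With `unlink $filename` commented out the seed stays retrievable from the same link for the whole 30-minute window, and the 1800-second check only rejects old timestamps, not ones in the future; if one-time semantics are intended, both probably belong on the "not complete yet" list. `pack('H*', <$fh>)` also hands the raw first line of the ticket file to pack, so a trailing newline would be folded into the seed — presumably the file is written without one, but a `chomp` (or a `/\A[0-9a-f]+\z/` check) before packing would make that explicit.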