Google Authenticator - Version 0.37

Version Description

  • The plugin now supports "relaxed mode" when authenticating. If selected, codes from 4 minutes before and 4 minutes after will work. 30 seconds before and after is still the default setting.

Release Info

Developer Henrik.Schack
Plugin Icon wp plugin Google Authenticator
Version 0.37

Code changes from version 0.36 to 0.37

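--- a/google-authenticator.php
+++ b/google-authenticator.php
@@ -4,7 +4,7 @@ Plugin Name: Google Authenticator
  Plugin URI: http://henrik.schack.dk/google-authenticator-for-wordpress
  Description: Two-Factor Authentication for WordPress using the Android/iPhone/Blackberry app as One Time Password generator.
  Author: Henrik Schack
- Version: 0.36
+ Version: 0.37
  Author URI: http://henrik.schack.dk/
  Compatibility: WordPress 3.2.1
  Text Domain: google-authenticator
@@ -14,6 +14,7 @@ Domain Path: /lang
 
  Thanks to Bryan Ruiz for his Base32 encode/decode class, found at php.net.
  Thanks to Tobias B�thge for his major code rewrite and German translation.
+ Thanks to Pascal de Bruijn for his relaxed mode idea.
 
  ----------------------------------------------------------------------------
 
@@ -69,13 +70,23 @@ function init() {
  /**
  * Check the verification code entered by the user.
  */
- function verify( $secretkey, $thistry ) {
+ function verify( $secretkey, $thistry, $relaxedmode ) {
+
+ // If user is running in relaxed mode, we allow more time drifting
+ // �4 min, as opposed to � 30 seconds in normal mode.
+ if ( $relaxedmode == 'enabled' ) {
+ $firstcount = -8;
+ $lastcount = 8;
+ } else {
+ $firstcount = -1;
+ $lastcount = 1;
+ }
 
  $tm = floor( time() / 30 );
 
  $secretkey=Base32::decode($secretkey);
  // Keys from 30 seconds before and after are valid aswell.
- for ($i=-1; $i<2; $i++) {
+ for ($i=$firstcount; $i<=$lastcount; $i++) {
  // Pack time into binary string
  $time=chr(0).chr(0).chr(0).chr(0).pack('N*',$tm+$i);
  // Hash it with users secret key
@@ -143,11 +154,14 @@ function check_otp( $user, $username = '', $password = '' ) {
  // Get the users secret
  $GA_secret = trim( get_user_option( 'googleauthenticator_secret', $user->ID ) );
 
+ // Figure out if user is using relaxed mode ?
+ $GA_relaxedmode = trim( get_user_option( 'googleauthenticator_relaxedmode', $user->ID ) );
+
  // Get the verification code entered by the user trying to login
  $otp = intval( trim( $_POST[ 'otp' ] ) );
 
  // Valid code ?
- if ( $this->verify( $GA_secret, $otp ) ) {
+ if ( $this->verify( $GA_secret, $otp, $GA_relaxedmode ) ) {
  return $userstate;
  } else {
  // No, lets see if an app password is enabled, and this is an XMLRPC / APP login ?
@@ -180,6 +194,7 @@ function profile_personal_options() {
 
  $GA_secret = trim( get_user_option( 'googleauthenticator_secret', $user_id ) );
  $GA_enabled = trim( get_user_option( 'googleauthenticator_enabled', $user_id ) );
+ $GA_relaxedmode = trim( get_user_option( 'googleauthenticator_relaxedmode', $user_id ) );
  $GA_description = trim( get_user_option( 'googleauthenticator_description', $user_id ) );
  $GA_pwdenabled = trim( get_user_option( 'googleauthenticator_pwdenabled', $userid ) );
  $GA_password = trim( get_user_option( 'googleauthenticator_passwords', $user_id ) );
@@ -216,6 +231,13 @@ function profile_personal_options() {
  $qrcodeurl = "https://chart.googleapis.com/chart?cht=qr&amp;chs=300x300&amp;chld=H|0&amp;chl={$chl}";
 
  if ( $is_profile_page || IS_PROFILE_PAGE ) {
+ echo "<tr>\n";
+ echo "<th scope=\"row\">".__( 'Relaxed mode', 'google-authenticator' )."</th>\n";
+ echo "<td>\n";
+ echo "<input name=\"GA_relaxedmode\" id=\"GA_relaxedmode\" class=\"tog\" type=\"checkbox\"" . checked( $GA_relaxedmode, 'enabled', false ) . "/><span class=\"description\">".__(' Relaxed mode allows for more time drifting on your phone clock (&#177;4 min).','google-authenticator')."</span>\n";
+ echo "</td>\n";
+ echo "</tr>\n";
+
  echo "<tr>\n";
  echo "<th><label for=\"GA_description\">".__('Description','google-authenticator')."</label></th>\n";
  echo "<td><input name=\"GA_description\" id=\"GA_description\" value=\"{$GA_description}\" type=\"text\" size=\"25\" /><span class=\"description\">".__(' Description that you\'ll see in the Google Authenticator app on your phone.','google-authenticator')."</span><br /></td>\n";
@@ -322,6 +344,7 @@ function personal_options_update() {
  global $user_id;
 
  $GA_enabled = trim( $_POST['GA_enabled'] );
+ $GA_relaxedmode = trim( $_POST['GA_relaxedmode'] );
  $GA_secret = trim( $_POST['GA_secret'] );
  $GA_pwdenabled = trim( $_POST['GA_pwdenabled'] );
  $GA_password = str_replace(' ', '', trim( $_POST['GA_password'] ) );
@@ -332,6 +355,13 @@ function personal_options_update() {
  $GA_enabled = 'enabled';
  }
 
+ if ( '' == $GA_relaxedmode ) {
+ $GA_relaxedmode = 'disabled';
+ } else {
+ $GA_relaxedmode = 'enabled';
+ }
+
+
  if ( '' == $GA_pwdenabled ) {
  $GA_pwdenabled = 'disabled';
  } else {
@@ -346,6 +376,7 @@ function personal_options_update() {
  }
 
  update_user_option( $user_id, 'googleauthenticator_enabled', $GA_enabled, true );
+ update_user_option( $user_id, 'googleauthenticator_relaxedmode', $GA_relaxedmode, true );
  update_user_option( $user_id, 'googleauthenticator_secret', $GA_secret, true );
  update_user_option( $user_id, 'googleauthenticator_pwdenabled', $GA_pwdenabled, true );
 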
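Review bot: Relaxed mode widens the acceptance loop in `verify()` from 3 to 17 time steps (`$firstcount = -8`, `$lastcount = 8`), so each code stays usable for roughly eight and a half minutes and a random guess is about six times more likely to match, yet nothing in the visible lines throttles failed attempts or records the last accepted step to reject a replayed code. If that protection does not exist elsewhere in the file, it should be added before the wider window ships, for example by storing the accepted `$tm+$i` per user and refusing any step that is not greater than it. The retained comment `// Keys from 30 seconds before and after are valid aswell.` is now wrong in relaxed mode and could read `// Codes from $firstcount to $lastcount 30-second steps around now are accepted.`, and the mode test would be safer as `if ( 'enabled' === $relaxedmode )`. The body of `verify()` continues past the end of the hunk.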
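--- a/lang/google-authenticator.pot
+++ b/lang/google-authenticator.pot
@@ -2,9 +2,9 @@
  # This file is distributed under the same license as the Google Authenticator package.
  msgid ""
  msgstr ""
- "Project-Id-Version: Google Authenticator 0.36\n"
+ "Project-Id-Version: Google Authenticator 0.37\n"
  "Report-Msgid-Bugs-To: http://wordpress.org/tag/google-authenticator\n"
- "POT-Creation-Date: 2011-08-10 20:20:57+00:00\n"
+ "POT-Creation-Date: 2011-08-21 14:25:45+00:00\n"
  "MIME-Version: 1.0\n"
  "Content-Type: text/plain; charset=UTF-8\n"
  "Content-Transfer-Encoding: 8bit\n"
@@ -12,76 +12,86 @@ msgstr ""
  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
  "Language-Team: LANGUAGE <LL@li.org>\n"
 
- #: google-authenticator.php:120
+ #: google-authenticator.php:131
  msgid ""
  "If you don't have Google Authenticator enabled for your WordPress account, "
  "leave this field empty."
  msgstr ""
 
- #: google-authenticator.php:120
+ #: google-authenticator.php:131
  msgid "Google Authenticator code"
  msgstr ""
 
- #: google-authenticator.php:162
+ #: google-authenticator.php:176
  msgid "<strong>ERROR</strong>: The Google Authenticator password is incorrect."
  msgstr ""
 
- #: google-authenticator.php:165
+ #: google-authenticator.php:179
  msgid ""
  "<strong>ERROR</strong>: The Google Authenticator code is incorrect or has "
  "expired."
  msgstr ""
 
- #: google-authenticator.php:200
+ #: google-authenticator.php:215
  msgid "WordPress Blog"
  msgstr ""
 
- #: google-authenticator.php:203 google-authenticator.php:361
+ #: google-authenticator.php:218 google-authenticator.php:392
  msgid "Google Authenticator Settings"
  msgstr ""
 
- #: google-authenticator.php:208 google-authenticator.php:365
+ #: google-authenticator.php:223 google-authenticator.php:396
  msgid "Active"
  msgstr ""
 
- #: google-authenticator.php:220
+ #: google-authenticator.php:235
+ msgid "Relaxed mode"
+ msgstr ""
+
+ #: google-authenticator.php:237
+ msgid ""
+ " Relaxed mode allows for more time drifting on your phone clock (&#177;4 "
+ "min)."
+ msgstr ""
+
+ #: google-authenticator.php:242
  msgid "Description"
  msgstr ""
 
- #: google-authenticator.php:221
+ #: google-authenticator.php:243
  msgid ""
  " Description that you'll see in the Google Authenticator app on your phone."
  msgstr ""
 
- #: google-authenticator.php:225
+ #: google-authenticator.php:247
  msgid "Secret"
  msgstr ""
 
- #: google-authenticator.php:228
+ #: google-authenticator.php:250
  msgid "Create new secret"
  msgstr ""
 
- #: google-authenticator.php:229
+ #: google-authenticator.php:251
  msgid "Show/Hide QR code"
  msgstr ""
 
- #: google-authenticator.php:237
+ #: google-authenticator.php:259
  msgid "Scan this with the Google Authenticator app."
  msgstr ""
 
- #: google-authenticator.php:242
+ #: google-authenticator.php:264
  msgid "Enable App password"
  msgstr ""
 
- #: google-authenticator.php:244
+ #: google-authenticator.php:266
  msgid " Enabling an App password will decrease your overall login security."
  msgstr ""
 
- #: google-authenticator.php:252
+ #: google-authenticator.php:274
  msgid "Create new password"
  msgstr ""
 
- #: google-authenticator.php:253
+ #: google-authenticator.php:275
  msgid ""
  " Password is not stored in cleartext, this is your only chance to see it."
  msgstr ""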
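--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate Link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=henri
  Tags: authentication,otp,password,security,login,android,iphone,blackberry
  Requires at least: 3.1.2
  Tested up to: 3.2.1
- Stable tag: 0.36
+ Stable tag: 0.37
 
  Google Authenticator for your WordPress blog.
 
@@ -41,12 +41,14 @@ Yes, you can enable the App password feature to make that possible, but notice t
 
  No, you'll have to delete the existing account from the Google Authenticator app on your smartphone before you scan the new QR code, that is unless you change the description as well.
 
- = Sometimes I am unable to log in using this plugin, the first code never works, what's wrong ? =
+ = I am unable to log in using this plugin, what's wrong ? =
 
  The Google Authenticator verification codes are time based, so it's crucial that the clock in your phone is accurate and in sync with the clock on the server where your WordPress installation is hosted.
 
  If you have an Android phone, you can use an app like [ClockSync](https://market.android.com/details?id=ru.org.amip.ClockSync) to set your clock in case your Cell provider doesn't provide accurate time information
 
+ Another option is to enable "relaxed mode" in the settings for the plugin, this will enable more valid codes by allowing up to a 4 min. timedrift in each direction.
+
  == Screenshots ==
 
  1. The enhanced log-in box.
@@ -56,6 +58,9 @@ If you have an Android phone, you can use an app like [ClockSync](https://market
 
  == Changelog ==
 
+ = 0.37 =
+ * The plugin now supports "relaxed mode" when authenticating. If selected, codes from 4 minutes before and 4 minutes after will work. 30 seconds before and after is still the default setting.
+
  = 0.36 =
  * Bugfix, now an App password can only be used for XMLRPC/APP-Request logins.
 
@@ -76,3 +81,5 @@ Thanks to:
 
  [Tobias B�thge](http://tobias.baethge.com/) for his code rewrite and German translation.
 
+ [Pascal de Bruijn](http://blog.pcode.nl/) for his "relaxed mode" idea.
+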