Version Description
- Spaces in the description field should now work on iPhones.
- Some depricated function calls replaced.
- Code inputfield easier to use for .jp users now.
- Sanitize description field input.
- App password hash function switched to one that doesn't have rainbow tables available.
- PHP notices occurring during app password login removed.
Download this release
Release Info
| Developer | Henrik.Schack |
| Plugin |  Google Authenticator |
| Version | 0.45 |
| Comparing to | |
| See all releases | |
Code changes from version 0.44 to 0.45
- google-authenticator.php +24 -15
- readme.txt +17 -5
google-authenticator.php
CHANGED
|
@@ -4,9 +4,9 @@ Plugin Name: Google Authenticator
|
|
| 4 |
Plugin URI: http://henrik.schack.dk/google-authenticator-for-wordpress
|
| 5 |
Description: Two-Factor Authentication for WordPress using the Android/iPhone/Blackberry app as One Time Password generator.
|
| 6 |
Author: Henrik Schack
|
| 7 |
-
Version: 0.
|
| 8 |
Author URI: http://henrik.schack.dk/
|
| 9 |
-
Compatibility: WordPress 3.
|
| 10 |
Text Domain: google-authenticator
|
| 11 |
Domain Path: /lang
|
| 12 |
|
|
@@ -18,7 +18,10 @@ Domain Path: /lang
|
|
| 18 |
Thanks to Daniel Werl for his usability tips.
|
| 19 |
Thanks to Dion Hulse for his bugfixes.
|
| 20 |
Thanks to Aldo Latino for his Italian translation.
|
| 21 |
-
Thanks to Kaijia Feng for his Simplified Chinese translation.
|
|
|
|
|
|
|
|
|
|
| 22 |
|
| 23 |
----------------------------------------------------------------------------
|
| 24 |
|
|
@@ -113,7 +116,7 @@ function verify( $secretkey, $thistry, $relaxedmode ) {
|
|
| 113 |
// Only 32 bits
|
| 114 |
$value = $value & 0x7FFFFFFF;
|
| 115 |
$value = $value % 1000000;
|
| 116 |
-
if ( $value
|
| 117 |
return true;
|
| 118 |
}
|
| 119 |
}
|
|
@@ -141,7 +144,7 @@ function create_secret() {
|
|
| 141 |
function loginform() {
|
| 142 |
echo "\t<p>\n";
|
| 143 |
echo "\t\t<label title=\"".__('If you don\'t have Google Authenticator enabled for your WordPress account, leave this field empty.','google-authenticator')."\">".__('Google Authenticator code','google-authenticator')."<span id=\"google-auth-info\"></span><br />\n";
|
| 144 |
-
echo "\t\t<input type=\"text\" name=\"googleotp\" id=\"user_email\" class=\"input\" value=\"\" size=\"20\" /></label>\n";
|
| 145 |
echo "\t</p>\n";
|
| 146 |
}
|
| 147 |
|
|
@@ -168,10 +171,10 @@ function check_otp( $user, $username = '', $password = '' ) {
|
|
| 168 |
|
| 169 |
// Get information on user, we need this in case an app password has been enabled,
|
| 170 |
// since the $user var only contain an error at this point in the login flow.
|
| 171 |
-
$user =
|
| 172 |
|
| 173 |
// Does the user have the Google Authenticator enabled ?
|
| 174 |
-
if ( trim(get_user_option( 'googleauthenticator_enabled', $user->ID ) ) == 'enabled' ) {
|
| 175 |
|
| 176 |
// Get the users secret
|
| 177 |
$GA_secret = trim( get_user_option( 'googleauthenticator_secret', $user->ID ) );
|
|
@@ -180,8 +183,11 @@ function check_otp( $user, $username = '', $password = '' ) {
|
|
| 180 |
$GA_relaxedmode = trim( get_user_option( 'googleauthenticator_relaxedmode', $user->ID ) );
|
| 181 |
|
| 182 |
// Get the verification code entered by the user trying to login
|
| 183 |
-
|
| 184 |
-
|
|
|
|
|
|
|
|
|
|
| 185 |
// Valid code ?
|
| 186 |
if ( $this->verify( $GA_secret, $otp, $GA_relaxedmode ) ) {
|
| 187 |
return $userstate;
|
|
@@ -189,9 +195,12 @@ function check_otp( $user, $username = '', $password = '' ) {
|
|
| 189 |
// No, lets see if an app password is enabled, and this is an XMLRPC / APP login ?
|
| 190 |
if ( trim( get_user_option( 'googleauthenticator_pwdenabled', $user->ID ) ) == 'enabled' && ( defined('XMLRPC_REQUEST') || defined('APP_REQUEST') ) ) {
|
| 191 |
$GA_passwords = json_decode( get_user_option( 'googleauthenticator_passwords', $user->ID ) );
|
| 192 |
-
$
|
| 193 |
$usersha1 = sha1( strtoupper( str_replace( ' ', '', $password ) ) );
|
| 194 |
-
if ( $
|
|
|
|
|
|
|
|
|
|
| 195 |
return new WP_User( $user->ID );
|
| 196 |
} else {
|
| 197 |
// Wrong XMLRPC/APP password !
|
|
@@ -253,7 +262,7 @@ function profile_personal_options() {
|
|
| 253 |
echo "</tr>\n";
|
| 254 |
|
| 255 |
// Create URL for the Google charts QR code generator.
|
| 256 |
-
$chl =
|
| 257 |
$qrcodeurl = "https://chart.googleapis.com/chart?cht=qr&chs=300x300&chld=H|0&chl={$chl}";
|
| 258 |
|
| 259 |
if ( $is_profile_page || IS_PROFILE_PAGE ) {
|
|
@@ -375,7 +384,7 @@ function personal_options_update() {
|
|
| 375 |
|
| 376 |
|
| 377 |
$GA_enabled = ! empty( $_POST['GA_enabled'] );
|
| 378 |
-
$GA_description = trim( $_POST['GA_description'] );
|
| 379 |
$GA_relaxedmode = ! empty( $_POST['GA_relaxedmode'] );
|
| 380 |
$GA_secret = trim( $_POST['GA_secret'] );
|
| 381 |
$GA_pwdenabled = ! empty( $_POST['GA_pwdenabled'] );
|
|
@@ -403,7 +412,7 @@ function personal_options_update() {
|
|
| 403 |
// Only store password if a new one has been generated.
|
| 404 |
if (strtoupper($GA_password) != 'XXXXXXXXXXXXXXXX' ) {
|
| 405 |
// Store the password in a format that can be expanded easily later on if needed.
|
| 406 |
-
$GA_password = array( 'appname' => 'Default', 'password' =>
|
| 407 |
update_user_option( $user_id, 'googleauthenticator_passwords', json_encode( $GA_password ), true );
|
| 408 |
}
|
| 409 |
|
|
@@ -495,4 +504,4 @@ function ajax_callback() {
|
|
| 495 |
} // end class
|
| 496 |
|
| 497 |
$google_authenticator = new GoogleAuthenticator;
|
| 498 |
-
?>
|
| 4 |
Plugin URI: http://henrik.schack.dk/google-authenticator-for-wordpress
|
| 5 |
Description: Two-Factor Authentication for WordPress using the Android/iPhone/Blackberry app as One Time Password generator.
|
| 6 |
Author: Henrik Schack
|
| 7 |
+
Version: 0.45
|
| 8 |
Author URI: http://henrik.schack.dk/
|
| 9 |
+
Compatibility: WordPress 3.8
|
| 10 |
Text Domain: google-authenticator
|
| 11 |
Domain Path: /lang
|
| 12 |
|
| 18 |
Thanks to Daniel Werl for his usability tips.
|
| 19 |
Thanks to Dion Hulse for his bugfixes.
|
| 20 |
Thanks to Aldo Latino for his Italian translation.
|
| 21 |
+
Thanks to Kaijia Feng for his Simplified Chinese translation.
|
| 22 |
+
Thanks to Ian Dunn for fixing some depricated function calls.
|
| 23 |
+
Thanks to Kimmo Suominen for fixing the iPhone description issue.
|
| 24 |
+
Thanks to Alex Concha for some security tips.
|
| 25 |
|
| 26 |
----------------------------------------------------------------------------
|
| 27 |
|
| 116 |
// Only 32 bits
|
| 117 |
$value = $value & 0x7FFFFFFF;
|
| 118 |
$value = $value % 1000000;
|
| 119 |
+
if ( $value === $thistry ) {
|
| 120 |
return true;
|
| 121 |
}
|
| 122 |
}
|
| 144 |
function loginform() {
|
| 145 |
echo "\t<p>\n";
|
| 146 |
echo "\t\t<label title=\"".__('If you don\'t have Google Authenticator enabled for your WordPress account, leave this field empty.','google-authenticator')."\">".__('Google Authenticator code','google-authenticator')."<span id=\"google-auth-info\"></span><br />\n";
|
| 147 |
+
echo "\t\t<input type=\"text\" name=\"googleotp\" id=\"user_email\" class=\"input\" value=\"\" size=\"20\" style=\"ime-mode: inactive;\" /></label>\n";
|
| 148 |
echo "\t</p>\n";
|
| 149 |
}
|
| 150 |
|
| 171 |
|
| 172 |
// Get information on user, we need this in case an app password has been enabled,
|
| 173 |
// since the $user var only contain an error at this point in the login flow.
|
| 174 |
+
$user = get_user_by( 'login', $username );
|
| 175 |
|
| 176 |
// Does the user have the Google Authenticator enabled ?
|
| 177 |
+
if ( isset( $user->ID ) && trim(get_user_option( 'googleauthenticator_enabled', $user->ID ) ) == 'enabled' ) {
|
| 178 |
|
| 179 |
// Get the users secret
|
| 180 |
$GA_secret = trim( get_user_option( 'googleauthenticator_secret', $user->ID ) );
|
| 183 |
$GA_relaxedmode = trim( get_user_option( 'googleauthenticator_relaxedmode', $user->ID ) );
|
| 184 |
|
| 185 |
// Get the verification code entered by the user trying to login
|
| 186 |
+
if ( !empty( $_POST['googleotp'] )) { // Prevent PHP notices when using app password login
|
| 187 |
+
$otp = trim( $_POST[ 'googleotp' ] );
|
| 188 |
+
} else {
|
| 189 |
+
$otp = '';
|
| 190 |
+
}
|
| 191 |
// Valid code ?
|
| 192 |
if ( $this->verify( $GA_secret, $otp, $GA_relaxedmode ) ) {
|
| 193 |
return $userstate;
|
| 195 |
// No, lets see if an app password is enabled, and this is an XMLRPC / APP login ?
|
| 196 |
if ( trim( get_user_option( 'googleauthenticator_pwdenabled', $user->ID ) ) == 'enabled' && ( defined('XMLRPC_REQUEST') || defined('APP_REQUEST') ) ) {
|
| 197 |
$GA_passwords = json_decode( get_user_option( 'googleauthenticator_passwords', $user->ID ) );
|
| 198 |
+
$passwordhash = trim($GA_passwords->{'password'} );
|
| 199 |
$usersha1 = sha1( strtoupper( str_replace( ' ', '', $password ) ) );
|
| 200 |
+
if ( $passwordhash == $usersha1 ) { // ToDo: Remove after some time when users have migrated to new format
|
| 201 |
+
return new WP_User( $user->ID );
|
| 202 |
+
// Try the new version based on thee wp_hash_password function
|
| 203 |
+
} elseif (wp_check_password( strtoupper( str_replace( ' ', '', $password ) ), $passwordhash)) {
|
| 204 |
return new WP_User( $user->ID );
|
| 205 |
} else {
|
| 206 |
// Wrong XMLRPC/APP password !
|
| 262 |
echo "</tr>\n";
|
| 263 |
|
| 264 |
// Create URL for the Google charts QR code generator.
|
| 265 |
+
$chl = rawurlencode( 'otpauth://totp/'.rawurlencode( $GA_description ).'?secret='.rawurlencode( $GA_secret ) );
|
| 266 |
$qrcodeurl = "https://chart.googleapis.com/chart?cht=qr&chs=300x300&chld=H|0&chl={$chl}";
|
| 267 |
|
| 268 |
if ( $is_profile_page || IS_PROFILE_PAGE ) {
|
| 384 |
|
| 385 |
|
| 386 |
$GA_enabled = ! empty( $_POST['GA_enabled'] );
|
| 387 |
+
$GA_description = trim( sanitize_text_field($_POST['GA_description'] ) );
|
| 388 |
$GA_relaxedmode = ! empty( $_POST['GA_relaxedmode'] );
|
| 389 |
$GA_secret = trim( $_POST['GA_secret'] );
|
| 390 |
$GA_pwdenabled = ! empty( $_POST['GA_pwdenabled'] );
|
| 412 |
// Only store password if a new one has been generated.
|
| 413 |
if (strtoupper($GA_password) != 'XXXXXXXXXXXXXXXX' ) {
|
| 414 |
// Store the password in a format that can be expanded easily later on if needed.
|
| 415 |
+
$GA_password = array( 'appname' => 'Default', 'password' => wp_hash_password( $GA_password ) );
|
| 416 |
update_user_option( $user_id, 'googleauthenticator_passwords', json_encode( $GA_password ), true );
|
| 417 |
}
|
| 418 |
|
| 504 |
} // end class
|
| 505 |
|
| 506 |
$google_authenticator = new GoogleAuthenticator;
|
| 507 |
+
?>
|
readme.txt
CHANGED
|
@@ -2,9 +2,9 @@
|
|
| 2 |
Contributors: Henrik.Schack
|
| 3 |
Donate Link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=henrik%40schack%2edk&lc=US&item_name=Google%20Authenticator&item_number=Google%20Authenticator&no_shipping=0&no_note=1&tax=0&bn=PP%2dDonationsBF&charset=UTF%2d8
|
| 4 |
Tags: authentication,otp,password,security,login,android,iphone,blackberry
|
| 5 |
-
Requires at least: 3.
|
| 6 |
-
Tested up to: 3.
|
| 7 |
-
Stable tag: 0.
|
| 8 |
|
| 9 |
Google Authenticator for your WordPress blog.
|
| 10 |
|
|
@@ -60,7 +60,7 @@ If you have SSH or FTP access to your webhosting account, you can manually delet
|
|
| 60 |
just delete the wp-content/plugins/google-authenticator directory, and you'll be able to login using username/password again.
|
| 61 |
|
| 62 |
= I don't own a Smartphone, isn't there another way to generate these secret codes ? =
|
| 63 |
-
Yes, there is a
|
| 64 |
|
| 65 |
|
| 66 |
== Screenshots ==
|
|
@@ -72,6 +72,15 @@ Yes, there is a Chrome browser extension you can use : http://4bits.dk/Uwg09z
|
|
| 72 |
|
| 73 |
== Changelog ==
|
| 74 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 75 |
= 0.44 =
|
| 76 |
* Installation/FAQ section updated.
|
| 77 |
* Simplified Chinese translation by Kaijia Feng added.
|
|
@@ -116,6 +125,7 @@ Yes, there is a Chrome browser extension you can use : http://4bits.dk/Uwg09z
|
|
| 116 |
= 0.20 =
|
| 117 |
* Initial release
|
| 118 |
|
|
|
|
| 119 |
== Credits ==
|
| 120 |
|
| 121 |
Thanks to:
|
|
@@ -130,4 +140,6 @@ Thanks to:
|
|
| 130 |
|
| 131 |
[Aldo Latino](http://profiles.wordpress.org/users/aldolat/) for his Italian translation.
|
| 132 |
|
| 133 |
-
[Kaijia Feng](http://www.kaijia.me/) for his Simplified Chinese translation.
|
|
|
|
|
|
| 2 |
Contributors: Henrik.Schack
|
| 3 |
Donate Link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=henrik%40schack%2edk&lc=US&item_name=Google%20Authenticator&item_number=Google%20Authenticator&no_shipping=0&no_note=1&tax=0&bn=PP%2dDonationsBF&charset=UTF%2d8
|
| 4 |
Tags: authentication,otp,password,security,login,android,iphone,blackberry
|
| 5 |
+
Requires at least: 3.8
|
| 6 |
+
Tested up to: 3.8
|
| 7 |
+
Stable tag: 0.45
|
| 8 |
|
| 9 |
Google Authenticator for your WordPress blog.
|
| 10 |
|
| 60 |
just delete the wp-content/plugins/google-authenticator directory, and you'll be able to login using username/password again.
|
| 61 |
|
| 62 |
= I don't own a Smartphone, isn't there another way to generate these secret codes ? =
|
| 63 |
+
Yes, there is a webbased version here : http://gauth.apps.gbraad.nl/ Github project here : https://github.com/gbraad/html5-google-authenticator
|
| 64 |
|
| 65 |
|
| 66 |
== Screenshots ==
|
| 72 |
|
| 73 |
== Changelog ==
|
| 74 |
|
| 75 |
+
= 0.45 =
|
| 76 |
+
* Spaces in the description field should now work on iPhones.
|
| 77 |
+
* Some depricated function calls replaced.
|
| 78 |
+
* Code inputfield easier to use for .jp users now.
|
| 79 |
+
* Sanitize description field input.
|
| 80 |
+
* App password hash function switched to one that doesn't have rainbow tables available.
|
| 81 |
+
* PHP notices occurring during app password login removed.
|
| 82 |
+
|
| 83 |
+
|
| 84 |
= 0.44 =
|
| 85 |
* Installation/FAQ section updated.
|
| 86 |
* Simplified Chinese translation by Kaijia Feng added.
|
| 125 |
= 0.20 =
|
| 126 |
* Initial release
|
| 127 |
|
| 128 |
+
|
| 129 |
== Credits ==
|
| 130 |
|
| 131 |
Thanks to:
|
| 140 |
|
| 141 |
[Aldo Latino](http://profiles.wordpress.org/users/aldolat/) for his Italian translation.
|
| 142 |
|
| 143 |
+
[Kaijia Feng](http://www.kaijia.me/) for his Simplified Chinese translation.
|
| 144 |
+
|
| 145 |
+
[Alex Concha](http://www.buayacorp.com/) for his security tips.
|
