Fix TOTP authentication

Summary:
Kolab used to depend on version 4 of the otphp library, which returns
its computed OTP codes as integers. Hence, the kolab_2fa plugin converts
the user input to `int` in order to facilitate comparisons using the
`===` operator.

Starting with version 5, which is now bundled with Kolab, otphp returns
a string instead of an integer. Now the comparison is between an `int`
and a `string`, and thus consistently yields `false`. As a result, no
TOTP code is ever accepted.

Fix TOTP authentication by removing the now-obsolete conversion to
`int`.

Reviewers: machniak

Reviewed By: machniak

Differential Revision: https://git.kolab.org/D4370
Christoph Erhardt 2023-06-14 14:54:18 +02:00 committed by Aleksander Machniak
parent 096b7a8181
commit 32f1865339

@ -77,9 +77,6 @@ class TOTP extends Base
$this->backend->setLabel($this->username)->setSecret($secret);
// PHP gets a string, but we're comparing integers.
$code = (int)$code;
// Pass a window to indicate the maximum timeslip between client (mobile
// device) and server.
$pass = $this->backend->verify($code, $timestamp, 150);
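Review bot: With `$code = (int)$code;` removed, `$code` reaches `$this->backend->verify()` exactly as the caller supplied it, and nothing in this hunk ensures it is a trimmed string of digits. Since the commit message says the comparison is strict, a value with surrounding whitespace or of a non-string type would still be rejected, so consider normalising explicitly before the call, for example `$code = trim((string) $code);`. A regression test would also help here, including a code with a leading zero, which the old integer cast would have stripped. Separately, the comment above the `verify()` call describes 150 as the maximum timeslip but gives no unit; as this change was prompted by a library major-version bump, it is worth confirming that the third argument still means what this code assumes.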