Implement 2FA v-Scripts, 2FA libary and control scripts.

bin/v-add-user-2fa

@@ -0,0 +1,58 @@
+#!/bin/bash
+# info: add 2fa to existing user
+# options: USER
+#
+# The function creates a new 2fa token for user.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER'
+is_format_valid 'user' 'system'
+is_object_valid 'user' 'USER' "$user"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Reading user values
+source $USER_DATA/user.conf
+
+# Check if 2FA is already enabled
+if [ ! -z "$TWOFA" ]; then
+    echo "Error: 2FA already enabled"
+    exit $E_EXIST
+fi
+
+# Get secret and qr code from 2fa libary
+data=$($HESTIA/php/bin/php $HESTIA/web/inc/2fa/secret.php)
+
+# Split to secret and qrcode using delimiter
+IFS='-' read -r -a array <<< "$data"
+secret=${array[0]}
+qrcode=${array[1]}
+
+# Save the secret in user config (needs encryption?)
+sed -i "/RKEY/a TWOFA='$secret'" $USER_DATA/user.conf
+sed -i "/TWOFA/a QRCODE='$qrcode'" $USER_DATA/user.conf
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+exit

bin/v-check-user-2fa

@@ -0,0 +1,54 @@
+#!/bin/bash
+# info: check user token
+# options: USER TOKEN
+#
+# The function verifies user 2fa token.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+token=$2
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'USER TOKEN'
+is_format_valid 'user' 'system'
+is_object_valid 'user' 'USER' "$user"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Reading user values
+source $USER_DATA/user.conf
+
+# Check if 2FA is enabled
+if [ -z "$TWOFA" ]; then
+    echo "Error: 2FA is not enabled"
+    exit $E_NOTEXIST
+fi
+
+# Check if token is valid
+result=$($HESTIA/php/bin/php $HESTIA/web/inc/2fa/secret.php)
+if [ "$result" != "ok" ]; then
+    echo "Error: Token missmatch"
+    exit 9
+fi
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+exit

bin/v-delete-user-2fa

@@ -0,0 +1,50 @@
+#!/bin/bash
+# info: delete 2fa of existing user
+# options: USER
+#
+# The function deletes 2fa token of a user.
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+
+# Includes
+source $HESTIA/func/main.sh
+source $HESTIA/conf/hestia.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER'
+is_format_valid 'user' 'system'
+is_object_valid 'user' 'USER' "$user"
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Reading user values
+source $USER_DATA/user.conf
+
+# Check if 2FA is enabled
+if [ -z "$TWOFA" ]; then
+    echo "Error: 2FA is not enabled"
+    exit $E_NOTEXIST
+fi
+
+# Remove 2FA from user config
+sed -i '/TWOFA=/d' $USER_DATA/user.conf
+sed -i '/QRCODE=/d' $USER_DATA/user.conf
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+exit

bin/v-list-user

@@ -44,6 +44,8 @@ json_list() {
         "CONTACT": "'$CONTACT'",
         "CRON_REPORTS": "'$CRON_REPORTS'",
         "RKEY": "'$RKEY'",
+        "TWOFA": "'$TWOFA'",
+        "QRCODE": "'$QRCODE'",
         "SUSPENDED": "'$SUSPENDED'",
         "SUSPENDED_USERS": "'$SUSPENDED_USERS'",
         "SUSPENDED_WEB": "'$SUSPENDED_WEB'",

web/inc/2fa/.gitignore

@@ -0,0 +1,189 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+build/
+bld/
+[Bb]in/
+[Oo]bj/
+
+# Roslyn cache directories
+*.ide/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+#NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+*_i.c
+*_p.c
+*_i.h
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding addin-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# TODO: Comment the next line if you want to checkin your web deploy settings 
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/packages/*
+# except build/, which is used as an MSBuild target.
+!**/packages/build/
+# If using the old MSBuild-Integrated Package Restore, uncomment this:
+#!**/packages/repositories.config
+
+# Windows Azure Build Output
+csx/
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.pfx
+*.publishsettings
+node_modules/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+*.mdf
+*.ldf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# Composer
+/vendor
+
+# .vs
+.vs/

web/inc/2fa/.travis.yml

@@ -0,0 +1,15 @@
+language: php
+
+php:
+  - 5.4
+  - 5.5
+  - 5.6
+  - 7.0
+  - 7.1
+  - 7.2
+
+before_script:
+  - composer install
+
+script:
+  - vendor/bin/phpunit --coverage-text tests

web/inc/2fa/Providers/Qr/BaseHTTPQRCodeProvider.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace RobThree\Auth\Providers\Qr;
+
+abstract class BaseHTTPQRCodeProvider implements IQRCodeProvider
+{
+    protected $verifyssl;
+
+    protected function getContent($url)
+    {
+        $curlhandle = curl_init();
+        
+        curl_setopt_array($curlhandle, array(
+            CURLOPT_URL => $url,
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_CONNECTTIMEOUT => 10,
+            CURLOPT_DNS_CACHE_TIMEOUT => 10,
+            CURLOPT_TIMEOUT => 10,
+            CURLOPT_SSL_VERIFYPEER => $this->verifyssl,
+            CURLOPT_USERAGENT => 'TwoFactorAuth'
+        ));
+        $data = curl_exec($curlhandle);
+        
+        curl_close($curlhandle);
+        return $data;
+    }
+}

web/inc/2fa/Providers/Qr/GoogleQRCodeProvider.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace RobThree\Auth\Providers\Qr;
+
+// https://developers.google.com/chart/infographics/docs/qr_codes
+class GoogleQRCodeProvider extends BaseHTTPQRCodeProvider 
+{
+    public $errorcorrectionlevel;
+    public $margin;
+
+    function __construct($verifyssl = false, $errorcorrectionlevel = 'L', $margin = 1) 
+    {
+        if (!is_bool($verifyssl))
+            throw new \QRException('VerifySSL must be bool');
+
+        $this->verifyssl = $verifyssl;
+        
+        $this->errorcorrectionlevel = $errorcorrectionlevel;
+        $this->margin = $margin;
+    }
+    
+    public function getMimeType() 
+    {
+        return 'image/png';
+    }
+    
+    public function getQRCodeImage($qrtext, $size) 
+    {
+        return $this->getContent($this->getUrl($qrtext, $size));
+    }
+    
+    public function getUrl($qrtext, $size) 
+    {
+        return 'https://chart.googleapis.com/chart?cht=qr'
+            . '&chs=' . $size . 'x' . $size
+            . '&chld=' . $this->errorcorrectionlevel . '|' . $this->margin
+            . '&chl=' . rawurlencode($qrtext);
+    }
+}

web/inc/2fa/Providers/Qr/IQRCodeProvider.php

@@ -0,0 +1,9 @@
+<?php
+
+namespace RobThree\Auth\Providers\Qr;
+
+interface IQRCodeProvider
+{
+    public function getQRCodeImage($qrtext, $size);
+    public function getMimeType();
+}

web/inc/2fa/Providers/Qr/QRException.php

@@ -0,0 +1,5 @@
+<?php
+
+use RobThree\Auth\TwoFactorAuthException;
+
+class QRException extends TwoFactorAuthException {}

web/inc/2fa/Providers/Qr/QRServerProvider.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace RobThree\Auth\Providers\Qr;
+
+// http://goqr.me/api/doc/create-qr-code/
+class QRServerProvider extends BaseHTTPQRCodeProvider 
+{
+    public $errorcorrectionlevel;
+    public $margin;
+    public $qzone;
+    public $bgcolor;
+    public $color;
+    public $format;
+
+    function __construct($verifyssl = false, $errorcorrectionlevel = 'L', $margin = 4, $qzone = 1, $bgcolor = 'ffffff', $color = '000000', $format = 'png') 
+    {
+        if (!is_bool($verifyssl))
+            throw new QRException('VerifySSL must be bool');
+
+        $this->verifyssl = $verifyssl;
+        
+        $this->errorcorrectionlevel = $errorcorrectionlevel;
+        $this->margin = $margin;
+        $this->qzone = $qzone;
+        $this->bgcolor = $bgcolor;
+        $this->color = $color;
+        $this->format = $format;
+    }
+    
+    public function getMimeType() 
+    {
+        switch (strtolower($this->format))
+        {
+        	case 'png':
+                return 'image/png';
+        	case 'gif':
+                return 'image/gif';
+        	case 'jpg':
+        	case 'jpeg':
+                return 'image/jpeg';
+        	case 'svg':
+                return 'image/svg+xml';
+        	case 'eps':
+                return 'application/postscript';
+        }
+        throw new \QRException(sprintf('Unknown MIME-type: %s', $this->format));
+    }
+    
+    public function getQRCodeImage($qrtext, $size) 
+    {
+        return $this->getContent($this->getUrl($qrtext, $size));
+    }
+    
+    private function decodeColor($value) 
+    {
+        return vsprintf('%d-%d-%d', sscanf($value, "%02x%02x%02x"));
+    }
+    
+    public function getUrl($qrtext, $size) 
+    {
+        return 'https://api.qrserver.com/v1/create-qr-code/'
+            . '?size=' . $size . 'x' . $size
+            . '&ecc=' . strtoupper($this->errorcorrectionlevel)
+            . '&margin=' . $this->margin
+            . '&qzone=' . $this->qzone
+            . '&bgcolor=' . $this->decodeColor($this->bgcolor)
+            . '&color=' . $this->decodeColor($this->color)
+            . '&format=' . strtolower($this->format)
+            . '&data=' . rawurlencode($qrtext);
+    }
+}

web/inc/2fa/Providers/Qr/QRicketProvider.php

@@ -0,0 +1,54 @@
+<?php
+
+namespace RobThree\Auth\Providers\Qr;
+
+// http://qrickit.com/qrickit_apps/qrickit_api.php
+class QRicketProvider extends BaseHTTPQRCodeProvider 
+{
+    public $errorcorrectionlevel;
+    public $margin;
+    public $qzone;
+    public $bgcolor;
+    public $color;
+    public $format;
+
+    function __construct($errorcorrectionlevel = 'L', $bgcolor = 'ffffff', $color = '000000', $format = 'p') 
+    {
+        $this->verifyssl = false;
+        
+        $this->errorcorrectionlevel = $errorcorrectionlevel;
+        $this->bgcolor = $bgcolor;
+        $this->color = $color;
+        $this->format = $format;
+    }
+    
+    public function getMimeType() 
+    {
+        switch (strtolower($this->format))
+        {
+        	case 'p':
+                return 'image/png';
+        	case 'g':
+                return 'image/gif';
+        	case 'j':
+                return 'image/jpeg';
+        }
+        throw new \QRException(sprintf('Unknown MIME-type: %s', $this->format));
+    }
+    
+    public function getQRCodeImage($qrtext, $size) 
+    {
+        return $this->getContent($this->getUrl($qrtext, $size));
+    }
+    
+    public function getUrl($qrtext, $size) 
+    {
+        return 'http://qrickit.com/api/qr'
+            . '?qrsize=' . $size
+            . '&e=' . strtolower($this->errorcorrectionlevel)
+            . '&bgdcolor=' . $this->bgcolor
+            . '&fgdcolor=' . $this->color
+            . '&t=' . strtolower($this->format)
+            . '&d=' . rawurlencode($qrtext);
+    }
+}

web/inc/2fa/Providers/Rng/CSRNGProvider.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace RobThree\Auth\Providers\Rng;
+
+class CSRNGProvider implements IRNGProvider
+{
+    public function getRandomBytes($bytecount) {
+        return random_bytes($bytecount);    // PHP7+
+    }
+    
+    public function isCryptographicallySecure() {
+        return true;
+    }
+}

web/inc/2fa/Providers/Rng/HashRNGProvider.php

@@ -0,0 +1,28 @@
+<?php
+namespace RobThree\Auth\Providers\Rng;
+
+class HashRNGProvider implements IRNGProvider
+{
+    private $algorithm;
+    
+    function __construct($algorithm = 'sha256' ) {
+        $algos = array_values(hash_algos());
+        if (!in_array($algorithm, $algos, true))
+            throw new \RNGException('Unsupported algorithm specified');
+        $this->algorithm = $algorithm;
+    }
+    
+    public function getRandomBytes($bytecount) {
+        $result = '';
+        $hash = mt_rand();
+        for ($i = 0; $i < $bytecount; $i++) {
+            $hash = hash($this->algorithm, $hash.mt_rand(), true);
+            $result .= $hash[mt_rand(0, strlen($hash)-1)];
+        }
+        return $result;
+    }
+    
+    public function isCryptographicallySecure() {
+        return false;
+    }
+}

web/inc/2fa/Providers/Rng/IRNGProvider.php

@@ -0,0 +1,9 @@
+<?php
+
+namespace RobThree\Auth\Providers\Rng;
+
+interface IRNGProvider
+{
+    public function getRandomBytes($bytecount);
+    public function isCryptographicallySecure();
+}

web/inc/2fa/Providers/Rng/MCryptRNGProvider.php

@@ -0,0 +1,23 @@
+<?php
+
+namespace RobThree\Auth\Providers\Rng;
+
+class MCryptRNGProvider implements IRNGProvider
+{
+    private $source;
+    
+    function __construct($source = MCRYPT_DEV_URANDOM) {
+        $this->source = $source;
+    }
+    
+    public function getRandomBytes($bytecount) {
+        $result = @mcrypt_create_iv($bytecount, $this->source);
+        if ($result === false)
+            throw new \RNGException('mcrypt_create_iv returned an invalid value');
+        return $result;
+    }
+    
+    public function isCryptographicallySecure() {
+        return true;
+    }
+}

web/inc/2fa/Providers/Rng/OpenSSLRNGProvider.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace RobThree\Auth\Providers\Rng;
+
+class OpenSSLRNGProvider implements IRNGProvider
+{
+    private $requirestrong;
+    
+    function __construct($requirestrong = true) {
+        $this->requirestrong = $requirestrong;
+    }
+    
+    public function getRandomBytes($bytecount) {
+        $result = openssl_random_pseudo_bytes($bytecount, $crypto_strong);
+        if ($this->requirestrong && ($crypto_strong === false))
+            throw new \RNGException('openssl_random_pseudo_bytes returned non-cryptographically strong value');
+        if ($result === false)
+            throw new \RNGException('openssl_random_pseudo_bytes returned an invalid value');
+        return $result;
+    }
+    
+    public function isCryptographicallySecure() {
+        return $this->requirestrong;
+    }
+}

web/inc/2fa/Providers/Rng/RNGException.php

@@ -0,0 +1,5 @@
+<?php
+
+use RobThree\Auth\TwoFactorAuthException;
+
+class RNGException extends TwoFactorAuthException {}

web/inc/2fa/Providers/Time/HttpTimeProvider.php

@@ -0,0 +1,54 @@
+<?php
+
+namespace RobThree\Auth\Providers\Time;
+
+/**
+ * Takes the time from any webserver by doing a HEAD request on the specified URL and extracting the 'Date:' header
+ */
+class HttpTimeProvider implements ITimeProvider
+{
+    public $url;
+    public $options;
+    public $expectedtimeformat;
+
+    function __construct($url = 'https://google.com', $expectedtimeformat = 'D, d M Y H:i:s O+', array $options = null)
+    {
+        $this->url = $url;
+        $this->expectedtimeformat = $expectedtimeformat;
+        $this->options = $options;
+        if ($this->options === null) {
+            $this->options = array(
+                'http' => array(
+                    'method' => 'HEAD',
+                    'follow_location' => false,
+                    'ignore_errors' => true,
+                    'max_redirects' => 0,
+                    'request_fulluri' => true,
+                    'header' => array(
+                        'Connection: close',
+                        'User-agent: TwoFactorAuth HttpTimeProvider (https://github.com/RobThree/TwoFactorAuth)',
+                        'Cache-Control: no-cache'
+                    )
+                )
+            );
+        }
+    }
+
+    public function getTime() {
+        try {
+            $context  = stream_context_create($this->options);
+            $fd = fopen($this->url, 'rb', false, $context);
+            $headers = stream_get_meta_data($fd);
+            fclose($fd);
+
+            foreach ($headers['wrapper_data'] as $h) {
+                if (strcasecmp(substr($h, 0, 5), 'Date:') === 0)
+                    return \DateTime::createFromFormat($this->expectedtimeformat, trim(substr($h,5)))->getTimestamp();
+            }
+            throw new \TimeException(sprintf('Unable to retrieve time from %s (Invalid or no "Date:" header found)', $this->url));
+        }
+        catch (Exception $ex) {
+            throw new \TimeException(sprintf('Unable to retrieve time from %s (%s)', $this->url, $ex->getMessage()));
+        }
+    }
+}

web/inc/2fa/Providers/Time/ITimeProvider.php

@@ -0,0 +1,8 @@
+<?php
+
+namespace RobThree\Auth\Providers\Time;
+
+interface ITimeProvider
+{
+    public function getTime();
+}

web/inc/2fa/Providers/Time/LocalMachineTimeProvider.php

@@ -0,0 +1,9 @@
+<?php
+
+namespace RobThree\Auth\Providers\Time;
+
+class LocalMachineTimeProvider implements ITimeProvider {
+    public function getTime() {
+        return time();
+    }
+}

web/inc/2fa/Providers/Time/NTPTimeProvider.php

@@ -0,0 +1,52 @@
+<?php
+
+namespace RobThree\Auth\Providers\Time;
+
+/**
+ * Takes the time from any NTP server
+ */
+class NTPTimeProvider implements ITimeProvider
+{
+    public $host;
+    public $port;
+    public $timeout;
+
+    function __construct($host = 'pool.ntp.org', $port = 123, $timeout = 1)
+    {
+        $this->host = $host;
+
+        if (!is_int($port) || $port <= 0 || $port > 65535)
+            throw new \TimeException('Port must be 0 < port < 65535');
+        $this->port = $port;
+
+        if (!is_int($timeout) || $timeout < 0)
+            throw new \TimeException('Timeout must be >= 0');
+        $this->timeout = $timeout;
+    }
+
+    public function getTime() {
+        try {
+            /* Create a socket and connect to NTP server */
+            $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
+            socket_connect($sock, $this->host, $this->port);
+
+            /* Send request */
+            $msg = "\010" . str_repeat("\0", 47);
+            socket_send($sock, $msg, strlen($msg), 0);
+
+            /* Receive response and close socket */
+            socket_recv($sock, $recv, 48, MSG_WAITALL);
+            socket_close($sock);
+
+            /* Interpret response */
+            $data = unpack('N12', $recv);
+            $timestamp = sprintf('%u', $data[9]);
+
+            /* NTP is number of seconds since 0000 UT on 1 January 1900 Unix time is seconds since 0000 UT on 1 January 1970 */
+            return $timestamp - 2208988800;
+        }
+        catch (Exception $ex) {
+            throw new \TimeException(sprintf('Unable to retrieve time from %s (%s)', $this->host, $ex->getMessage()));
+        }
+    }
+}

web/inc/2fa/Providers/Time/TimeException.php

@@ -0,0 +1,5 @@
+<?php
+
+use RobThree\Auth\TwoFactorAuthException;
+
+class TimeException extends TwoFactorAuthException {}

web/inc/2fa/TwoFactorAuth.php

@@ -0,0 +1,256 @@
+<?php
+namespace RobThree\Auth;
+
+use RobThree\Auth\Providers\Qr\IQRCodeProvider;
+use RobThree\Auth\Providers\Rng\IRNGProvider;
+use RobThree\Auth\Providers\Time\ITimeProvider;
+
+// Based on / inspired by: https://github.com/PHPGangsta/GoogleAuthenticator
+// Algorithms, digits, period etc. explained: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+class TwoFactorAuth
+{
+    private $algorithm;
+    private $period;
+    private $digits;
+    private $issuer;
+    private $qrcodeprovider = null;
+    private $rngprovider = null;
+    private $timeprovider = null;
+    private static $_base32dict = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=';
+    private static $_base32;
+    private static $_base32lookup = array();
+    private static $_supportedalgos = array('sha1', 'sha256', 'sha512', 'md5');
+
+    function __construct($issuer = null, $digits = 6, $period = 30, $algorithm = 'sha1', IQRCodeProvider $qrcodeprovider = null, IRNGProvider $rngprovider = null, ITimeProvider $timeprovider = null)
+    {
+        $this->issuer = $issuer;
+        if (!is_int($digits) || $digits <= 0)
+            throw new TwoFactorAuthException('Digits must be int > 0');
+        $this->digits = $digits;
+
+        if (!is_int($period) || $period <= 0)
+            throw new TwoFactorAuthException('Period must be int > 0');
+        $this->period = $period;
+
+        $algorithm = strtolower(trim($algorithm));
+        if (!in_array($algorithm, self::$_supportedalgos))
+            throw new TwoFactorAuthException('Unsupported algorithm: ' . $algorithm);
+        $this->algorithm = $algorithm;
+        $this->qrcodeprovider = $qrcodeprovider;
+        $this->rngprovider = $rngprovider;
+        $this->timeprovider = $timeprovider;
+
+        self::$_base32 = str_split(self::$_base32dict);
+        self::$_base32lookup = array_flip(self::$_base32);
+    }
+
+    /**
+     * Create a new secret
+     */
+    public function createSecret($bits = 80, $requirecryptosecure = true)
+    {
+        $secret = '';
+        $bytes = ceil($bits / 5);   //We use 5 bits of each byte (since we have a 32-character 'alphabet' / BASE32)
+        $rngprovider = $this->getRngprovider();
+        if ($requirecryptosecure && !$rngprovider->isCryptographicallySecure())
+            throw new TwoFactorAuthException('RNG provider is not cryptographically secure');
+        $rnd = $rngprovider->getRandomBytes($bytes);
+        for ($i = 0; $i < $bytes; $i++)
+            $secret .= self::$_base32[ord($rnd[$i]) & 31];  //Mask out left 3 bits for 0-31 values
+        return $secret;
+    }
+
+    /**
+     * Calculate the code with given secret and point in time
+     */
+    public function getCode($secret, $time = null)
+    {
+        $secretkey = $this->base32Decode($secret);
+
+        $timestamp = "\0\0\0\0" . pack('N*', $this->getTimeSlice($this->getTime($time)));  // Pack time into binary string
+        $hashhmac = hash_hmac($this->algorithm, $timestamp, $secretkey, true);             // Hash it with users secret key
+        $hashpart = substr($hashhmac, ord(substr($hashhmac, -1)) & 0x0F, 4);               // Use last nibble of result as index/offset and grab 4 bytes of the result
+        $value = unpack('N', $hashpart);                                                   // Unpack binary value
+        $value = $value[1] & 0x7FFFFFFF;                                                   // Drop MSB, keep only 31 bits
+
+        return str_pad($value % pow(10, $this->digits), $this->digits, '0', STR_PAD_LEFT);
+    }
+
+    /**
+     * Check if the code is correct. This will accept codes starting from ($discrepancy * $period) sec ago to ($discrepancy * period) sec from now
+     */
+    public function verifyCode($secret, $code, $discrepancy = 1, $time = null, &$timeslice = 0)
+    {
+        $timetamp = $this->getTime($time);
+
+        $timeslice = 0;
+
+        // To keep safe from timing-attacks we iterate *all* possible codes even though we already may have
+        // verified a code is correct. We use the timeslice variable to hold either 0 (no match) or the timeslice
+        // of the match. Each iteration we either set the timeslice variable to the timeslice of the match
+        // or set the value to itself.  This is an effort to maintain constant execution time for the code.
+        for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
+            $ts = $timetamp + ($i * $this->period);
+            $slice = $this->getTimeSlice($ts);
+            $timeslice = $this->codeEquals($this->getCode($secret, $ts), $code) ? $slice : $timeslice;
+        }
+
+        return $timeslice > 0;
+    }
+
+    /**
+     * Timing-attack safe comparison of 2 codes (see http://blog.ircmaxell.com/2014/11/its-all-about-time.html)
+     */
+    private function codeEquals($safe, $user) {
+        if (function_exists('hash_equals')) {
+            return hash_equals($safe, $user);
+        }
+        // In general, it's not possible to prevent length leaks. So it's OK to leak the length. The important part is that
+        // we don't leak information about the difference of the two strings.
+        if (strlen($safe)===strlen($user)) {
+            $result = 0;
+            for ($i = 0; $i < strlen($safe); $i++)
+                $result |= (ord($safe[$i]) ^ ord($user[$i]));
+            return $result === 0;
+        }
+        return false;
+    }
+
+    /**
+     * Get data-uri of QRCode
+     */
+    public function getQRCodeImageAsDataUri($label, $secret, $size = 200)
+    {
+        if (!is_int($size) || $size <= 0)
+            throw new TwoFactorAuthException('Size must be int > 0');
+
+        $qrcodeprovider = $this->getQrCodeProvider();
+        return 'data:'
+            . $qrcodeprovider->getMimeType()
+            . ';base64,'
+            . base64_encode($qrcodeprovider->getQRCodeImage($this->getQRText($label, $secret), $size));
+    }
+
+    /**
+     * Compare default timeprovider with specified timeproviders and ensure the time is within the specified number of seconds (leniency)
+     */
+    public function ensureCorrectTime(array $timeproviders = null, $leniency = 5)
+    {
+        if ($timeproviders != null && !is_array($timeproviders))
+            throw new TwoFactorAuthException('No timeproviders specified');
+
+        if ($timeproviders == null)
+            $timeproviders = array(
+                new Providers\Time\NTPTimeProvider(),
+                new Providers\Time\HttpTimeProvider()
+            );
+
+        // Get default time provider
+        $timeprovider = $this->getTimeProvider();
+
+        // Iterate specified time providers
+        foreach ($timeproviders as $t) {
+            if (!($t instanceof ITimeProvider))
+                throw new TwoFactorAuthException('Object does not implement ITimeProvider');
+
+            // Get time from default time provider and compare to specific time provider and throw if time difference is more than specified number of seconds leniency
+            if (abs($timeprovider->getTime() - $t->getTime()) > $leniency)
+                throw new TwoFactorAuthException(sprintf('Time for timeprovider is off by more than %d seconds when compared to %s', $leniency, get_class($t)));
+        }
+    }
+
+    private function getTime($time)
+    {
+        return ($time === null) ? $this->getTimeProvider()->getTime() : $time;
+    }
+
+    private function getTimeSlice($time = null, $offset = 0)
+    {
+        return (int)floor($time / $this->period) + ($offset * $this->period);
+    }
+
+    /**
+     * Builds a string to be encoded in a QR code
+     */
+    public function getQRText($label, $secret)
+    {
+        return 'otpauth://totp/' . rawurlencode($label)
+            . '?secret=' . rawurlencode($secret)
+            . '&issuer=' . rawurlencode($this->issuer)
+            . '&period=' . intval($this->period)
+            . '&algorithm=' . rawurlencode(strtoupper($this->algorithm))
+            . '&digits=' . intval($this->digits);
+    }
+
+    private function base32Decode($value)
+    {
+        if (strlen($value)==0) return '';
+
+        if (preg_match('/[^'.preg_quote(self::$_base32dict).']/', $value) !== 0)
+            throw new TwoFactorAuthException('Invalid base32 string');
+
+        $buffer = '';
+        foreach (str_split($value) as $char)
+        {
+            if ($char !== '=')
+                $buffer .= str_pad(decbin(self::$_base32lookup[$char]), 5, 0, STR_PAD_LEFT);
+        }
+        $length = strlen($buffer);
+        $blocks = trim(chunk_split(substr($buffer, 0, $length - ($length % 8)), 8, ' '));
+
+        $output = '';
+        foreach (explode(' ', $blocks) as $block)
+            $output .= chr(bindec(str_pad($block, 8, 0, STR_PAD_RIGHT)));
+        return $output;
+    }
+
+    /**
+     * @return IQRCodeProvider
+     * @throws TwoFactorAuthException
+     */
+    public function getQrCodeProvider()
+    {
+        // Set default QR Code provider if none was specified
+        if (null === $this->qrcodeprovider) {
+            return $this->qrcodeprovider = new Providers\Qr\GoogleQRCodeProvider();
+        }
+        return $this->qrcodeprovider;
+    }
+
+    /**
+     * @return IRNGProvider
+     * @throws TwoFactorAuthException
+     */
+    public function getRngprovider()
+    {
+        if (null !== $this->rngprovider) {
+            return $this->rngprovider;
+        }
+        if (function_exists('random_bytes')) {
+            return $this->rngprovider = new Providers\Rng\CSRNGProvider();
+        }
+        if (function_exists('mcrypt_create_iv')) {
+            return $this->rngprovider = new Providers\Rng\MCryptRNGProvider();
+        }
+        if (function_exists('openssl_random_pseudo_bytes')) {
+            return $this->rngprovider = new Providers\Rng\OpenSSLRNGProvider();
+        }
+        if (function_exists('hash')) {
+            return $this->rngprovider = new Providers\Rng\HashRNGProvider();
+        }
+        throw new TwoFactorAuthException('Unable to find a suited RNGProvider');
+    }
+
+    /**
+     * @return ITimeProvider
+     * @throws TwoFactorAuthException
+     */
+    public function getTimeProvider()
+    {
+        // Set default time provider if none was specified
+        if (null === $this->timeprovider) {
+            return $this->timeprovider = new Providers\Time\LocalMachineTimeProvider();
+        }
+        return $this->timeprovider;
+    }
+}

web/inc/2fa/TwoFactorAuthException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace RobThree\Auth;
+
+use Exception;
+
+class TwoFactorAuthException extends \Exception {}

web/inc/2fa/check.php

@@ -0,0 +1,27 @@
+<?php
+
+if (isset($argv[1]) && isset($argv[2])) {
+    $secret = $argv[1];
+    $token = $argv[2];
+} elseif (isSet($_GET['secret']) && isSet($_GET['token'])) {
+    $secret = htmlspecialchars($_GET['secret']);
+    $token = htmlspecialchars($_GET['token']);
+} else {
+    echo 'ERROR: Secret or Token is not set as argument!';
+    exit;
+}
+
+
+require_once '/usr/local/hestia/web/inc/2fa/loader.php';
+Loader::register('./','RobThree\\Auth');
+
+use \RobThree\Auth\TwoFactorAuth;
+
+$tfa = new TwoFactorAuth('Hestia Control Panel');
+
+// Verify code
+$result = $tfa->verifyCode($secret, $token);
+
+if ($result){
+    echo "ok";
+}

web/inc/2fa/loader.php

@@ -0,0 +1,50 @@
+<?php
+
+//http://www.leaseweblabs.com/2014/04/psr-0-psr-4-autoloading-classes-php/
+class Loader
+{
+    protected static $parentPath = null;
+    protected static $paths = null;
+    protected static $files = null;
+    protected static $nsChar = '\\';
+    protected static $initialized = false;
+    
+    protected static function initialize()
+    {
+        if (static::$initialized) return;
+        static::$initialized = true;
+        static::$parentPath = __FILE__;
+        for ($i=substr_count(get_class(), static::$nsChar);$i>=0;$i--) {
+            static::$parentPath = dirname(static::$parentPath);
+        }
+        static::$paths = array();
+        static::$files = array(__FILE__);
+    }
+    
+    public static function register($path,$namespace) {
+        if (!static::$initialized) static::initialize();
+        static::$paths[$namespace] = trim($path,DIRECTORY_SEPARATOR);
+    }
+    
+    public static function load($class) {
+        if (class_exists($class,false)) return;
+        if (!static::$initialized) static::initialize();
+        
+        foreach (static::$paths as $namespace => $path) {
+            if (!$namespace || $namespace.static::$nsChar === substr($class, 0, strlen($namespace.static::$nsChar))) {
+                
+                $fileName = substr($class,strlen($namespace.static::$nsChar)-1);
+                $fileName = str_replace(static::$nsChar, DIRECTORY_SEPARATOR, ltrim($fileName,static::$nsChar));
+                $fileName = static::$parentPath.DIRECTORY_SEPARATOR.$path.DIRECTORY_SEPARATOR.$fileName.'.php';
+                
+                if (file_exists($fileName)) {
+                    include $fileName;
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+}
+
+spl_autoload_register(array('Loader', 'load'));

web/inc/2fa/secret.php

@@ -0,0 +1,13 @@
+<?php
+
+require_once '/usr/local/hestia/web/inc/2fa/loader.php';
+Loader::register('./','RobThree\\Auth');
+
+use \RobThree\Auth\TwoFactorAuth;
+
+$tfa = new TwoFactorAuth('Hestia Control Panel');
+
+$secret = $tfa->createSecret(160);  // Though the default is an 80 bits secret (for backwards compatibility reasons) we recommend creating 160+ bits secrets (see RFC 4226 - Algorithm Requirements)
+$qrcode = $tfa->getQRCodeImageAsDataUri('Hestia Control Panel', $secret);
+
+echo $secret . "-" . $qrcode;