TFS 1.2+ Two-Factor Authentication system.

RFC6238 Implementation of the OTP algorythm, tested with the app "Authy" from the iOS iPhone app store.

login.php

@@ -4,12 +4,14 @@ logged_in_redirect();
 include 'layout/overall/header.php';
 
 if (empty($_POST) === false) {
+
 	if ($config['log_ip']) {
 		znote_visitor_insert_detailed_data(5);
 	}
+	
 	$username = $_POST['username'];
 	$password = $_POST['password'];
-	//data_dump($_POST, false, "POST");
+
 	if (empty($username) || empty($password)) {
 		$errors[] = 'You need to enter a username and password.';
 	} else if (strlen($username) > 32 || strlen($password) > 64) {
@@ -42,20 +44,62 @@ if (empty($_POST) === false) {
 			} else $status = true;
 			
 			if ($status) {
-				setSession('user_id', $login);
-			
-				// if IP is not set (etc acc created before Znote AAC was in use)
-				$znote_data = user_znote_account_data($login);
-				if ($znote_data['ip'] == 0) {
-					$update_data = array(
-					'ip' => getIPLong(),
-					);
-					user_update_znote_account($update_data);
-				}
+				// Regular login success, now lets check authentication token code
+				if ($config['TFSVersion'] == 'TFS_10' && $config['twoFactorAuthenticator']) {
+					require_once("engine/function/rfc6238.php");
+
+					// Two factor authentication code / token
+					$authcode = (isset($_POST['authcode'])) ? getValue($_POST['authcode']) : false;
+
+					// Load secret values from db
+					$query = mysql_select_single("SELECT `a`.`secret` AS `secret`, `za`.`secret` AS `znote_secret` FROM `accounts` AS `a` INNER JOIN `znote_accounts` AS `za` ON `a`.`id` = `za`.`account_id` WHERE `a`.`id`='".(int)$login."' LIMIT 1;");
+					
+					// If account table HAS a secret, we need to validate it
+					if ($query['secret'] !== NULL) {
+
+						// Validate the secret first to make sure all is good.
+						if (TokenAuth6238::verify($query['znote_secret'], $authcode) !== true) {
+							$errors[] = "Submitted Two-Factor Authentication token is wrong.";
+							$errors[] = "Make sure to type the correct token from your mobile authenticator.";
+							$status = false;
+						}
+
+					} else {
+
+						// secret from accounts table is null/not set. Perhaps we can activate it:
+						if ($query['znote_secret'] !== NULL && $authcode !== false && !empty($authcode)) {
+
+							// Validate the secret first to make sure all is good.
+							if (TokenAuth6238::verify($query['znote_secret'], $authcode)) {
+								// Success, enable the 2FA system
+								mysql_update("UPDATE `accounts` SET `secret`= '$authcode' WHERE `id`='$login';");
+							} else {
+								$errors[] = "Activating Two-Factor authentication failed.";
+								$errors[] = "Try to login without token and configure your app properly.";
+								$errors[] = "Submitted Two-Factor Authentication token is wrong.";
+								$errors[] = "Make sure to type the correct token from your mobile authenticator.";
+								$status = false;
+							}
+						}
+					}
+				} // End tfs 1.0+ with 2FA auth
 				
-				// Send them to myaccount.php
-				header('Location: myaccount.php');
-				exit();
+				if ($status) {
+					setSession('user_id', $login);
+					
+					// if IP is not set (etc acc created before Znote AAC was in use)
+					$znote_data = user_znote_account_data($login);
+					if ($znote_data['ip'] == 0) {
+						$update_data = array(
+						'ip' => getIPLong(),
+						);
+						user_update_znote_account($update_data);
+					}
+					
+					// Send them to myaccount.php
+					header('Location: myaccount.php');
+					exit();
+				}
 			}
 		}
 	}
@@ -64,10 +108,10 @@ if (empty($_POST) === false) {
 }
 
 if (empty($errors) === false) {
-?>
+	?>
 	<h2>We tried to log you in, but...</h2>
-<?php
+	<?php
 	echo output_errors($errors);
 }
-include 'layout/overall/footer.php';
-?>
+
+include 'layout/overall/footer.php'; ?>