jenkins-bot has submitted this change and it was merged.

Change subject: Make authentication window leniency configurable
......................................................................


Make authentication window leniency configurable

Make window radius configurable by the system administrator, rather than
hardcoded.

Bug: 53194
Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313
---
M OATHAuth.php
M OATHUser.php
2 files changed, 21 insertions(+), 2 deletions(-)

Approvals:
  CSteipp: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/OATHAuth.php b/OATHAuth.php
index f8c0a4a..60bc2e8 100644
--- a/OATHAuth.php
+++ b/OATHAuth.php
@@ -26,6 +26,21 @@
        'descriptionmsg' => 'oathauth-desc',
 );
 
+/**
+ * The number of token windows in each direction that should be valid
+ *
+ * This tells OATH to accept tokens for a range of $wgOATHAuthWindowRadius * 2 
windows
+ * (which is effectively ((1 + 2 * $wgOATHAuthWindowRadius) * 30) seconds).
+ * This range of valid windows is centered around the current time.
+ *
+ * The purpose of this configuration variable is to account for differences 
between
+ * the user's clock and the server's clock. However, it is recommended to keep 
it as
+ * low as possible.
+ *
+ * @var int
+ */
+$wgOATHAuthWindowRadius = 4;
+
 $dir = __DIR__ . '/';
 
 $wgMessagesDirs['OATHAuth'] = __DIR__ . '/i18n';
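Review bot: The doc comment at the top of the hunk states the accepted range as `$wgOATHAuthWindowRadius * 2` windows, but the seconds formula on the next line and the `-$radius, +$radius` bounds passed in OATHUser.php accept 1 + 2 * radius windows (the current one plus radius on each side). Change it to `This tells OATH to accept tokens for a range of (1 + 2 * $wgOATHAuthWindowRadius) windows`. It would also help operators to state that the value must be a non-negative integer and that every increment adds 60 seconds of acceptance, since with the default of 4 a token is accepted for 270 seconds around the current time: the larger the radius, the longer an intercepted but unused token stays usable and the more candidate values a single guess can match.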
diff --git a/OATHUser.php b/OATHUser.php
index 2e35266..f46d95f 100644
--- a/OATHUser.php
+++ b/OATHUser.php
@@ -143,6 +143,8 @@
         * @return Boolean
         */
        public function verifyToken( $token, $reset = false ) {
+               global $wgOATHAuthWindowRadius;
+
                $memc = ObjectCache::newAnything( array() );
 
                // Prevent replay attacks
@@ -151,7 +153,9 @@
 
                $retval = false;
                $secret = $reset ? $this->secretReset : $this->secret;
-               $results = HOTP::generateByTimeWindow( Base32::decode( $secret 
), 30, -4, 4 );
+               $results = HOTP::generateByTimeWindow(
+                       Base32::decode( $secret ),
+                       30, -$wgOATHAuthWindowRadius, $wgOATHAuthWindowRadius );
                // Check to see if the user's given token is in the list of 
tokens generated
                // for the time window.
                foreach ( $results as $window => $result ) {
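Review bot: `$wgOATHAuthWindowRadius` is passed straight into generateByTimeWindow at lines 73-75 without any validation; a negative or non-integer value set in LocalSettings would presumably yield an inverted or empty window range (generateByTimeWindow is not in the hunk) and silently reject every token. Consider normalising it once after the `global` statement earlier in verifyToken, `$radius = max( 0, (int)$wgOATHAuthWindowRadius );`, and passing `-$radius, $radius` here and to the TTL calculation below. verifyToken starts before this hunk and continues after it.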
@@ -175,7 +179,7 @@
                }
 
                if ( $retval ) {
-                       $memc->set( $memcKey, $lastWindow, 30 * 8 );
+                       $memc->set( $memcKey, $lastWindow, 30 * (1 + 2 * 
$wgOATHAuthWindowRadius) );
                }
 
                return $retval;
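Review bot: The TTL expression `30 * (1 + 2 * $wgOATHAuthWindowRadius)` at line 85 encodes the same 30-second step and window count as the generateByTimeWindow call earlier in the function, but nothing records why the two must agree, so someone changing one is likely to miss the other and shorten the replay-protection lifetime below the acceptance range. Add `// The replay marker must outlive the whole acceptance range: 1 + 2 * radius windows of 30 s` above the set() call, or hoist `$step = 30;` next to the radius and use it in both places. verifyToken's body continues outside the hunk.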

-- 
To view, visit https://gerrit.wikimedia.org/r/132784
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313
Gerrit-PatchSet: 9
Gerrit-Project: mediawiki/extensions/OATHAuth
Gerrit-Branch: master
Gerrit-Owner: Parent5446 <tylerro...@gmail.com>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>
Gerrit-Reviewer: Jjanes <jeff.ja...@gmail.com>
Gerrit-Reviewer: Parent5446 <tylerro...@gmail.com>
Gerrit-Reviewer: Reedy <s...@reedyboy.net>
Gerrit-Reviewer: Ryan Lane <r...@ryandlane.com>
Gerrit-Reviewer: jenkins-bot <>
