jenkins-bot has submitted this change and it was merged. Change subject: Make authentication window leniency configurable
Make authentication window leniency configurable Make window radius configurable by the system administrator, rather than hardcoded. Bug: 53194 Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313 --- M OATHAuth.php M OATHUser.php 2 files changed, 21 insertions(+), 2 deletions(-) Approvals: CSteipp: Looks good to me, approved jenkins-bot: Verified diff --git a/OATHAuth.php b/OATHAuth.php index f8c0a4a..60bc2e8 100644 --- a/OATHAuth.php +++ b/OATHAuth.php @@ -26,6 +26,21 @@ 'descriptionmsg' => 'oathauth-desc', ); +/** + * The number of token windows in each direction that should be valid + * + * This tells OATH to accept tokens for a range of $wgOATHAuthWindowRadius * 2 windows + * (which is effectively ((1 + 2 * $wgOATHAuthWindowRadius) * 30) seconds). + * This range of valid windows is centered around the current time. + * + * The purpose of this configuration variable is to account for differences between + * the user's clock and the server's clock. However, it is recommended to keep it as + * low as possible. + * + * @var int + */ +$wgOATHAuthWindowRadius = 4; + $dir = __DIR__ . '/'; $wgMessagesDirs['OATHAuth'] = __DIR__ . '/i18n'; diff --git a/OATHUser.php b/OATHUser.php index 2e35266..f46d95f 100644 --- a/OATHUser.php +++ b/OATHUser.php @@ -143,6 +143,8 @@ * @return Boolean */ public function verifyToken( $token, $reset = false ) { + global $wgOATHAuthWindowRadius; + $memc = ObjectCache::newAnything( array() ); // Prevent replay attacks @@ -151,7 +153,9 @@ $retval = false; $secret = $reset ? $this->secretReset : $this->secret; - $results = HOTP::generateByTimeWindow( Base32::decode( $secret ), 30, -4, 4 ); + $results = HOTP::generateByTimeWindow( + Base32::decode( $secret ), + 30, -$wgOATHAuthWindowRadius, $wgOATHAuthWindowRadius ); // Check to see if the user's given token is in the list of tokens generated // for the time window. foreach ( $results as $window => $result ) { 
@@ -175,7 +179,7 @@ } if ( $retval ) { - $memc->set( $memcKey, $lastWindow, 30 * 8 ); + $memc->set( $memcKey, $lastWindow, 30 * (1 + 2 * $wgOATHAuthWindowRadius) ); } return $retval; -- To view, visit https://gerrit.wikimedia.org/r/132784 Gerrit-MessageType: merged Gerrit-Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313 Gerrit-PatchSet: 9 Gerrit-Project: mediawiki/extensions/OATHAuth Gerrit-Branch: master Gerrit-Owner: Parent5446 <tylerro...@gmail.com> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Jjanes <jeff.ja...@gmail.com> Gerrit-Reviewer: Parent5446 <tylerro...@gmail.com> Gerrit-Reviewer: Reedy <s...@reedyboy.net> Gerrit-Reviewer: Ryan Lane <r...@ryandlane.com> Gerrit-Reviewer: jenkins-bot <>
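Review bot: The doc comment added in the OATHAuth.php hunk (-26,6 +26,21) contradicts itself on the size of the accepted range: it says tokens are accepted for "$wgOATHAuthWindowRadius * 2 windows" and then gives the duration as ((1 + 2 * $wgOATHAuthWindowRadius) * 30) seconds, which is 1 + 2 * radius windows. The second figure is the one the cache lifetime in OATHUser.php uses, 30 * (1 + 2 * $wgOATHAuthWindowRadius), so the first sentence should be corrected to match it. It would also help administrators to spell out the default: by the comment's own formula the value 4 set here accepts 9 windows, or 270 seconds, of tokens, and 0 gives a single 30 second window.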
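Review bot: In the OATHUser.php hunk at -151,7 +153,9, $wgOATHAuthWindowRadius is passed to HOTP::generateByTimeWindow() as both -$wgOATHAuthWindowRadius and $wgOATHAuthWindowRadius with no check that it is a non-negative integer, although the setting is documented as @var int and is now meant to be edited by administrators. A negative value swaps the lower and upper bounds, and a string or float reaches the library unchecked. Suggest normalising it once at the top of verifyToken(), for example $radius = max( 0, (int)$wgOATHAuthWindowRadius );, and using $radius both in this call and in the $memc->set() lifetime further down. Since the doc comment recommends keeping the value as low as possible, it is also worth deciding whether an upper bound should be enforced here.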
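Review bot: The $memc->set() change in the last OATHUser.php hunk (-175,7 +179,7) alters the default lifetime of the entry used to prevent replay from 30 * 8 = 240 seconds to 30 * (1 + 2 * 4) = 270 seconds, and the commit message does not mention it. The new value matches the accepted range documented in OATHAuth.php, so it looks intentional, but it is a behaviour change on top of making the radius configurable and deserves a line in the commit message. The expression also repeats the formula from the doc comment; computing the window count once in verifyToken() and reusing it here would keep the token range and the cache lifetime from drifting apart.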