Parent5446 has uploaded a new change for review. https://gerrit.wikimedia.org/r/132784
Change subject: Make authentication window size and leniency configurable ...................................................................... Make authentication window size and leniency configurable Make window size and radius configurable by the system administrator, rather than hardcoded. Bug: 53194 Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313 --- M OATHAuth.php M OATHUser.php 2 files changed, 31 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OATHAuth refs/changes/84/132784/1
diff --git a/OATHAuth.php b/OATHAuth.php
index d5c8c61..fa79c7f 100644
--- a/OATHAuth.php
+++ b/OATHAuth.php
@@ -26,6 +26,32 @@
 'descriptionmsg' => 'oathauth-desc',
 );
+/**
+ * The size of a window to which a token belongs, in seconds
+ *
+ * In OATHAuth, every number of seconds, a new token is generated.
+ * The number of tokens that are valid at a given time is determined
+ * by $wgOATHAuthWindowRange
+ *
+ * @var int
+ */
+$wgOAUTHAuthWindowSize = 30;
+
+/**
+ * The number of token windows in each direction that should be valid
+ *
+ * This tells OATH to accept tokens for a range of $wgOAUTHAuthWindowRadius * 2 windows
+ * (which is effectively ((1 + 2 * $wgOAUTHAuthWindowRadius) * $wgOATHAuthWindowSize) seconds).
+ * This range of valid windows is centered around the current time.
+ *
+ * The purpose of this configuration variable is to account for differences between
+ * the user's clock and the server's clock. However, it is recommended to keep it as
+ * low as possible.
+ *
+ * @var int
+ */
+$wgOAUTHAuthWindowRadius = 4;
+
 $dir = __DIR__ . '/';
 $wgMessagesDirs['OATHAuth'] = __DIR__ . '/i18n';
diff --git a/OATHUser.php b/OATHUser.php
index 3606639..7eeeaa6 100644
--- a/OATHUser.php
+++ b/OATHUser.php
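Review bot: The window-size setting is defined in OATHAuth.php as `$wgOAUTHAuthWindowSize`, but the OATHUser.php hunks of this change read `$wgOATHAuthWindowSize` (in the `global` statement, the `HOTP::generateByTimeWindow()` call and the `$wgMemc->set()` expiry), so `verifyToken()` would see an unset global instead of 30 and both the token window and the replay-entry lifetime would be computed from it. Use one spelling in both files, for example `$wgOATHAuthWindowSize = 30;` and `$wgOATHAuthWindowRadius = 4;` to match the extension name, and update the three call sites to it. The first docblock also points to `$wgOATHAuthWindowRange`, which this change never defines, and the second says `Radius * 2` windows while the formula next to it counts `1 + 2 * Radius`; both should name the radius variable and give the same count.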
@@ -143,7 +143,7 @@
 * @return Boolean
 */
 public function verifyToken( $token, $reset = false ) {
- global $wgMemc;
+ global $wgMemc, $wgOATHAuthWindowSize, $wgOAUTHAuthWindowRadius;
 // Prevent replay attacks
 $memcKey = wfMemcKey( 'oauthauth', 'usedtokens', $reset ? 'reset' : null, $token );
@@ -153,7 +153,9 @@
 $retval = false;
 $secret = $reset ? $this->secretReset : $this->secret;
- $results = HOTP::generateByTimeWindow( Base32::decode( $secret ), 30, -4, 4 );
+ $results = HOTP::generateByTimeWindow(
+ Base32::decode( $secret ),
+ $wgOATHAuthWindowSize, -$wgOAUTHAuthWindowRadius, $wgOAUTHAuthWindowRadius );
 // Check to see if the user's given token is in the list of tokens generated
 // for the time window.
 foreach ( $results as $result ) {
@@ -176,7 +178,7 @@
 }
 if ( $retval ) {
- $wgMemc->set( $memcKey, true, 30 * 8 );
+ $wgMemc->set( $memcKey, true, $wgOATHAuthWindowSize * (1 + 2 * $wgOAUTHAuthWindowRadius) );
 }
 return $retval;
-- To view, visit https://gerrit.wikimedia.org/r/132784 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/OATHAuth Gerrit-Branch: master Gerrit-Owner: Parent5446 <tylerro...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
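Review bot: Neither setting is checked before it reaches `HOTP::generateByTimeWindow()` in the `-153` hunk, so a zero or negative window size or a negative radius from site configuration is passed straight through; how the HOTP class behaves with such values is not visible here. Normalising once before the call, for example `$size = max( 1, (int)$wgOATHAuthWindowSize );` and `$radius = max( 0, (int)$wgOAUTHAuthWindowRadius );`, keeps a configuration mistake from breaking token verification. The same two locals should feed the expiry in the last hunk, `$wgMemc->set( $memcKey, true, $size * ( 1 + 2 * $radius ) );`, so the replay-prevention entry always lives exactly as long as the accepted range and the expression is written once. verifyToken()'s body starts and ends outside these hunks.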