Parent5446 has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/132784

Change subject: Make authentication window size and leniency configurable
......................................................................

Make authentication window size and leniency configurable

Make window size and radius configurable by the system
administrator, rather than hardcoded.

Bug: 53194
Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313
---
M OATHAuth.php
M OATHUser.php
2 files changed, 31 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OATHAuth 
refs/changes/84/132784/1

diff --git a/OATHAuth.php b/OATHAuth.php
index d5c8c61..fa79c7f 100644
--- a/OATHAuth.php
+++ b/OATHAuth.php
@@ -26,6 +26,32 @@
        'descriptionmsg' => 'oathauth-desc',
 );
 
+/**
+ * The size of a window to which a token belongs, in seconds
+ *
+ * In OATHAuth, every number of seconds, a new token is generated.
+ * The number of tokens that are valid at a given time is determined
+ * by $wgOATHAuthWindowRange
+ *
+ * @var int
+ */
+$wgOAUTHAuthWindowSize = 30;
+
+/**
+ * The number of token windows in each direction that should be valid
+ *
+ * This tells OATH to accept tokens for a range of $wgOAUTHAuthWindowRadius * 
2 windows
+ * (which is effectively ((1 + 2 * $wgOAUTHAuthWindowRadius) * 
$wgOATHAuthWindowSize) seconds).
+ * This range of valid windows is centered around the current time.
+ *
+ * The purpose of this configuration variable is to account for differences 
between
+ * the user's clock and the server's clock. However, it is recommended to keep 
it as
+ * low as possible.
+ *
+ * @var int
+ */
+$wgOAUTHAuthWindowRadius = 4;
+
 $dir = __DIR__ . '/';
 
 $wgMessagesDirs['OATHAuth'] = __DIR__ . '/i18n';
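Review bot: The setting defined here as `$wgOAUTHAuthWindowSize` is read in OATHUser.php as `$wgOATHAuthWindowSize` (the `global` line and both uses in verifyToken()), so unless that spelling is defined elsewhere the window size is null there. It would then be passed as the time step to `HOTP::generateByTimeWindow()`, and the replay-cache TTL in `$wgMemc->set()` would evaluate to 0, which cache backends commonly treat as "no expiry". Pick one spelling for both variables, e.g. `$wgOATHAuthWindowSize = 30;` and `$wgOATHAuthWindowRadius = 4;`, and use it in all three OATHUser.php hunks. The docblocks also name a `$wgOATHAuthWindowRange` that this change does not define, and say "Radius * 2 windows" where the formula that follows gives 1 + 2 * radius. With the defaults that is 9 windows, i.e. 270 seconds of acceptance, which is worth stating next to the "keep it as low as possible" advice.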
diff --git a/OATHUser.php b/OATHUser.php
index 3606639..7eeeaa6 100644
--- a/OATHUser.php
+++ b/OATHUser.php
@@ -143,7 +143,7 @@
         * @return Boolean
         */
        public function verifyToken( $token, $reset = false ) {
-               global $wgMemc;
+               global $wgMemc, $wgOATHAuthWindowSize, $wgOAUTHAuthWindowRadius;
 
                // Prevent replay attacks
                $memcKey = wfMemcKey( 'oauthauth', 'usedtokens', $reset ? 
'reset' : null, $token );
@@ -153,7 +153,9 @@
 
                $retval = false;
                $secret = $reset ? $this->secretReset : $this->secret;
-               $results = HOTP::generateByTimeWindow( Base32::decode( $secret 
), 30, -4, 4 );
+               $results = HOTP::generateByTimeWindow(
+                       Base32::decode( $secret ),
+                       $wgOATHAuthWindowSize, -$wgOAUTHAuthWindowRadius, 
$wgOAUTHAuthWindowRadius );
                // Check to see if the user's given token is in the list of 
tokens generated
                // for the time window.
                foreach ( $results as $result ) {
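Review bot: Nothing bounds the two settings before they reach `HOTP::generateByTimeWindow()`: a zero or negative window size, or a negative radius, is passed straight through, and how the HOTP helper handles that is not visible here. A large radius also silently widens the span in which an observed code is still accepted, so an upper bound or at least a logged warning would help administrators notice a risky value. Normalising first, e.g. `$size = max( 1, (int)$wgOATHAuthWindowSize );` and `$radius = max( 0, (int)$wgOAUTHAuthWindowRadius );`, and using those locals for both this call and the later `$wgMemc->set()` TTL would keep the accepted window and the replay-marker lifetime in step. verifyToken() starts and ends outside this hunk.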
@@ -176,7 +178,7 @@
                }
 
                if ( $retval ) {
-                       $wgMemc->set( $memcKey, true, 30 * 8 );
+                       $wgMemc->set( $memcKey, true, $wgOATHAuthWindowSize * 
(1 + 2 * $wgOAUTHAuthWindowRadius) );
                }
 
                return $retval;

-- 
To view, visit https://gerrit.wikimedia.org/r/132784
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7fe1bfdfa1e7bfc07646a9704084977e17c65313
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OATHAuth
Gerrit-Branch: master
Gerrit-Owner: Parent5446 <tylerro...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>
