alexandregz / twofactor_gauthenticator

This RoundCube plugin adds 2-step verification (OTP) to the login process
MIT License

Update PHPGangsta code snippet and de-Google #200

Closed RealSebFox closed 1 month ago

RealSebFox commented 1 month ago

Hello,

I just compared your code with the original code from @PHPGangsta and I noticed one particular difference. This is the currently used getQRCodeGoogleUrl function:

    public function getQRCodeGoogleUrl($name, $secret, $title = null)
    {
        // The whole otpauth URI (secret included) becomes a query parameter
        $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');
        if (isset($title)) {
            $urlencoded .= urlencode('&issuer='.$title);
        }
        return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl='.$urlencoded.'';
    }

...and this is the current version from PHPGangsta:

    public function getQRCodeGoogleUrl($name, $secret, $title = null, $params = array())
    {
        $width = !empty($params['width']) && (int) $params['width'] > 0 ? (int) $params['width'] : 200;
        $height = !empty($params['height']) && (int) $params['height'] > 0 ? (int) $params['height'] : 200;
        $level = !empty($params['level']) && array_search($params['level'], array('L', 'M', 'Q', 'H')) !== false ? $params['level'] : 'M';

        $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');
        if (isset($title)) {
            $urlencoded .= urlencode('&issuer='.urlencode($title));
        }

        return "https://api.qrserver.com/v1/create-qr-code/?data=$urlencoded&size=${width}x${height}&ecc=$level";
    }

I think the improved version from PHPGangsta is much better, also because it doesn't send my data to Google. Can you please update your code to reflect the changes PHPGangsta made?

Also, it's worth considering saying "TOTP Authenticator" instead of "Google Authenticator". That is more correct, because the functionality is unrelated to Google.

And last but not least: Can you please recommend a non-Google app for authentication in the front-end? Open Authenticator is my personal preference.

Thank you!

alexandregz commented 1 month ago

Thanks for the feedback.

Actually, PHPGangsta/GoogleAuthenticator.php is used only to create secrets, not to show the QR code. To show the QR code, qrcode.min.js, a JS file, is now used, so the logic is executed in your browser, not on Google's machines.

You can see commented code here:

https://github.com/alexandregz/twofactor_gauthenticator/blob/75c8754fc8a3b55fde13cde927d99f49c02e1514/twofactor_gauthenticator.php#L485

    // Commented. If you have problems with qr-code.js, you can uncomment and use this
    //

About the app: you can change README.md and send a merge request to promote Open Authenticator, for example 👍