antonioribeiro / google2fa

A One Time Password Authentication package, compatible with Google Authenticator.
MIT License

verifyKey always fail - simple demo #171

Closed hycday closed 3 years ago

hycday commented 3 years ago

I am trying to implement a simple page to try this out. I am able to generate a QR code, and I get the secret code. I add the QR code to an app, and it works fine. Then when I try to test the OTP code in order to validate it, it always fails.

Below is the code I have.

index.php :


<?php
require_once __DIR__ . '/vendor/autoload.php'; 

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = new Google2FA();

$g2faUrl = $google2fa->getQRCodeUrl(
    'pragmarx',
    'google2fa@pragmarx.com',
    $google2fa->generateSecretKey()
);

$writer = new Writer(
    new ImageRenderer(
        new RendererStyle(400),
        new ImagickImageBackEnd()
    )
);

$qrcode_image = base64_encode($writer->writeString($g2faUrl));
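// Second generateSecretKey() call: this value differs from the secret encoded in the QR code above.
$secret = $google2fa->generateSecretKey();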

?>
<img src="data:image/png;base64, <?php echo $qrcode_image; ?> "/>
<br/>
<?php echo $secret; ?>

I scan the QR code with my app, then I save $secret, keep the page open and open a new tab and go to url verif.php?secret=$secret&code=XXXXXX with $secret being the $secret from output of index.php and XXXXXX being what the app gives me.

In verif.php I have the following :

<?php
require_once __DIR__ . '/vendor/autoload.php'; 

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = new Google2FA();

$secret = $_GET['secret'];
$check_this_code = $_GET['code'];

$valid = $google2fa->verifyKey($secret, $check_this_code);
if ($valid) {
    $msg = 'ok';
} else {
    $msg = 'not ok';
}
?>
<?php echo $msg; ?>

As there is no clear full code and always small parts of code, I find it difficult to implement. I am new to that but I am trying.

Thanks for your help.

hycday commented 3 years ago

My bad... I generate a second time "$secret = $google2fa->generateSecretKey();", which is therefore not the same secret as the QR code... hence it always fails...

Changed index.php to the following and it all works better of course.

index.php

<?php

require_once __DIR__ . '/vendor/autoload.php'; 

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = new Google2FA();
$secret = $google2fa->generateSecretKey(32);
$g2faUrl = $google2fa->getQRCodeUrl(
    'pragmarx',
    'google2fa@pragmarx.com',
    $secret
);

$writer = new Writer(
    new ImageRenderer(
        new RendererStyle(400),
        new ImagickImageBackEnd()
    )
);

$qrcode_image = base64_encode($writer->writeString($g2faUrl));

?>
<img src="data:image/png;base64, <?php echo $qrcode_image; ?> "/>
<br/> 
<?php echo $secret; ?>
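
The root cause found in this thread, shown at the algorithm level as an added example (not part of the original posts and not the google2fa source): a TOTP code is an HMAC of the time step under the secret, so a code produced from the QR-code secret only verifies against that same secret. The function names, the two sample secrets and the one-step verification window are assumptions made for the illustration.

```php
<?php
// Added example: RFC 6238 TOTP in plain PHP. Decode a base32 secret into raw key bytes.
function base32_to_bytes(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException("invalid base32 character: $ch");
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) { // leftover bits are padding
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}
// HOTP over the 30-second time counter, with dynamic truncation.
function totp(string $secretB32, int $time, int $digits = 6): string
{
    $counter = pack('J', intdiv($time, 30)); // 64-bit big-endian
    $hash = hash_hmac('sha1', $counter, base32_to_bytes($secretB32), true);
    $offset = ord($hash[19]) & 0x0F;
    $value = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($value % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// Accept the code for the current step or one step either side (assumed window).
function totp_verify(string $secretB32, string $code, int $time): bool
{
    foreach ([-30, 0, 30] as $skew) {
        if (hash_equals(totp($secretB32, $time + $skew), $code)) {
            return true;
        }
    }
    return false;
}

$qrSecret   = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'; // constructed: RFC 6238 test key
$pageSecret = 'JBSWY3DPEHPK3PXP';                 // constructed: a second, different key
$now     = time();
$appCode = totp($qrSecret, $now); // what an app enrolled via the QR code shows
var_dump(totp_verify($qrSecret, $appCode, $now));   // same secret as the QR code
var_dump(totp_verify($pageSecret, $appCode, $now)); // secret from a second generate call
```

Run it with the PHP CLI; the second check compares the app's code against codes derived from an unrelated key, which is the situation the first index.php created.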