Tuskfish API

Class TfishYubikeyAuthenticator

Two-factor authentication class.

Handles two-factor authentication via a Yubikey hardware token, available from yubico.com. Setup requires obtaining a Client ID and secret key from Yubico; please refer to the manual for instructions on how to set it up.

Note that the Yubikey authentication methods within this class are Copyright Tom Corwine and distributed under the GPL (V2). Please see the separate copyright block within the class file.

Do not attempt to use this file without reading the manual.

Package: security
Copyright: Simon Wilkinson 2013-2017 (https://tuskfish.biz)
License: GNU General Public License (GPL) V2
Author: Simon Wilkinson simon@isengard.biz
Version: Release: 1.0
Since: 1.0
Located at trust_path/libraries/tuskfish/class/TfishYubikeyAuthenticator.php

Methods summary

public
# __construct( )

Initialise default property values and unset unneeded ones.

public integer
# getTimestampTolerance( )

Returns the timestamp tolerance (seconds).

Timestamp tolerance is how long an authentication request will be accepted after it is generated. You need to allow some time for discrepancies between clocks and user delays. Default: 10 minutes.

Returns

integer
Timestamp tolerance (seconds).

public boolean
# setTimestampTolerance( integer $int )

Set the timestamp tolerance.

Parameters

$int
Timestamp tolerance (seconds).

Returns

boolean
True on success, false on failure.

public integer
# getCurlTimeout( )

Get the timeout for cURL requests, in seconds.

Returns

integer
cURL timeout (seconds).

public boolean
# setCurlTimeout( integer $int )

Set the cURL timeout.

Parameters

$int
cURL timeout (seconds).

Returns

boolean
True on success, false on failure.

public string
# getLastResponse( )

Returns response message from last verification attempt.

Returns

string
Last response message.

public boolean
# verify( string $otp )

Authenticate using a Yubikey one-time password.

Parameters

$otp
One-time password generated by the Yubikey hardware token.

Returns

boolean
True for successful authentication, false on failure.

protected string
# createSignedRequest( string $urlParams )

Create URL with embedded and signed authentication request for Yubico authentication server.

Parameters

$urlParams
URL parameters.

Returns

string
URL to Yubico authentication server with query string parameters attached.

protected string
# curlRequest( string $url )

Make cURL request.

Parameters

$url
Target URL.

Returns

string
Error message.

protected boolean
# otpIsProperLength( string $otp )

Check that the Yubikey one-time password is the expected length.

Parameters

$otp
Yubikey one-time password.

Returns

boolean
True if length is ok, otherwise false.

protected boolean
# otpIsModhex( string $otp )

Check that the Yubikey one-time password is modhex encoded.

Parameters

$otp
Yubikey one-time password.

Returns

boolean
True if modhex encoded, otherwise false.

protected boolean
# resultTimestampIsGood( string $timestamp )

Check timestamp is within tolerance.

Parameters

$timestamp
Timestamp to check.

Returns

boolean
True if timestamp is within tolerance, otherwise false.

protected boolean
# resultSignatureIsGood( string $signedMessage, string $signature )

Validate result signature.

Parameters

$signedMessage
Signed message.
$signature
Signature.

Returns

boolean
True if signature is good, otherwise false.
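
The checks named in the method summary above (OTP length and modhex encoding, result signature, timestamp tolerance) are sketched below as an added example; it is not code from the Tuskfish class or from Tom Corwine's library. It assumes the response format of Yubico's validation protocol (Base64 HMAC-SHA1 signature in `h`, UTC timestamp in `t`, echoed `otp` and `nonce`); all function names, the key and the sample values are hypothetical or constructed.

```php
<?php
declare(strict_types=1);
// Added illustration: names and sample values are hypothetical, not Tuskfish code.

// Yubico OTPs are 32-48 characters from the 16-character modhex alphabet.
function otpLooksValid(string $otp): bool
{
    return preg_match('/\A[cbdefghijklnrtuv]{32,48}\z/', $otp) === 1;
}

// base64(HMAC-SHA1) over "name=value" pairs sorted by name, "h" excluded.
function signParams(array $params, string $apiKeyBase64): string
{
    $key = base64_decode($apiKeyBase64, true);
    if ($key === false) {
        throw new InvalidArgumentException('API key is not valid base64');
    }
    unset($params['h']);
    ksort($params);
    $pairs = array_map(fn($n, $v) => "$n=$v", array_keys($params), $params);
    return base64_encode(hash_hmac('sha1', implode('&', $pairs), $key, true));
}

// $resp holds the parsed key=value lines of the server reply (all strings).
function responseIsTrustworthy(array $resp, string $otp, string $nonce,
    string $apiKeyBase64, int $tolerance, int $now): bool
{
    if (!isset($resp['h'], $resp['t'], $resp['status'], $resp['otp'], $resp['nonce'])) {
        return false;
    }
    // Constant-time comparison avoids leaking how many bytes matched.
    if (!hash_equals(signParams($resp, $apiKeyBase64), $resp['h'])) {
        return false;
    }
    // The reply must answer this request, not an earlier captured one.
    if ($resp['otp'] !== $otp || $resp['nonce'] !== $nonce) {
        return false;
    }
    // "t" is a UTC timestamp followed by a millisecond suffix.
    $issued = strtotime(substr($resp['t'], 0, 20));
    return $issued !== false && abs($now - $issued) <= $tolerance && $resp['status'] === 'OK';
}

// Constructed sample data (no real credentials or OTP); 600 s is the default tolerance.
$key = base64_encode('constructed-demo-key');
$otp = str_repeat('c', 44);
$resp = ['status' => 'OK', 'otp' => $otp, 'nonce' => 'constructednonce', 't' => '2017-01-01T00:00:00Z0123'];
$resp['h'] = signParams($resp, $key);
var_dump(otpLooksValid($otp), responseIsTrustworthy($resp, $otp, 'constructednonce', $key, 600, strtotime('2017-01-01T00:05:00Z')));
```

The status field is checked only after the signature, so an unsigned or altered `status=OK` is never trusted.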