Home

Awesome

otp-thing

One time password generator, validator, and qrcode generator that has no web dependencies (self-contained) in PHP

Introduction

This started out as a straight drop-in class which you can still download from here, however it has been developed into a full admin/usercp system using the gentelella theme converted to smarty 3.

Attribution to other Authors

All other 3rd party libraries (jquery, jquery extensions, etc) and languages (javascript/ecma, css, etc) are under their respective licenses having attribution included in the respective file(s), or in the directory containing the file(s). Absense of said license does not mean that no license applies, but it is assumed the strongest license in this project would then apply where no other license is available. If a license file/attribution was not included and you believe this to be an error, please submit it as a bug report or pull request with any license details that may have been omitted.

Installation

Download the application, and set the appropriate values in config.inc.php, then run /app/install . If everything passes, the database will be installed if it doesn't exist, and a new user admin with the the password admin will be created using ACL 9999 which should give plenty of access levels to play with for lower level users or admins.

Once installed, all users and administrators have access to add an authenticator to their account, and edit the following basic settings for their own account : Name, Password, Email

Requirements

This was tested and runs well on the following detailed lists of all modules and extensions loaded for Apache and PHP. Many of the modules or extensions come pre-loaded but since this varies between distributions, I have included a more comprehensive list which you can tweak.

Apache/2.4.10

Loaded Modules:

PHP 5.6.17

[PHP Modules]

[Zend Modules]

MariaDB 10.0.23

This should not matter too much which database platform you choose either MariaDB or MySQL, however you will need it compiled with mysqlnd (native driver) support as well as compiled into PHP.


Login

If an authenticator is not on the users account, the authenticator code field is disregarded. If any part of the credentials fail including if the authenticator code is invalid or not a valid scratch code, a generic message is displayed stating 'Invalid Credentials' so that no clue is given making it more difficult for an attacker to guess which part of the credential system was correct by messages such as 'Invalid Password'.

image

Dashboard

image

Settings

image

Authenticator

If no authenticator is on the users account

image

image

If an authenticator exists on the users account:

image

image

Accounts : Add

image

Accounts : Added

image

Accounts : List

image

Notifications

image

image

Generic Error Page handles

410 Gone instead of 404 for pages that do not have a valid modal. This script only checks for the physical existence of resource files (jpg, png, js, etc.) and denies any direct access to physical php/html/etc files. As you can see in the screenshot, if the physical resource file is missing, it will also trigger a 410 gone, showing the missing element and virtual path in the address bar. image

400 error message for resources that the user does not have permission to access. image