marcins / cf-google-authenticator
ColdFusion implementation of Google Authenticator One Time Passwords
License: MIT License
G'day - I'm just checking as to how current the Google Authenticator is with regards to the latest version of Google OTP and/or ColdFusion.
Change line 84 from
public string function getOneTimeToken (required string Secret, required numeric counter)
to
public string function getOneTimeToken (required string base32Secret, required numeric counter)
Hi all,
I have installed the cf-google-authenticator on our win2k12 x64 cf9 server.
I received the following error message after clicking "Generate" on sample/sample_generate.cfm:
Invalid CFML construct found on line 126 at column 80.
ColdFusion was looking at the following text:
[
The CFML compiler was processing:
A script statement beginning with public on line 126, column 5.
The error occurred in D:\PATH\authenticator\authenticator\GoogleAuthenticator.cfc: line 126
125 :
126 : public string function generateKey (required string password, array salt = [])
127 : {
128 : if (arrayLen(salt) == 0)
Resources:
Check the ColdFusion documentation to verify that you are using the correct syntax.
Search the Knowledge Base to find a solution to your problem.
Browser Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
Remote Address 1.2.3.4
Referrer http://URL.org/authenticator/sample/sample_generate.cfm
Date/Time 31-Jul-16 03:47 PM
Stack Trace
at cfsample_generate2ecfm178615731.runPage(D:\PATH\authenticator\sample\sample_generate.cfm:26)
coldfusion.compiler.ParseException: Invalid CFML construct found on line 126 at column 80.
I changed the following in authenticator\GoogleAuthenticator.cfc:
124 : force_empty_salt = [];
125 :
126 : public string function generateKey (required string password, array salt = force_empty_salt)
And voilà, I received the QR code.
Because of the crack of SHA1, NIST is now preventing its use on federal websites. I took a quick run at it but was unable to get it to work correctly. Maybe someone can figure out how to get this to work with SHA256 or SHA512?
When testing this code on ColdFusion 2023, I received this error:
The error occurred in E:/Websites/AdminCopy23/Lib/cfc/Admin/Manage/authenticator/GoogleAuthenticator.cfc: line 140
138 : var keySpec = createObject("java", "javax.crypto.spec.PBEKeySpec").init(arguments.password.toCharArray(), salt, 128, 80);
139 : var secretKey = keyFactory.generateSecret(keySpec);
140 : return Base32encode(secretKey.getEncoded());
141 : }
142 :
From what I've read here:
This could be caused by the introduction of "Java Platform Module System that was introduced in Java 9, particularly its implementation of strong encapsulation. It only allows access under certain conditions, the most prominent ones are:
the type has to be public
the owning package has to be exported"
I'm puzzled in that this cfc works in CF 2018 which uses Java 10.
I've been using this component for over a year without any issue until today. Today I ran into an issue where the server was out-of-sync with the UTC clock by 10 seconds -- 10 seconds behind. This created an issue of failures because the token provided by the user was the next token as far as the component was concerned. I corrected this by adjusting the verifyGoogleToken function:
    /**
     * Verifies the submitted value from the user against the user secret, with optional grace for the last few
     * token values
     *
     * @param base32secret the Base32 encoded shared secret key
     * @param userValue the value that the user submitted
     * @param grace the amount of previous tokens to allow (1 means allow the current, next, and last token value)
     * @return a boolean whether the token was valid or not
     */
    public boolean function verifyGoogleToken (required string base32Secret, required string userValue, numeric grace = 0)
    {
        var result = false;
        for (var i = 0; i <= grace; i++)
        {
            result = result
                or (getGoogleToken(base32Secret, -i) == userValue)
                or (getGoogleToken(base32Secret, -i-120) == userValue) // DST switch-over adjustment - an hour ago
                or (getGoogleToken(base32Secret, -i+120) == userValue); // DST switch-over adjustment - an hour from now
        }
        if(!result)
        {
            // check for next token in case of clocks not being synchronized to the exact UTC millisecond - only kicks in if grace>0
            for (var i = 1; i <= grace; i++)
            {
                result = result
                    or (getGoogleToken(base32Secret, i) == userValue)
                    or (getGoogleToken(base32Secret, i-120) == userValue) // DST switch-over adjustment - an hour ago
                    or (getGoogleToken(base32Secret, i+120) == userValue); // DST switch-over adjustment - an hour from now
            }
        }
        return result;
    }
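Added example, not part of the thread or of the project's ColdFusion code: a Python implementation of RFC 6238 TOTP that covers both the SHA256/SHA512 question and the clock-drift report above. It takes the HMAC algorithm as a parameter and accepts codes within a small symmetric window of time steps, using a constant-time comparison and a replay guard. The names `hotp`, `verify_totp`, `skew` and `last_used` are assumptions made for this example, and the authenticator app has to be provisioned with the same algorithm and digit count.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step (RFC 6238 default)
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 truncation over HMAC-<algo>; counter is an 8-byte big-endian integer."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGOS[algo]).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte, whatever the digest length
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(b32_secret, user_value, now=None, skew=1, last_used=None,
                digits=6, algo="sha1"):
    """Return the matched time-step counter, or None if the code is rejected.

    skew      -- steps accepted on each side of the server's current step
    last_used -- highest counter already accepted for this user (replay guard)
    """
    secret = b32_secret.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    # The counter comes from Unix epoch seconds (UTC), so only clock drift matters.
    current = int(time.time() if now is None else now) // STEP
    matched = None
    for counter in range(max(0, current - skew), current + skew + 1):
        expected = hotp(key, counter, digits, algo).encode()
        # Constant-time comparison; every candidate is checked, no early exit.
        if hmac.compare_digest(expected, user_value.encode()):
            if last_used is None or counter > last_used:
                matched = counter
    return matched


if __name__ == "__main__":
    # Constructed sample: RFC 6238 test key, server clock 10 s behind the phone.
    secret = base64.b32encode(b"12345678901234567890").decode()
    phone_code = hotp(b"12345678901234567890", 65 // STEP)
    print(verify_totp(secret, phone_code, now=55, skew=0))  # server step only
    print(verify_totp(secret, phone_code, now=55, skew=1))  # one step either side
```

Store the returned counter per user and pass it back as `last_used` on the next login so that a code accepted once cannot be replayed inside the window.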