Changeset 1325628

Timestamp:

01/11/2016 07:29:35 AM (10 years ago)

Author:

2fa

Message:

Plugin update

Location:

cryptophoto-two-and-multi-factor-authentication/trunk

Files:

• Readme.txt (modified) (4 diffs)
• cryptophoto.php (modified) (30 diffs)
• images/icon-grey.png (modified) (previous)
• images/icon.png (modified) (previous)
• include/CryptoPhotoUsersListTable.php (modified) (2 diffs)
• include/CryptoPhotoUtils.php (modified) (13 diffs)
• screenshot-1.png (modified) (previous)
• screenshot-2.png (modified) (previous)
• screenshot-3.png (modified) (previous)
• screenshot-4.png (added)

cryptophoto-two-and-multi-factor-authentication/trunk/Readme.txt

@@ -4 +4 @@
 Tags: crypto, photo, 2-factor, multi-factor, authentication, token, password, security, login, phishing, keylogger, secure
 Requires at least: 3.5
-Tested up to: 3.6.1
+Tested up to: 4.3
 Stable tag: 1.0
 License: GPLv2 or later
@@ -43 +43 @@
 MANUAL INSTALLATION
 
-1. Download and extract the "cryptophoto-1.20131017.wordpress.zip" archive
+1. Download and extract the "cryptophoto-1.20150909.wordpress.zip" archive
 2. Upload* the extracted "cryptophoto.zip" file using the regular "Add New" and "Upload" options of your "Plugins" menu
 
@@ -90 +90 @@
 == Changelog ==
 
+= 1.20150909 =
+* UI Changes
+* CryptoPhoto lib update
+
 = 1.20131021 =
 * Prevented possible conflicts with other plugins or themes
@@ -103 +107 @@
 == Upgrade Notice ==
 
+= 1.20150909 =
+UI Changes. CryptoPhoto lib update
+
 = 1.20131021 =
 Randomized the Cryptophoto menu position

cryptophoto-two-and-multi-factor-authentication/trunk/cryptophoto.php

@@ -5 +5 @@
 Plugin URI: https://github.com/cryptophoto/cryptophoto_wordpress
 Description: This plugin enables CryptoPhoto authentication for WordPress logins.
-Version: 1.20131021
+Version: 1.20150909
 Author: CryptoPhoto
 Author URI: http://cryptophoto.com
@@ -35 +35 @@
     $exptime = time() + 1800; // let the duo login form expire within 1 hour
     if(isset($err) && $err) {
-      $err = '<div id="login_error">'.$err.'</div>';
+      $err = '<div id="login_error" style="width:320px;">'.$err.'</div>';
     } else {
       $err = "";
     }       
-?>
-  <html>
-      <head>
-          <?php
-              global $wp_version;
-              // select the CSS based on the current WP version 
-              if(version_compare($wp_version, "3.3", "<=")){
-          ?>
-                  <link rel="stylesheet" type="text/css" href="<?php echo admin_url('css/login.css'); ?>" />
-          <?php
-              }
-              else{
-          ?>
-                  <link rel="stylesheet" type="text/css" href="<?php echo admin_url('css/wp-admin.css'); ?>" />
-                  <link rel="stylesheet" type="text/css" href="<?php echo admin_url('css/colors-fresh.css'); ?>" />
-          <?php
-              }
-          ?>
-
-          <style>
-              body {
-                  background:#F9F9F9;
-              }
-              div {
-                  background: transparent;
-              }
-          </style>
-      </head>
-            
-<body class="login">
-<div id="login">
-<h1><a href="http://wordpress.org/" title="Powered by WordPress"><?php echo get_bloginfo('name'); ?></a></h1>
+?><!DOCTYPE html>
+  <!--[if IE 8]>
+    <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" <?php language_attributes(); ?>>
+  <![endif]-->
+  <!--[if !(IE 8) ]><!-->
+    <html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
+  <!--<![endif]-->
+  <head>
+  <meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
+  <title><?php bloginfo('name'); ?> &rsaquo; <?php echo $title; ?></title>
+  <?php
+
+  wp_admin_css( 'login', true );
+
+  do_action( 'login_enqueue_scripts' );
+  do_action( 'login_head' );
+
+  if ( is_multisite() ) {
+    $login_header_url   = network_home_url();
+    $login_header_title = get_current_site()->site_name;
+  } else {
+    $login_header_url   = __( 'https://wordpress.org/' );
+    $login_header_title = __( 'Powered by WordPress' );
+  }
+
+  $login_header_url = apply_filters( 'login_headerurl', $login_header_url );
+  $login_header_title = apply_filters( 'login_headertitle', $login_header_title );
+
+  $classes = array( 'login-action-' . $action, 'wp-core-ui' );
+  if ( wp_is_mobile() )
+    $classes[] = 'mobile';
+  if ( is_rtl() )
+    $classes[] = 'rtl';
+  if ( $interim_login ) {
+    $classes[] = 'interim-login';
+    ?>
+    <style type="text/css">html{background-color: transparent;}</style>
+    <?php
+
+    if ( 'success' ===  $interim_login )
+      $classes[] = 'interim-login-success';
+  }
+  $classes[] =' locale-' . sanitize_html_class( strtolower( str_replace( '_', '-', get_locale() ) ) );
+  $classes = apply_filters( 'login_body_class', $classes, $action );
+  ?>
+  </head>
+
+<body class="login <?php echo esc_attr( implode( ' ', $classes ) ); ?>">
+  <div id="login">
+    <h1><a href="<?php echo esc_url( $login_header_url ); ?>" title="<?php echo esc_attr( $login_header_title ); ?>" tabindex="-1"><?php bloginfo( 'name' ); ?></a></h1>
+              
 <?php echo $err; 
 
@@ -77 +96 @@
 <form method="post" style='width:300px'>
   <?php echo $widget; ?>
-  <p class="submit">
-    <input type="submit" name="cp_auth" id="cp_auth" class="button-primary" value="Authenticate" tabindex="100" />
+  <p class="submit" style="text-align:center">
+    <input type="submit" name="cp_auth" id="cp_auth" class="button-primary" value="Authenticate" tabindex="100" style="float:none" />
     <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect); ?>" />
     <input type="hidden" name="u" value="<?php echo esc_attr($username); ?>" />
@@ -85 +104 @@
   </p>
 </form>
-</div>
-</body>
-</html>
+<?php if ( ! $interim_login ): ?>
+  <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '&larr; Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p>
+<?php endif; ?>
+
+  </div>
+<?php do_action( 'login_footer' ); ?>
+  <div class="clear"></div>
+  </body>
+  </html>
 <?php
   }//"
@@ -120 +145 @@
     $privatekey = get_option("cryptophoto_privatekey", "");
     $salt = get_option("cryptophoto_salt", "");
+    $server = get_option("cryptophoto_server", "");
 
     // CryptoPhoto isn't set up for this certain site
@@ -128 +154 @@
     // check for non-empty CryptoPhoto authentication fields
     if (isset($_POST['cp_auth']) || isset($_POST["cp_phc"])) {
-      error_log('isset($_POST["cp_auth"])');
 
       // forcefully log the current user out
@@ -145 +170 @@
           $user = get_user_by('login', $username);
           // new CryptoPhoto class instance
-          $cp = new CryptoPhotoUtils($privatekey, $publickey, md5($salt . $user->ID));
+          $cp = new CryptoPhotoUtils($server, $privatekey, $publickey, md5($salt . $user->ID));
 
           // check for posted token
@@ -153 +178 @@
           else {
             if((isset($_POST["token_response_field_col"]) || isset($_POST["token_response_field_row"])) && (isset($_POST["cp_phc"])) ) {
-              $err = "Invalid authentication";
+              $err = "Missing required codes. Invalid authentication";
             }
           }
@@ -182 +207 @@
               if($cperror == "incorrect-retry-count") {
                 $err = "";
-              }
-
-              if($cperror == "incorrect-verify-call") {
+              } else {
                 $err = "Codes don't match";//'
-              }
+              }              
             }
           }
@@ -224 +247 @@
       // get the CryptoPhoto status of a user, by ID
       $isactive = get_user_option("cryptophoto_enabled", $user->ID);
-      error_log("isactive=$isactive",0);
       
       // check the user's CryptoPhoto status
@@ -235 +257 @@
       if ($cryptophoto_auth == true) {
         // start new CryptoPhoto session
-        $cp = new CryptoPhotoUtils($privatekey, $publickey, md5($salt . $user->ID));
+        $cp = new CryptoPhotoUtils($server, $privatekey, $publickey, md5($salt . $user->ID));
         $cp->start_session($_SERVER['REMOTE_ADDR']);
         $cryptophoto_auth = $cp->has_token == 'true' ? true : false;
-        error_log("has_token=".$cp->has_token, 0);
       }
       
@@ -287 +308 @@
     // render the CryptoPhoto settings page
     else {
+
+      $ip = file_get_contents('http://cryptophoto.com/show_my_ip');
+
 ?>
-
 
       <form action="options.php" method="post">
         <?php settings_fields('cryptophoto_settings'); ?>
         <?php do_settings_sections('cryptophoto_settings'); ?> 
-        <p class="submit">
-          <input name="Submit" type="submit" value="<?php esc_attr_e("Save Changes"); ?>" />         
-          <input style="margin:25px 135px;" name="Test" type="button" onclick="return testConfig()" value="<?php esc_attr_e("Test Configuration"); ?>" />
+        <div style="margin:0 10px;" style="font-size:12px; font-weight:bold;">
+            <div id='testconfig'> </div>
+        </div>
+        <p class="submit" style="margin-top:0">
+          <input style="margin:15px 10px 0 10px;" name="Submit" type="submit" value="<?php esc_attr_e("Save Settings"); ?>" />
+          <input style="margin:15px 10px 0 10px;" name="Wizard" type="button" onclick="return CPPluginWizard.start_wizard()" value="<?php esc_attr_e("Wizard"); ?>" />
+          <input style="margin:15px 10px 0 10px;" name="Test" type="button" onclick="return testConfig()" value="<?php esc_attr_e("Test Configuration"); ?>" />
+          <span id="cpspinner" class="spinner" style="float:none;margin-bottom:10px;"></span> 
         </p>
       </form>
 
-
-      <div style="margin:0px 235px; font-size:12px; font-weight:bold;">
-        <div id='testconfig'> </div>
-      </div>
-
+      
+      <p class='description' id='tagline-description'><strong>Note:</strong> Save your changes then click on "Test Configuration" in order to do a test CryptoPhoto API call.</p>
 
 <script type="text/javascript">
+
+if (typeof CPPluginWizard !== 'object') CPPluginWizard = {};
+
+CPPluginWizard.serverip = "<?php echo $ip ?>";
+CPPluginWizard.callback = function(keys) {
+
+  if(keys.PRIVATE_KEY && keys.PUBLIC_KEY) {
+    document.getElementById("cryptophoto_publickey").value = keys.PUBLIC_KEY;
+    document.getElementById("cryptophoto_privatekey").value = keys.PRIVATE_KEY;
+    if (!!!document.getElementById("cryptophoto_salt").value) {
+      document.getElementById("cryptophoto_salt").value = guid();
+    }
+    testConfig();
+  }
+
+};
 
 //Browser Support Code
 function testConfig() {
+
+  document.getElementById("cpspinner").className = "spinner is-active";
+
   var ajaxRequest;  // The variable that makes Ajax possible!
 
@@ -333 +377 @@
     if(ajaxRequest.readyState == 4 && ajaxRequest.status == 200) {
       
+      document.getElementById("cpspinner").className = "spinner";
+
       if(ajaxRequest.responseText.indexOf('success') > -1) {
-        document.getElementById("testconfig").innerHTML="Cryptophoto plugin is configured properly.";
+        document.getElementById("testconfig").innerHTML="CryptoPhoto plugin is configured properly. You can save your settings now.";
         document.getElementById("testconfig").setAttribute("style","color:green"); 
       }
@@ -369 +415 @@
     }
   }
- 
   var data = "action=cryptophoto_test&test=true";
+
+  data += "&cryptophoto_publickey=" + encodeURIComponent(document.getElementById("cryptophoto_publickey").value);
+  data += "&cryptophoto_privatekey=" + encodeURIComponent(document.getElementById("cryptophoto_privatekey").value);
+  data += "&cryptophoto_salt=" + encodeURIComponent(document.getElementById("cryptophoto_salt").value);
+  data += "&cryptophoto_server=" + encodeURIComponent(document.getElementById("cryptophoto_server").value);
+  
   ajaxRequest.open("POST", ajaxurl, true);
   ajaxRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
@@ -378 +429 @@
 }
 
+function guid() {
+  var chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.split(''); 
+  var uuid = new Array(36), rnd=0, r;
+  for (var i = 0; i < 36; i++) {
+    if (i==8 || i==13 ||  i==18 || i==23) {
+      uuid[i] = '';
+    } else if (i==14) {
+      uuid[i] = '4';
+    } else {
+      if (rnd <= 0x02) rnd = 0x2000000 + (Math.random()*0x1000000)|0;
+      r = rnd & 0xf;
+      rnd = rnd >> 4;
+      uuid[i] = chars[(i == 19) ? (r & 0x3) | 0x8 : r];
+    }
+  }
+  return uuid.join('');
+}
+
+function add_script (a) {
+  var b = document.createElement("script");
+  b.type = "text/javascript";
+  b.src = a;
+  document.body.appendChild(b);
+}
+
+var server = document.getElementById("cryptophoto_server").value;
+if(server.indexOf("http") > -1) {
+  add_script(server+"/api/plugin/config.js");
+}
+
 </script>
 
@@ -394 +475 @@
     if(isset($_POST['test'])) {
      
-      $publickey = esc_attr(get_option('cryptophoto_publickey'));
-      $privatekey = esc_attr(get_option('cryptophoto_privatekey'));
-      $salt = esc_attr(get_option('cryptophoto_salt'));
+      $publickey = $_POST['cryptophoto_publickey'];
+      $privatekey = $_POST['cryptophoto_privatekey'];
+      $salt = $_POST['cryptophoto_salt'];
+      $server = $_POST['cryptophoto_server'];
      
       // check that all parameters are set
       if($publickey != "" && isset($publickey) && $privatekey != "" && isset($privatekey) && $salt != "" && isset($salt)) {
 
-
         // new CP instance
-        $cp = new CryptoPhotoUtils($privatekey, $publickey, md5($salt . $userid));
+        $cp = new CryptoPhotoUtils($server, $privatekey, $publickey, md5($salt . $userid));
         $session = $cp->start_session($_SERVER['REMOTE_ADDR']);
 
         // new session started successfully
         if($session[0] == TRUE) {
+          update_option('cryptophoto_publickey', $publickey);
+          update_option('cryptophoto_privatekey', $privatekey);
+          update_option('cryptophoto_salt', $salt);
+          $server = $server ? $server : "https://cryptophoto.com";
+          update_option('cryptophoto_server', $server);
           $result = "success";
         } 
@@ -445 +531 @@
       $publickey = esc_attr(get_option('cryptophoto_publickey'));
       echo "<input id='cryptophoto_publickey' name='cryptophoto_publickey' size='40' type='text' value='$publickey' />";
+      echo "<p class='description' id='tagline-description'>You CryptoPhoto API Public Key.</p>";
   }
 
@@ -452 +539 @@
       $privatekey = esc_attr(get_option('cryptophoto_privatekey'));
       echo "<input id='cryptophoto_privatekey' name='cryptophoto_privatekey' size='40' type='text' value='$privatekey' />";
+      echo "<p class='description' id='tagline-description'>You CryptoPhoto API Private Key.</p>";
   }
 
@@ -459 +547 @@
       $salt = esc_attr(get_option('cryptophoto_salt'));
       echo "<input id='cryptophoto_salt' name='cryptophoto_salt' size='40' type='text' value='$salt' />";
+      echo "<p class='description' id='tagline-description'>The \"Salt\" is used to create unique user IDs. It is recomended to use a random string and once set, not to change it, otherwise the CryptoPhoto settings of each of your users will be reset.</p>";
+  }
+
+  // the salt text input
+  function cryptophoto_settings_server() {
+      $server = esc_attr(get_option('cryptophoto_server'));
+      $server = $server ? $server : "https://cryptophoto.com";
+      echo "<input id='cryptophoto_server' name='cryptophoto_server' size='40' type='text' value='$server' />";
+      echo "<p class='description' id='tagline-description'>Set a server url if you're using a CryptoPhoto appliance, otherwise leave this field as is.</p>";
   }
 
@@ -536 +633 @@
   }
 
+  // validate salt
+  function cryptophoto_server_validate($server) {
+      if (strlen($server) == 0 || !preg_match('|^http(s)?://[a-z0-9-]+(.[a-z0-9-]+)*(:[0-9]+)?(/.*)?$|i', $server)) {
+          add_settings_error('cryptophoto_server', '', 'Server is not valid');
+          return "";
+      } 
+      else {
+          return $server;
+      }
+  }
+
 
   // register fields to pages, settings and callbacks
   function cryptophoto_admin_init() {
       add_settings_section('cryptophoto_settings', 'Plugin Settings', 'cryptophoto_settings_text', 'cryptophoto_settings');
-      add_settings_field('cryptophoto_publickey', 'Public Key', 'cryptophoto_settings_publickey', 'cryptophoto_settings', 'cryptophoto_settings');
-      add_settings_field('cryptophoto_privatekey', 'Private Key', 'cryptophoto_settings_privatekey', 'cryptophoto_settings', 'cryptophoto_settings');
+      add_settings_field('cryptophoto_publickey', 'Public Key:', 'cryptophoto_settings_publickey', 'cryptophoto_settings', 'cryptophoto_settings');
+      add_settings_field('cryptophoto_privatekey', 'Private Key:', 'cryptophoto_settings_privatekey', 'cryptophoto_settings', 'cryptophoto_settings');
       add_settings_field('cryptophoto_salt', 'Salt:', 'cryptophoto_settings_salt', 'cryptophoto_settings', 'cryptophoto_settings');
+      add_settings_field('cryptophoto_server', 'Server:', 'cryptophoto_settings_server', 'cryptophoto_settings', 'cryptophoto_settings');
       add_settings_field('cryptophoto_roles', 'Enable for roles:', 'cryptophoto_settings_roles', 'cryptophoto_settings', 'cryptophoto_settings');
       register_setting('cryptophoto_settings', 'cryptophoto_publickey', 'cryptophoto_publickey_validate');
       register_setting('cryptophoto_settings', 'cryptophoto_privatekey', 'cryptophoto_privatekey_validate');
       register_setting('cryptophoto_settings', 'cryptophoto_salt', 'cryptophoto_salt_validate');
+      register_setting('cryptophoto_settings', 'cryptophoto_server', 'cryptophoto_server_validate');
       register_setting('cryptophoto_settings', 'cryptophoto_roles', 'cryptophoto_roles_validate');
   }
@@ -589 +699 @@
     if (!$this_plugin) $this_plugin = plugin_basename(__FILE__);
     if ($file == $this_plugin) {
-      $settings_link = '<a href="options-general.php?page=cryptophoto_wordpress">'.__("Settings", "cryptophoto_wordpress").'</a>';
+      $settings_link = '<a href="'.get_admin_url(null, 'options-general.php?page=cryptophoto_wordpress').'">'.__("Settings", "cryptophoto_wordpress").'</a>';
       array_unshift($links, $settings_link);
     }
@@ -601 +711 @@
     global $usersListTable;
 
-    if(isset($_POST['s'])) {
+    if(isset($_POST['s']) && $_POST['s'] != "") {
       $filter = 'WHERE user_nicename LIKE "%' . $_POST['s'] . '%" OR user_login LIKE "%' . $_POST['s'] . '%" OR user_email LIKE "%' . $_POST['s'] . '%"';
     }
@@ -651 +761 @@
 
     // a valid action was posted
-    if(isset($_POST['action']) && $_POST['action'] != -1) {
-      if($_POST['action'] == 'disable' || $_POST['action'] == 'enable') {
+    if((isset($_POST['action']) && $_POST['action'] != -1) || (isset($_POST['action2']) && $_POST['action2'] != -1)) {
+      if($_POST['action'] == 'disable' || $_POST['action'] == 'enable' || $_POST['action2'] == 'disable' || $_POST['action2'] == 'enable') {
         // there were selected users
         if(isset($_POST['user'])) {
@@ -662 +772 @@
             $cp_status = get_user_option("cryptophoto_enabled", intval($multiusers[$i]));
 
-            if($_POST['action'] == 'disable') {
+            if($_POST['action'] == 'disable' || $_POST['action2'] == 'disable') {
               if($cp_status == 1) {
                 update_user_option ( intval($multiusers[$i]), "cryptophoto_enabled", 0);
@@ -668 +778 @@
             }
 
-            if($_POST['action'] == 'enable') {
+            if($_POST['action'] == 'enable' || $_POST['action2'] == 'enable') {
               if($cp_status == 0) {
                 update_user_option ( intval($multiusers[$i]), "cryptophoto_enabled", 1);
@@ -726 +836 @@
       $usersListTable->res[$key]['cryptophoto'] = '<a align="left" href="#" title="' . $title . '" ' .  
                                                   'onclick="return switchStatus(this, ' . $row['id'] . ')">' .
-                                                  '<img src="' . $image . '">'.
+                                                  '<img style="position:relative;top:5px;" src="' . $image . '">'.
                                                   '</a>';
     }
@@ -855 +965 @@
     if (!$this_plugin) $this_plugin = plugin_basename(__FILE__);
     if ($file == $this_plugin) {
-      $users_link = '<a href="options-general.php?page=cryptophoto_wordpress&tab=users">'.__("Users", "cryptophotousers_wordpress").'</a>';
+      $users_link = '<a href="'.get_admin_url(null, 'options-general.php?page=cryptophoto_wordpress&tab=users').'">'.__("Users", "cryptophotousers_wordpress").'</a>';
       array_unshift($links, $users_link);
     }
@@ -868 +978 @@
     $privatekey = get_option('cryptophoto_privatekey');
     $publickey   = get_option('cryptophoto_publickey');
-    $salt = get_option('cryptophoto_salt');       
+    $salt = get_option('cryptophoto_salt'); 
+    $server = get_option('cryptophoto_server');       
 
     // check for valid CryptoPhoto configuration
@@ -874 +985 @@
      echo '<p class="submit"> The plugin is not properly configured. ';
      if (current_user_can( "administrator" )) {
-       echo 'You can configure it <a href="http://wplocal.com/wp-admin/options-general.php?page=cryptophoto_wordpress">here</a>.';
+       echo 'You can configure it <a href="'.get_admin_url(null, 'options-general.php?page=cryptophoto_wordpress').'">here</a>.';
      } else {
        echo 'Contact your administrator.';
@@ -905 +1016 @@
 <?php 
      //"
-     $cp = new CryptoPhotoUtils($privatekey,  $publickey, md5($salt . $userid));
+     $cp = new CryptoPhotoUtils($server, $privatekey,  $publickey, md5($salt . $userid));
      $rv = $cp->start_session($_SERVER['REMOTE_ADDR']);
      

cryptophoto-two-and-multi-factor-authentication/trunk/include/CryptoPhotoUsersListTable.php

@@ -150 +150 @@
     $filter = "";
     if ($this->filter) {
-      $filter = $this->filter;
+      $filter = " " . $this->filter;
     }
 
     $current_page = $this->get_pagenum();
 
-    $this->res = $wpdb->get_results("SELECT id, user_nicename, user_login, user_email, user_status FROM wp_users " . $filter . 
-                 " LIMIT " . ( ( $current_page-1 ) * $per_page ) . "," . $per_page, ARRAY_A);
+    $sql_query = "SELECT id, user_nicename, user_login, user_email, user_status FROM ".$wpdb->users. $filter . 
+                 " LIMIT " . ( ( $current_page-1 ) * $per_page ) . "," . $per_page;
+
+    $this->res = $wpdb->get_results($sql_query, ARRAY_A);
     usort( $this->res, array( &$this, 'usort_reorder' ) );
 
@@ -164 +166 @@
     $this->_column_headers = array( $columns, $hidden, $sortable );
 
-    $total_items = $wpdb->get_results("SELECT COUNT(id) FROM wp_users " . $filter, ARRAY_N);
+    $total_items = $wpdb->get_results("SELECT COUNT(id) FROM ".$wpdb->users. $filter, ARRAY_N);
     $total_items = $total_items[0][0];
 

cryptophoto-two-and-multi-factor-authentication/trunk/include/CryptoPhotoUtils.php

@@ -10 +10 @@
  *        http://cryptophoto.com/register/
  *
- * VERSION: 1.20131017
- * COPYRIGHT(c) 2013 CryptoPhoto -- http://cryptophoto.com/
+ * VERSION: 1.20150825
+ * COPYRIGHT(c) 2015 CryptoPhoto -- http://cryptophoto.com/
  * AUTHOR: CryptoPhoto
  *
@@ -35 +35 @@
 
 
-//server URLs
-define("CRYPTO_SERVER", "cryptophoto.com/api/");
-define("SERVER_ERROR", "error-cryptophoto-not-reachable");
+//server
+define("SERVER_ERROR", "error-server-not-reachable");
 define("REQUEST_ERROR", "error-bad-request");
 define("PORT", 80);
@@ -45 +44 @@
 
   //userdata
+  var $server;
   var $privatekey;
   var $publickey;
@@ -56 +56 @@
 
   //constructor
-  function CryptoPhotoUtils($privatekey, $publickey, $uid) {
+  function CryptoPhotoUtils($server, $privatekey="", $publickey="", $uid="") {
     $this->privatekey = $privatekey;
     $this->publickey = $publickey;
     $this->uid = $uid;
-  }
+    
+    if(!empty($server)) {
+      $this->server = $server;      
+      $this->server = rtrim($this->server, '/');    
+
+      if( ( strcmp(substr($server, 0, 7), "http://") != 0 ) && (strcmp(substr($server, 0, 8), "https://") != 0)) {
+        $this->server = "http://" . $server;          
+      }
+    }
+    else {
+      $this->server = "https://cryptophoto.com";  
+    }
+  }
+
 
   /**
@@ -86 +99 @@
 
     if(function_exists('curl_init')) {
+
       $req = $this->string_encode($udata);
       $cookies = "";
       $response = "";
-
       $data = array (
                   'http' => array ( 
@@ -101 +114 @@
 
       $ch = curl_init ($url);
+      curl_setopt ($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem');
       curl_setopt ($ch, CURLOPT_POST, true);
       curl_setopt ($ch, CURLOPT_POSTFIELDS, $req);
       curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
       $response = curl_exec($ch);
+      if(curl_errno($ch)) { error_log("CURL error: " . curl_error ($ch)); }
     }
 
@@ -151 +166 @@
       $response = explode("\r\n\r\n", $response, 2);
     }
-
+    
     return $response;
 }
@@ -168 +183 @@
     $data['signature'] = $this->make_signature($this->uid, $this->publickey, $this->privatekey, $time);
     $data['ip'] = $ip;
-  
-    if(function_exists('curl_init')) {
-      $response = $this->post_request("https://".CRYPTO_SERVER."get/session", $data);
-    }
-    else {
-      $response = $this->post_request("http://".CRYPTO_SERVER."get/session", $data);
-    }
+
+    $scheme = parse_url($this->server);
+       
+    if($scheme['scheme'] == 'https') {
+      if(function_exists('curl_init')) {
+        $response = $this->post_request($this->server . "/api/get/session", $data);
+      }
+      else {
+        $this->server = str_replace("https://", "http://" , $this->server); 
+        $response = $this->post_request($this->server . "/api/get/session", $data);
+      }
+    }   
+    else {
+      $response = $this->post_request($this->server . "/api/get/session", $data);
+    }   
 
     if($response != null && $response != '') {
@@ -217 +240 @@
   function get_gen_widget() {
     if($this->sid != null && $this->sid != '') {
-      return '<script type="text/javascript" src="https://'.CRYPTO_SERVER.'token?sd='.$this->sid.'"></script>';
+      return '<script type="text/javascript" src="' . $this->server . '/api/token?sd=' . $this->sid . '"></script>';
     } 
     else {
@@ -229 +252 @@
   function get_auth_widget() {
     if($this->sid != null && $this->sid != '') {
-      return '<script type="text/javascript" src="https://'.CRYPTO_SERVER.'challenge?sd='.$this->sid.'"></script>';
+      return '<script type="text/javascript" src="' . $this->server . '/api/challenge?sd=' . $this->sid . '"></script>';
     } 
     else {
@@ -260 +283 @@
     }
 
-    $time = time();  
+    $time = time(); 
     //compose userdata
     $data['publickey'] = $this->publickey;
@@ -272 +295 @@
     $data['ip'] = $ip;
 
-    //post userdata and his challenge response
-    if(function_exists('curl_init')) {
-      $resp = $this->post_request("https://".CRYPTO_SERVER."verify", $data);
-    }
-    else {
-      $resp = $this->post_request("http://".CRYPTO_SERVER."verify", $data);
-    }
-
-    if($resp != null && $resp !='') {
-
+    $scheme = parse_url($this->server);
+       
+    if($scheme['scheme'] == 'https') {
       if(function_exists('curl_init')) {
-        $answer = explode("\n", $resp);
+        $response = $this->post_request($this->server . "/api/verify", $data);
       }
       else {
-        $answer = explode("\n", $resp[1]);
+        $this->server = str_replace("https://", "http://", $this->server); 
+        $response = $this->post_request($this->server . "/api/verify", $data);
+      }
+    }   
+    else {
+      $response = $this->post_request($this->server . "/api/verify", $data);
+    }   
+    
+    if($response != null && $response !='') {
+
+      if(function_exists('curl_init')) {
+        $answer = explode("\n", $response);
+      }
+      else {
+        $answer = explode("\n", $response[1]);
       }
 
@@ -311 +341 @@
   }
 
-  /**
-  * creates the user signature 
-  * @param string $uid
-  * @param string $publickey
-  * @param string $privatekey
-  * @param string $time
-  * @return string */
-  function make_signature($uid, $publickey, $privatekey, $time) {
-    if(function_exists("hash_hmac")) {
-      return hash_hmac("sha1", $privatekey . $time . $uid . $publickey, $privatekey, false);
-    }
-    else {
-      $this->hmac($privatekey . $time . $uid . $publickey, $privatekey);
-    }
-  }
-  
-  // RFC 2104 HMAC implementation for php.
-  function hmac ($key, $data) { 
-    $b = 64; // byte length for md5
-    if (strlen($key) > $b) {
-        $key = pack("H*",md5($key));
-    }
-    $key  = str_pad($key, $b, chr(0x00));
-    $ipad = str_pad('', $b, chr(0x36));
-    $opad = str_pad('', $b, chr(0x5c));
-    $k_ipad = $key ^ $ipad ;
-    $k_opad = $key ^ $opad;
+
+  /** 
+  * creates the user signature  
+  * @param string $uid 
+  * @param string $publickey 
+  * @param string $privatekey 
+  * @param string $time 
+  * @return string */ 
+  function make_signature($uid, $publickey, $privatekey, $time) { 
+
+    if (function_exists("hash_hmac")) { 
+      return hash_hmac("sha1", $privatekey . $time . $uid . $publickey, $privatekey, false); 
+    } 
+    else { 
+      return $this->hmac("sha1", $privatekey . $time . $uid . $publickey, $privatekey, false); 
+    } 
+  } 
+   
+   
+  function hmac($algo, $data, $key, $raw_output = false) { 
+    $algo = strtolower($algo); 
+    $pack = 'H'.strlen($algo('test')); 
+    $size = 64; 
+    $opad = str_repeat(chr(0x5C), $size); 
+    $ipad = str_repeat(chr(0x36), $size); 
  
-    return md5($k_opad  . pack("H*",md5($k_ipad . $data)));
-  }
-  
-}
+    if (strlen($key) > $size) { 
+        $key = str_pad(pack($pack, $algo($key)), $size, chr(0x00)); 
+    } else { 
+        $key = str_pad($key, $size, chr(0x00)); 
+    } 
+ 
+    for ($i = 0; $i < strlen($key) - 1; $i++) { 
+        $opad[$i] = $opad[$i] ^ $key[$i]; 
+        $ipad[$i] = $ipad[$i] ^ $key[$i]; 
+    } 
+ 
+    $output = $algo($opad.pack($pack, $algo($ipad.$data))); 
+ 
+    return ($raw_output) ? pack($pack, $output) : $output; 
+  } 
+
+  function verify_cptv_response ($parms) {
+
+     if (isset($parms['cpJWSrfc7515'])) {
+
+       $scheme = parse_url($this->server);
+
+       $data['token'] = $parms['cpJWSrfc7515'];
+
+       if ($scheme['scheme'] == 'https') {
+         if (function_exists('curl_init')) {
+           $response = $this->post_request($this->server . "/api/verify/cptv.json", $data);
+         }
+         else {
+           $this->server = str_replace("https://", "http://", $this->server);
+           $response = $this->post_request($this->server . "/api/verify/cptv.json", $data);
+         }
+       }
+       else {
+         $response = $this->post_request($this->server . "/api/verify/cptv.json", $data);
+       }
+
+       if ($response != null && $response != '') {
+         $obj = $this->jsonDecode($response);
+
+         if ($obj != null) {
+
+           if ($this->property_exists($obj, "success") && $obj->success) {
+
+             $jwt = $parms['cpJWSrfc7515'];
+
+             $tks = explode('.', $jwt);
+
+             $payload = $this->jsonDecode($this->urlsafeB64Decode($tks[1]));
+
+             if ($payload != null && $this->property_exists($payload, "fieldsOrder") && $this->property_exists($payload, "fieldsSha256")) {
+
+               $fieldsOrder = $payload->fieldsOrder;
+               $fieldsSha256 = $payload->fieldsSha256;
+
+               $fields = explode(",", $fieldsOrder);
+
+               $shacontent="";
+
+               foreach ($fields as $field) {
+                 if(isset($parms[$field]) && $parms[$field]) $shacontent .= $parms[$field];
+               }
+
+               $shacontent = base64_encode($this->hash256($shacontent));
+               $shacontent = str_replace('=', '', $shacontent); // remove the padding bit, they might not match because of it
+               $fieldsSha256 = str_replace('=', '', $fieldsSha256);
+
+               if ($fieldsSha256 == $shacontent) {
+                 return array("is_valid" => TRUE);
+               } else {
+                 return array("is_valid" => FALSE, "error" => "POSTed field values have been changed");
+               }
+
+             }
+
+           } else {
+             return array("is_valid" => FALSE, "error" => $obj->description);
+           }
+        
+         } else {
+           return array("is_valid" => FALSE, "error" => "CRYPTOPHOTO responded with invalid format");
+         }
+         
+       } else {
+         return array("is_valid" => FALSE, "error" => SERVER_ERROR);
+       }
+    }  
+
+    return array("is_valid" => FALSE, "error" => "JWT token not provided");
+
+  }
+
+  function property_exists ($obj, $property) {
+    if ( !function_exists( 'property_exists' ) ) {
+      if ( is_object( $obj ) ) {
+        $vars = get_object_vars( $obj );
+      } else {
+        $vars = get_class_vars( $obj );
+      }
+      return array_key_exists( $property, $vars );
+    }
+    return property_exists($obj, $property);
+  }
+
+  function hash256($input) {
+    if ( !function_exists('hash') ) {
+      require_once("sha256.php");
+      return SHA256::hash($input, "bin");
+    }
+
+    return hash("sha256", $input, True);
+  }
+
+  function jsonDecode($input) {
+
+    if ( !function_exists('json_decode') ) {
+      require_once("JSON.php");
+      $json = new Services_JSON();
+      return $json->decode($input);
+    }
+
+    if (version_compare(PHP_VERSION, '5.4.0', '>=') && !(defined('JSON_C_VERSION') && PHP_INT_SIZE > 4)) {
+      $obj = json_decode($input, false, 512, JSON_BIGINT_AS_STRING);
+    } else {
+      $max_int_length = strlen((string) PHP_INT_MAX) - 1;
+      $json_without_bigints = preg_replace('/:\s*(-?\d{'.$max_int_length.',})/', ': "$1"', $input);
+      $obj = json_decode($json_without_bigints);
+    }
+    if (function_exists('json_last_error') && $errno = json_last_error()) {
+      return null;
+    } elseif ($obj === null && $input !== 'null') {
+      return null;
+    }
+    return $obj;
+  }
+
+  function urlsafeB64Decode($input) {
+    $remainder = strlen($input) % 4;
+    if ($remainder) {
+      $padlen = 4 - $remainder;
+      $input .= str_repeat('=', $padlen);
+    }
+    return base64_decode(strtr($input, '-_', '+/'));
+  }
+    
+} 
 
 ?>