From 0acd33abe3539fb51960331bf9b7fc43d64f227b Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 29 Mar 2021 19:22:03 +0300
Subject: [PATCH] OTP: generate longer secrets, also make them easier to
 read/copy

---
 classes/pref/prefs.php         | 10 +++++++---
 classes/userhelper.php         |  2 +-
 plugins/auth_internal/init.php |  2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 512e31453..1eaa99345 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -469,8 +469,8 @@ class Pref_Prefs extends Handler_Protected {
 					<?= \Controls\hidden_tag("method", "otpenable") ?>
 
 					<fieldset>
-						<label><?= __("OTP Key:") ?></label>
-						<input dojoType='dijit.form.ValidationTextBox' disabled='disabled' value="<?= $otp_secret ?>" style='width : 215px'>
+						<label><?= __("OTP secret:") ?></label>
+						<code><?= $this->format_otp_secret($otp_secret) ?></code>
 					</fieldset>
 
 					<!-- TODO: return JSON from the backend call -->
@@ -496,7 +496,7 @@ class Pref_Prefs extends Handler_Protected {
 					</fieldset>
 
 					<fieldset>
-						<label><?= __("One time password:") ?></label>
+						<label><?= __("Verification code:") ?></label>
 						<input dojoType='dijit.form.ValidationTextBox' autocomplete='off' required='1' name='otp'>
 					</fieldset>
 
@@ -1518,4 +1518,8 @@ class Pref_Prefs extends Handler_Protected {
 		}
 		return "";
 	}
+
+	private function format_otp_secret($secret) {
+		return implode(" ", str_split($secret, 4));
+	}
 }
diff --git a/classes/userhelper.php b/classes/userhelper.php
index ce26e6c71..0bf67243e 100644
--- a/classes/userhelper.php
+++ b/classes/userhelper.php
@@ -299,7 +299,7 @@ class UserHelper {
 					if ($user->otp_enabled) {
 						$user->otp_secret = $salt_based_secret;
 					} else {
-						$user->otp_secret = bin2hex(get_random_bytes(6));
+						$user->otp_secret = bin2hex(get_random_bytes(10));
 					}
 
 					$user->save();
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index 8c1154566..3f5a2e977 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -109,7 +109,7 @@ class Auth_Internal extends Auth_Base {
 										<?= \Controls\hidden_tag("op", "login") ?>
 
 										<fieldset>
-											<label><?= __("Please enter your one time password:") ?></label>
+											<label><?= __("Please enter verification code (OTP):") ?></label>
 											<input id="otp" dojoType="dijit.form.ValidationTextBox" required="1" autocomplete="off" size="6" name="otp" value=""/>
 											<?= \Controls\submit_tag(__("Continue")) ?>
 										</fieldset>
-- 
GitLab