├── config
├── LICENSE
├── ngx_http_auth_totp.h
├── README.md
└── ngx_http_auth_totp.c


/config:
--------------------------------------------------------------------------------
 1 | ngx_addon_name=ngx_http_auth_totp_module
 2 | 
 3 | DEPS="$ngx_addon_dir/ngx_http_auth_totp.h"
 4 | SRCS="$ngx_addon_dir/ngx_http_auth_totp.c"
 5 | 
 6 | LIBS="-lcrypto"
 7 | 
 8 | if test -n "$ngx_module_link"; then
 9 |     ngx_module_type=HTTP
10 |     ngx_module_name=$ngx_addon_name
11 |     ngx_module_deps=$DEPS
12 |     ngx_module_srcs=$SRCS
13 |     ngx_module_libs=$LIBS
14 |     . auto/module
15 | else
16 |     HTTP_MODULES="$HTTP_MODULES $ngx_addon_name"
17 |     NGX_ADDON_DEPS="$NGX_ADDON_DEPS $DEPS"
18 |     NGX_ADDON_SRCS="$NGX_ADDON_SRCS $SRCS"
19 |     NGX_ADDON_LIBS="$NGX_ADDON_LIBS $LIBS"
20 | fi
21 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2024 Rob Casey
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/ngx_http_auth_totp.h:
--------------------------------------------------------------------------------
 1 | #ifndef _NGX_HTTP_AUTH_TOTP_H_INCLUDED_
 2 | #define _NGX_HTTP_AUTH_TOTP_H_INCLUDED_
 3 | 
 4 | #include <ngx_config.h>
 5 | #include <ngx_core.h>
 6 | #include <ngx_http.h>
 7 | 
 8 | 
 9 | #define MODULE_NAME                     ("totp")
10 | 
11 | #define NGX_HTTP_AUTH_TOTP_BUF_SIZE     (2048)
12 | 
13 | 
14 | /*
15 |     The following enumeration is intended to contain the processing states 
16 |     employed by the configuration file parser.
17 | */
18 | 
19 | typedef enum {
20 |     STATE_USER = 0,
21 |     STATE_SECRET,
22 |     STATE_START,
23 |     STATE_STEP,
24 |     STATE_LENGTH,
25 |     STATE_SKIP
26 | }
27 | ngx_http_auth_totp_state_e;
28 | 
29 | typedef struct {
30 |     ngx_rbtree_t tree;
31 |     ngx_rbtree_node_t sentinel;
32 |     ngx_slab_pool_t *shpool;
33 | }
34 | ngx_http_auth_totp_shm_t;
35 | 
36 | typedef struct {
37 |     ngx_http_complex_value_t *realm;
38 |     ngx_http_complex_value_t *totp_file;
39 |     ngx_int_t length;
40 |     ngx_int_t skew;
41 |     time_t start;
42 |     time_t step;
43 |     ngx_str_t cookie;
44 |     time_t expiry;
45 |     ngx_flag_t reuse;
46 |     ngx_shm_zone_t *shm;
47 | }
48 | ngx_http_auth_totp_loc_conf_t;
49 | 
50 | 
51 | #endif  /* _NGX_HTTP_AUTH_TOTP_H_INCLUDED_ */
52 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # nginx-http-auth-totp
  2 | 
  3 | Time-based one-time password (TOTP) authentication for Nginx
  4 | 
  5 | The Time-based One-Time Password (TOTP) algorithm, provides a secure mechanism for short-lived one-time password values, which are desirable for enhanced security. This algorithm can be used across a wide range of network applications ranging from remote Virtual Private Network (VPN) access, Wi-Fi network logon to transaction-orientated Web applications.
  6 | 
  7 | The nginx-http-auth-totp module provides TOTP authentication for a Nginx server.
  8 | 
  9 | ## Features
 10 | 
 11 | * HTTP basic authentication using time-based one-time password (TOTP)
 12 | * Cookie-based tracking of authenticated clients beyond TOTP validity window
 13 | * Configurable secret, time reference, time step and truncation length for TOTP generation
 14 | * Configurable time-skew for TOTP validation
 15 | 
 16 | ## Build
 17 | 
 18 | To build the nginx-http-auth-totp module from the Nginx source directory:
 19 | 
 20 | ```bash
 21 | ./configure --add-module=/path/to/nginx-http-auth-totp
 22 | make
 23 | make install
 24 | ```
 25 | 
 26 | ## Packages
 27 | 
 28 | For users who prefer pre-built and optimized packages, the nginx-http-auth-totp module can be installed from the [GetPageSpeed repository](https://nginx-extras.getpagespeed.com/modules/auth-totp/):
 29 | 
 30 | ```bash
 31 | dnf -y install https://extras.getpagespeed.com/release-latest.rpm 
 32 | dnf -y install nginx-module-auth-totp
 33 | ```
 34 | 
 35 | ## Configuration
 36 | 
 37 | ```nginx
 38 | server {
 39 |     listen 80;
 40 | 
 41 |     location /protected {
 42 |         auth_totp_realm "Protected";
 43 |         auth_totp_file /etc/nginx/totp.conf;
 44 |         auth_totp_length 8;
 45 |         auth_totp_reuse off;
 46 |         auth_totp_skew 1;
 47 |         auth_totp_step 1m;
 48 |         auth_totp_cookie "totp-session";
 49 |         auth_totp_expiry 1d;
 50 |     }
 51 | }
 52 | ```
 53 | 
 54 | Enable the module by adding the following at the top of `/etc/nginx/nginx.conf`:
 55 | 
 56 | ```nginx
 57 | load_module modules/ngx_http_auth_totp_module.so;
 58 | ```
 59 | 
 60 | ## Directives
 61 | 
 62 | ### auth_totp_cookie
 63 | 
 64 | * **syntax:** `auth_totp_cookie <name>`
 65 | * **default:** `totp`
 66 | * **context:** `http`, `server`, `location`, `limit_except`
 67 | 
 68 | Specifies the name of the HTTP cookie to be used for tracking authenticated clients.
 69 | 
 70 | As the validity of the Time-based One-Time Password (TOTP) used for authentication expires (by design), a HTTP cookie is set following successful authentication in order to persist client authentication beyond the TOTP validity window. This configuration directives specifies the name to be used when setting this cookie while the expiry period for this cookie may be set using the `auth_totp_expiry` directive. 
 71 | 
 72 | ### auth_totp_expiry
 73 | 
 74 | * **syntax:** `auth_totp_expiry <interval>`
 75 | * **default:** `0s`
 76 | * **context:** `http`, `server`, `location`, `limit_except`
 77 | 
 78 | Specifies the expiry time for the HTTP cookie to be used for tracking authenticated clients.
 79 | 
 80 | If this expiry value is not specified (or set to zero), the HTTP cookie used for tracking authenticated clients will be set as a session cookie which will be deleted when the current HTTP client session ends. It is important to note that the browser defines when the "current session" ends, and some browsers use session restoration when restarting, which can cause session cookies to last indefinitely.
 81 | 
 82 | ### auth_totp_file
 83 | 
 84 | * **syntax:** `auth_totp_file <filename>`
 85 | * **default:** -
 86 | * **context:** `http`, `server`, `location`, `limit_except`
 87 | 
 88 | Specifies the file that contains usernames and shared secrets for Time-based One-Time Password (TOTP) authentication. 
 89 | 
 90 | This configuration file has the format:
 91 | 
 92 |     # comment
 93 |     user1:secret1
 94 |     user2:secret2
 95 |     user3:secret3
 96 | 
 97 | ### auth_totp_length
 98 | 
 99 | * **syntax:** `auth_totp_length <number>`
100 | * **default:** `6`
101 | * **context:** `http`, `server`, `location`, `limit_except`
102 | 
103 | Specifies the truncation length of the Time-based One-Time Password (TOTP) code. This truncation length may be between 1 and 8 digits inclusively.
104 | 
105 | If the supplied TOTP is of a different length to this value, the authentication request will fail.
106 | 
107 | ### auth_totp_realm
108 | 
109 | * **syntax:** `auth_totp_realm <string>|off`
110 | * **default:** `off`
111 | * **context:** `http`, `server`, `location`, `limit_except`
112 | 
113 | Enables validation of user name and Time-based One-Time Password (TOTP) using the "HTTP Basic Authentication" protocol. The specified parameter is used as the `realm` for this authentication. This parameter value can contain variables. The special value of `off` cancels the application of any `auth_totp_realm` directive inherited from a higher configuration level.
114 | 
115 | ### auth_totp_reuse
116 | 
117 | * **syntax:** `auth_totp_reuse <on>|<off>`
118 | * **default:** `off`
119 | * **context:**  `http`, `server`, `location`, `limit_except`
120 | 
121 | Enables the reuse of a Time-based One-Time Password (TOTP) within a validity window. While this is non-standard behaviour per [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238), it provides a convenient manner to ensure a minimum window of validity for generated TOTP codes, even if the TOTP has already been presented to the validating system.
122 | 
123 | ### auth_totp_skew
124 | 
125 | * **syntax:** `auth_totp_skew <number>`
126 | * **default:** `1`
127 | * **context:** `http`, `server`, `location`, `limit_except`
128 | 
129 | Specifies the number of time steps by which the time base between the issuing and validating TOTP systems.
130 | 
131 | Due to network latency, the gap between the time that a OTP was generated and the time that the OTP is received at the validating system may be large. Indeed, it is possible that the receiving time at the validating system and that when the OTP was generated by the issuing system may not fall within the same time-step window. Accordingly, the validating system should typically set a policy for an acceptable OTP transmission window for validation. In line with this, the validating system should compare OTPs not only with the receiving timestamp, but also the past timestamps that are within the transmission delay.
132 | 
133 | It is important to note that larger acceptable delay windows represent a larger window for attacks and a balance must be struck between the security and usability of OTPs.
134 | 
135 | ### auth_totp_start
136 | 
137 | * **syntax:** `auth_totp_start <time>`
138 | * **default:** `0`
139 | * **context:** `http`, `server`, `location`, `limit_except`
140 | 
141 | Specifies the UNIX time from which to start counting time steps as part of Time-based One-Time Password (TOTP) algorithm operations.
142 | 
143 | The default value is 0, the UNIX epoch at 1970/01/01. 
144 | 
145 | ### auth_totp_step
146 | 
147 | * **syntax:** `auth_totp_step <interval>`
148 | * **default:** `30s`
149 | * **context:** `http`, `server`, `location`, `limit_except`
150 | 
151 | Specifies the time step as part of Time-based One-Time Password (TOTP) algorithm operations.
152 | 
153 | ## References
154 | 
155 | * [RFC 4226 HOTP: An HMAC-Based One-Time Password Algorithm](https://datatracker.ietf.org/doc/html/rfc4226)
156 | * [RFC 6238 TOTP: Time-Based One-Time Password Algorithm](https://datatracker.ietf.org/doc/html/rfc6238)
157 | * [RFC 7235 Hypertext Transfer Protocol (HTTP/1.1): Authentication](https://datatracker.ietf.org/doc/html/rfc7235)
158 | 
159 | 


--------------------------------------------------------------------------------
/ngx_http_auth_totp.c:
--------------------------------------------------------------------------------
  1 | #include <ngx_config.h>
  2 | #include <ngx_core.h>
  3 | #include <ngx_http.h>
  4 | 
  5 | #include <stdint.h>
  6 | #include <time.h>
  7 | 
  8 | #include <openssl/hmac.h>
  9 | 
 10 | #include "ngx_http_auth_totp.h"
 11 | 
 12 | 
 13 | static uint32_t ngx_http_auth_totp_algorithm_hotp(u_char *key, size_t length, uint64_t count, size_t digits);
 14 | 
 15 | static void * ngx_http_auth_totp_create_loc_conf(ngx_conf_t *cf);
 16 | 
 17 | static char * ngx_http_auth_totp_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
 18 | 
 19 | static ngx_int_t ngx_http_auth_totp_handler(ngx_http_request_t *r);
 20 | 
 21 | static ngx_int_t ngx_http_auth_totp_initialise(ngx_conf_t *cf);
 22 | 
 23 | static char * ngx_http_auth_totp_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child);
 24 | 
 25 | static ngx_int_t ngx_http_auth_totp_reuse_check(ngx_http_request_t *r, uint64_t step);
 26 | 
 27 | static ngx_int_t ngx_http_auth_totp_reuse_cleanup(ngx_http_request_t *r, uint64_t step);
 28 | 
 29 | static ngx_int_t ngx_http_auth_totp_set_cookie(ngx_http_request_t *r);
 30 | 
 31 | static ngx_int_t ngx_http_auth_totp_set_realm(ngx_http_request_t *r, ngx_str_t *realm);
 32 | 
 33 | static ngx_int_t ngx_http_auth_totp_shm_initialise(ngx_shm_zone_t *shm_zone, void *data);
 34 | 
 35 | static ngx_int_t ngx_http_auth_totp_validation(ngx_http_request_t *r, ngx_str_t *realm, u_char *key, size_t length, time_t start, time_t step, size_t digits);
 36 | 
 37 | 
 38 | static ngx_int_t powi[] = { 1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000 };
 39 | 
 40 | 
 41 | static ngx_command_t ngx_http_auth_totp_directives[] = {
 42 | 
 43 |     { ngx_string("auth_totp_cookie"),
 44 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 45 |             ngx_conf_set_str_slot,
 46 |             NGX_HTTP_LOC_CONF_OFFSET,
 47 |             offsetof(ngx_http_auth_totp_loc_conf_t, cookie),
 48 |             NULL },
 49 | 
 50 |     { ngx_string("auth_totp_expiry"),
 51 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 52 |             ngx_conf_set_sec_slot,
 53 |             NGX_HTTP_LOC_CONF_OFFSET,
 54 |             offsetof(ngx_http_auth_totp_loc_conf_t, expiry),
 55 |             NULL },
 56 | 
 57 |     { ngx_string("auth_totp_file"),
 58 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 59 |             ngx_http_auth_totp_file,
 60 |             NGX_HTTP_LOC_CONF_OFFSET,
 61 |             offsetof(ngx_http_auth_totp_loc_conf_t, totp_file),
 62 |             NULL },
 63 | 
 64 |     { ngx_string("auth_totp_length"),
 65 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 66 |             ngx_conf_set_num_slot,
 67 |             NGX_HTTP_LOC_CONF_OFFSET,
 68 |             offsetof(ngx_http_auth_totp_loc_conf_t, length),
 69 |             NULL },
 70 | 
 71 |     { ngx_string("auth_totp_realm"),
 72 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 73 |             ngx_http_set_complex_value_slot,
 74 |             NGX_HTTP_LOC_CONF_OFFSET,
 75 |             offsetof(ngx_http_auth_totp_loc_conf_t, realm),
 76 |             NULL },
 77 | 
 78 |     { ngx_string("auth_totp_reuse"),
 79 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 80 |             ngx_conf_set_flag_slot,
 81 |             NGX_HTTP_LOC_CONF_OFFSET,
 82 |             offsetof(ngx_http_auth_totp_loc_conf_t, reuse),
 83 |             NULL },
 84 | 
 85 |     { ngx_string("auth_totp_skew"),
 86 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 87 |             ngx_conf_set_num_slot,
 88 |             NGX_HTTP_LOC_CONF_OFFSET,
 89 |             offsetof(ngx_http_auth_totp_loc_conf_t, skew),
 90 |             NULL },
 91 | 
 92 |     { ngx_string("auth_totp_start"),
 93 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
 94 |             ngx_conf_set_sec_slot,
 95 |             NGX_HTTP_LOC_CONF_OFFSET,
 96 |             offsetof(ngx_http_auth_totp_loc_conf_t, start),
 97 |             NULL },
 98 | 
 99 |     { ngx_string("auth_totp_step"),
100 |             NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF|NGX_CONF_TAKE1,
101 |             ngx_conf_set_sec_slot,
102 |             NGX_HTTP_LOC_CONF_OFFSET,
103 |             offsetof(ngx_http_auth_totp_loc_conf_t, step),
104 |             NULL },
105 | 
106 |     ngx_null_command
107 | };
108 | 
109 | static ngx_http_module_t ngx_http_auth_totp_ctx = {
110 |     NULL,                               /* preconfiguration */
111 |     ngx_http_auth_totp_initialise,      /* postconfiguration */
112 |     NULL,                               /* create main configuration */
113 |     NULL,                               /* init main configuration */
114 |     NULL,                               /* create server configuration */
115 |     NULL,                               /* merge server configuration */
116 |     ngx_http_auth_totp_create_loc_conf, /* create location configuration */
117 |     ngx_http_auth_totp_merge_loc_conf   /* merge location configuration */
118 | };
119 | 
120 | ngx_module_t ngx_http_auth_totp_module = {
121 |     NGX_MODULE_V1,
122 |     &ngx_http_auth_totp_ctx,            /* module context */
123 |     ngx_http_auth_totp_directives,      /* module directives */
124 |     NGX_HTTP_MODULE,                    /* module type */
125 |     NULL,                               /* init master */
126 |     NULL,                               /* init module */
127 |     NULL,                               /* init process */
128 |     NULL,                               /* init thread */
129 |     NULL,                               /* exit thread */
130 |     NULL,                               /* exit process */
131 |     NULL,                               /* exit master */
132 |     NGX_MODULE_V1_PADDING
133 | };
134 | 
135 | 
136 | static uint32_t 
137 | ngx_http_auth_totp_algorithm_hotp(u_char *key, size_t length, uint64_t count, size_t digits) {
138 |     uint64_t value;
139 |     uint32_t bin;
140 |     uint8_t buffer[8], offset, *result;
141 |     int index;
142 | 
143 |     /*
144 |         This function implements the hash-based one-time password (HTOP) algorithm 
145 |         as defined in RFC 4226, which serves as the base of the time-based one-time 
146 |         password (TOTP) algorithm defined in RFC 6238.
147 |     */
148 | 
149 |     //  Step 1: Generate HMAC-SHA-1 value
150 |     for (value = count, index = 7; index >= 0; index--) {
151 |         buffer[index] = (uint8_t)(value & 0xff);
152 |         value >>= 8;
153 |     }
154 |     result = HMAC(EVP_sha1(), key, length, (const unsigned char *)buffer, sizeof(buffer), NULL, 0);
155 |     //  Step 2: Generate four-byte string (dynamic truncation)
156 |     offset = result[19] & 0x0f;
157 |     bin = ((result[offset] & 0x7f) << 24) |
158 |             ((result[offset + 1] & 0xff) << 16) |
159 |             ((result[offset + 2] & 0xff) << 8) |
160 |             (result[offset + 3] & 0xff);
161 |     //  Step 3: Compute HOTP value
162 |     return (bin % powi[digits]);
163 | }
164 | 
165 | 
166 | static void * 
167 | ngx_http_auth_totp_create_loc_conf(ngx_conf_t *cf) {
168 |     ngx_http_auth_totp_loc_conf_t *lcf;
169 |     ngx_str_t name;
170 | 
171 |     lcf = ngx_pcalloc(cf->pool, sizeof(ngx_http_auth_totp_loc_conf_t));
172 |     if (lcf == NULL) {
173 |         return NULL;
174 |     }
175 |     lcf->realm = NGX_CONF_UNSET_PTR;
176 |     lcf->totp_file = NGX_CONF_UNSET_PTR;
177 |     lcf->length = NGX_CONF_UNSET;
178 |     lcf->skew = NGX_CONF_UNSET;
179 |     lcf->start = NGX_CONF_UNSET;
180 |     lcf->step = NGX_CONF_UNSET;
181 |     /* lcf->cookie = { 0, NULL }; */
182 |     lcf->expiry = NGX_CONF_UNSET;
183 |     lcf->reuse = NGX_CONF_UNSET;
184 | 
185 |     /*
186 |         The following creates shared memory where successful authentication for 
187 |         current time-step windows can be recorded. This is to prevent the re-use of 
188 |         TOTP codes (for a given user) against the validating system in line with 
189 |         RFC 6238. The use of shared memory is so that this information may be shared 
190 |         between nginx worker processes. 
191 |     */
192 | 
193 |     ngx_str_set(&name, MODULE_NAME);
194 |     lcf->shm = ngx_shared_memory_add(cf, &name, 65536, &ngx_http_auth_totp_module);
195 |     if (lcf->shm == NULL) {
196 |         return NULL;
197 |     }
198 |     lcf->shm->init = ngx_http_auth_totp_shm_initialise;
199 | 
200 |     return lcf;
201 | }
202 | 
203 | 
204 | static ngx_int_t 
205 | ngx_http_auth_totp_get_cookie(ngx_http_request_t *r) {
206 |     ngx_http_auth_totp_loc_conf_t *lcf;
207 |     ngx_table_elt_t *cookie;
208 |     ngx_str_t value;
209 |     uint32_t result, value1, value2;
210 |     u_char buffer[9];
211 | 
212 |     /*
213 |         This function is intended to return true if a HTTP cookie has been set 
214 |         indicating successful authentication previously by the current HTTP client. 
215 |     */
216 | 
217 |     lcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_totp_module);
218 |     /* assert(lcf != NULL); */
219 |     cookie = ngx_http_parse_multi_header_lines(r, r->headers_in.cookie,
220 |             &lcf->cookie,
221 |             &value);
222 |     if (cookie == NULL) {
223 |         return 0;
224 |     }
225 | 
226 |     /*
227 |         It should be noted that the validation mechanism for the cookie value is 
228 |         very primitive, merely checking to see whether the value appears to have 
229 |         been set by this module. This is because there is no inherent value in the
230 |         cookie beyond its' presence in the HTTP request.
231 |     */
232 | 
233 |     if (value.len != 24) {
234 |         return 0;
235 |     }
236 |     ngx_memzero(buffer, sizeof(buffer));
237 |     ngx_memmove(buffer, &value.data[0], 8);
238 |     value1 = strtoul((char *)buffer, (char **)NULL, 16);
239 |     ngx_memmove(buffer, &value.data[8], 8);
240 |     value2 = strtoul((char *)buffer, (char **)NULL, 16);
241 |     ngx_memmove(buffer, &value.data[16], 8);
242 |     result = strtoul((char *)buffer, (char **)NULL, 16);
243 | 
244 |     return ((value1 ^ value2) == result);
245 | }
246 | 
247 | 
248 | static char * 
249 | ngx_http_auth_totp_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
250 |     ngx_http_auth_totp_loc_conf_t *lcf = conf;
251 |     ngx_http_compile_complex_value_t cv;
252 |     ngx_str_t *value;
253 | 
254 |     if (lcf->totp_file != NGX_CONF_UNSET_PTR) {
255 |         return "is duplicate";
256 |     }
257 | 
258 |     lcf->totp_file = ngx_pcalloc(cf->pool, sizeof(ngx_http_complex_value_t));
259 |     if (lcf->totp_file == NULL) {
260 |         return NGX_CONF_ERROR;
261 |     }
262 | 
263 |     value = cf->args->elts;
264 | 
265 |     ngx_memzero(&cv, sizeof(ngx_http_compile_complex_value_t));
266 |     cv.cf = cf;
267 |     cv.complex_value = lcf->totp_file;
268 |     cv.value = &value[1];
269 |     cv.conf_prefix = 1;
270 |     cv.zero = 1;
271 | 
272 |     if (ngx_http_compile_complex_value(&cv) != NGX_OK) {
273 |         return NGX_CONF_ERROR;
274 |     }
275 | 
276 |     return NGX_CONF_OK;
277 | }
278 | 
279 | 
280 | static ngx_int_t 
281 | ngx_http_auth_totp_handler(ngx_http_request_t *r) {
282 |     ngx_http_auth_totp_loc_conf_t *lcf;
283 |     ngx_err_t err;
284 |     ngx_fd_t fd;
285 |     ngx_file_t file;
286 |     ngx_int_t rc;
287 |     ngx_str_t filename, realm;
288 |     ngx_uint_t count, index, length, level, state;
289 |     u_char buffer[NGX_HTTP_AUTH_TOTP_BUF_SIZE];
290 |     off_t offset;
291 |     ssize_t rv;
292 | 
293 |     lcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_totp_module);
294 |     /* assert(lcf != NULL); */
295 |     if ((lcf->realm == NULL) ||
296 |             (lcf->totp_file == NULL)) {
297 |         return NGX_DECLINED;
298 |     }
299 | 
300 |     if (ngx_http_complex_value(r, lcf->realm, &realm) != NGX_OK) {
301 |         return NGX_ERROR;
302 |     }
303 |     if ((realm.len == 3) &&
304 |             (ngx_strncasecmp(realm.data, (u_char *) "off", 3) == 0)) {
305 |         return NGX_DECLINED;
306 |     }
307 |     if (ngx_http_auth_totp_get_cookie(r) != 0) {
308 |         return NGX_OK;
309 |     }
310 | 
311 |     /*
312 |         If the client has not provided username and/or password, the WWW-Authenticate 
313 |         header is sent to demand basic authentication.
314 |     */
315 |     
316 |     rc = ngx_http_auth_basic_user(r);
317 |     if (rc == NGX_DECLINED) {
318 |         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
319 |                 "no user/password was provided for basic authentication");
320 |         return ngx_http_auth_totp_set_realm(r, &realm);
321 |     }
322 |     if (rc == NGX_ERROR) {
323 |         return NGX_HTTP_INTERNAL_SERVER_ERROR;
324 |     }
325 | 
326 |     /*
327 |         The following code is intended to perform parsing of the TOTP configuration 
328 |         file to read the parameters to be employed in association witht he TOTP 
329 |         algorithm based on the user name included in Basic Authentication headers.
330 |     */
331 | 
332 |     if (ngx_http_complex_value(r, lcf->totp_file, &filename) != NGX_OK) {
333 |         return NGX_ERROR;
334 |     }
335 | 
336 |     fd = ngx_open_file(filename.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
337 |     if (fd == NGX_INVALID_FILE) {
338 |         err = ngx_errno;
339 | 
340 |         if (err == NGX_ENOENT) {
341 |             level = NGX_LOG_ERR;
342 |             rc = NGX_HTTP_FORBIDDEN;
343 |         }
344 |         else {
345 |             level = NGX_LOG_CRIT;
346 |             rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
347 |         }
348 | 
349 |         ngx_log_error(level, r->connection->log, err,
350 |                 ngx_open_file_n " \"%s\" failed", filename.data);
351 | 
352 |         return rc;
353 |     }
354 | 
355 |     ngx_memzero(&file, sizeof(ngx_file_t));
356 |     file.fd = fd;
357 |     file.name = filename;
358 |     file.log = r->connection->log;
359 | 
360 |     count = 0;
361 |     length = 0;
362 |     offset = 0;
363 |     state = STATE_USER;
364 |     rc = NGX_OK;
365 | 
366 |     for (;;) {
367 |         rv = ngx_read_file(&file, buffer + count, NGX_HTTP_AUTH_TOTP_BUF_SIZE - count, offset);
368 |         if (rv == NGX_ERROR) {
369 |             rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
370 |             goto finish;
371 |         }
372 |         if (rv == 0) {
373 |             break;
374 |         }
375 | 
376 |         /* assert(rv > 0); */
377 |         for (index = count; index < (count + rv); index++) {
378 |             switch (state) {
379 |                 case STATE_USER:
380 | 
381 |                     /*
382 |                         This parsing code differs from the reference code within the 
383 |                         src/http/modules/ngx_http_auth_basic_module.c in that matching against the 
384 |                         user name is not performed until the entire field has been parsed from the 
385 |                         TOTP file. 
386 |                     */
387 | 
388 |                     if (length == 0) {
389 |                         if ((buffer[index] == '#') ||
390 |                                 (buffer[index] == CR)) {
391 |                             state = STATE_SKIP;
392 |                             break;
393 |                         }
394 |                         if ((buffer[index] == ' ') ||
395 |                                 (buffer[index] == '\t') ||
396 |                                 (buffer[index] == LF)) {
397 |                             break;
398 |                         }
399 |                     }
400 |                     if (buffer[index] == ':') {
401 |                         if (length == 0) {
402 | 
403 |                             /*
404 |                                 If no user name has been specified within the TOTP file, the line is treated 
405 |                                 as junk and ignored. An alternate approach may however be to use associated 
406 |                                 TOTP algorithm parameters to match any user name provided - This behaviour 
407 |                                 may be adopted in the future.
408 |                             */
409 | 
410 |                             state = STATE_SKIP;
411 |                             break;
412 |                         }
413 |                         /* assert(index >= length); */
414 |                         if ((r->headers_in.user.len != length) ||
415 |                                 (ngx_strncasecmp(r->headers_in.user.data, 
416 |                                         &buffer[index - length], 
417 |                                         length) != 0)) {
418 |                             state = STATE_SKIP;
419 |                             break;
420 |                         }
421 | 
422 |                         state = STATE_SECRET;
423 |                         length = 0;
424 |                         break;
425 |                     }
426 | 
427 |                     ++length;
428 |                     break;
429 | 
430 |                 case STATE_SECRET:
431 |                     if ((buffer[index] == CR) ||
432 |                             (buffer[index] == LF)) {
433 |                         rc = ngx_http_auth_totp_validation(r, 
434 |                                 &realm, 
435 |                                 &buffer[index - length], 
436 |                                 length, 
437 |                                 lcf->start, 
438 |                                 lcf->step, 
439 |                                 lcf->length);
440 |                         goto finish;
441 |                     }
442 | 
443 |                     ++length;
444 |                     break;
445 | 
446 |                 case STATE_START:   //  For future use
447 |                 case STATE_STEP:    //  For future use
448 |                 case STATE_LENGTH:  //  For future use
449 |                 case STATE_SKIP:
450 |                 default:
451 |                     if (buffer[index] == LF) {
452 |                         state = STATE_USER;
453 |                         length = 0;
454 |                     }
455 |                     break;
456 |             }
457 |         }
458 |         offset += rv;
459 |     }
460 |     // user not found in TOTP file
461 |     rc = ngx_http_auth_totp_set_realm(r, &realm);
462 | 
463 | finish:
464 |     if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
465 |         ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno,
466 |                 ngx_close_file_n " \"%s\" failed", filename.data);
467 |     }
468 |     ngx_explicit_memzero(buffer, NGX_HTTP_AUTH_TOTP_BUF_SIZE);
469 | 
470 |     return rc;
471 | }
472 | 
473 | 
474 | static ngx_int_t
475 | ngx_http_auth_totp_initialise(ngx_conf_t *cf) {
476 |     ngx_http_core_main_conf_t *cmcf;
477 |     ngx_http_handler_pt *h;
478 | 
479 |     cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
480 |     h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers);
481 |     if (h == NULL) {
482 |         return NGX_ERROR;
483 |     }
484 |     *h = ngx_http_auth_totp_handler;
485 | 
486 |     return NGX_OK;
487 | }
488 | 
489 | 
490 | static char * 
491 | ngx_http_auth_totp_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) {
492 |     ngx_http_auth_totp_loc_conf_t *prev = parent;
493 |     ngx_http_auth_totp_loc_conf_t *conf = child;
494 | 
495 |     ngx_conf_merge_ptr_value(conf->realm, prev->realm, NULL);
496 |     ngx_conf_merge_ptr_value(conf->totp_file, prev->totp_file, NULL);
497 |     ngx_conf_merge_value(conf->length, prev->length, 6);
498 |     ngx_conf_merge_value(conf->skew, prev->skew, 1);
499 |     ngx_conf_merge_sec_value(conf->start, prev->start, 0);
500 |     ngx_conf_merge_sec_value(conf->step, prev->start, 30);
501 |     ngx_conf_merge_str_value(conf->cookie, prev->cookie, "totp");
502 |     ngx_conf_merge_sec_value(conf->expiry, prev->expiry, 0);
503 |     ngx_conf_merge_value(conf->reuse, prev->reuse, 0);
504 | 
505 |     if (conf->shm == NULL) {
506 |         conf->shm = prev->shm;
507 |     }
508 | 
509 |     return NGX_CONF_OK;
510 | }
511 | 
512 | 
513 | static ngx_int_t 
514 | ngx_http_auth_totp_reuse_check(ngx_http_request_t *r, uint64_t step) {
515 |     ngx_http_core_loc_conf_t *clcf;
516 |     ngx_http_auth_totp_loc_conf_t *lcf;
517 |     ngx_http_auth_totp_shm_t *shm; 
518 |     ngx_str_node_t *n;
519 |     u_char buffer[NGX_HTTP_AUTH_TOTP_BUF_SIZE], *ptr;
520 |     ngx_str_t value;
521 |     ngx_int_t result;
522 |     uint32_t hash;
523 | 
524 |     /*
525 |         This function is intended to check for previous successful authentication by 
526 |         the current user for the given TOTP step window. If the user has already 
527 |         successfully authenticated within the given step window for the given 
528 |         location directive, a non-zero value will returned by this function.
529 | 
530 |         The inclusion of the URI from the associated location directive allows for 
531 |         authentication to be independent between location directives.
532 |     */
533 | 
534 |     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
535 |     /* assert(clcf != NULL); */
536 |     lcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_totp_module);
537 |     /* assert(lcf != NULL); */
538 |     if (lcf->reuse != 0) {
539 |         return 0;
540 |     }
541 | 
542 |     /*
543 |         The step value must be at the start of the red-black tree key - This is so 
544 |         as to facilitate comparison actions in the ngx_http_auth_totp_reuse_cleanup 
545 |         function.
546 |     */
547 | 
548 |     ptr = ngx_snprintf(buffer, sizeof(buffer), "%ui:%V:%V",
549 |             step,
550 |             &clcf->name, 
551 |             &r->headers_in.user);
552 |     value.data = buffer;
553 |     value.len = ptr - buffer;
554 |     hash = ngx_crc32_long(value.data, value.len);
555 | 
556 |     result = -1;
557 |     shm = lcf->shm->data;
558 |     /* assert(shm != NULL); */
559 |     n = (ngx_str_node_t *) ngx_str_rbtree_lookup(&shm->tree, &value, hash);
560 |     if (n != NULL) {
561 |         result = 1;
562 |         goto finish;
563 |     }
564 | 
565 |     n = ngx_slab_alloc(shm->shpool, sizeof(ngx_str_node_t));
566 |     if (n == NULL) {
567 |         goto finish;
568 |     }
569 |     ptr = ngx_slab_alloc(shm->shpool, value.len);
570 |     if (ptr == NULL) {
571 |         goto finish;
572 |     }
573 |     ngx_memcpy(ptr, value.data, value.len);
574 |     n->str.data = ptr;
575 |     n->str.len = value.len;
576 |     n->node.key = hash;
577 |     ngx_shmtx_lock(&shm->shpool->mutex);
578 |     ngx_rbtree_insert(&shm->tree, &n->node);
579 |     ngx_shmtx_unlock(&shm->shpool->mutex);
580 | 
581 |     result = 0;
582 | 
583 | finish:
584 |     return result;
585 | }
586 | 
587 | 
588 | static ngx_int_t 
589 | ngx_http_auth_totp_reuse_cleanup(ngx_http_request_t *r, uint64_t step) {
590 |     ngx_http_auth_totp_loc_conf_t *lcf;
591 |     ngx_http_auth_totp_shm_t *shm;
592 |     ngx_rbtree_t *tree;
593 |     ngx_rbtree_node_t *node;
594 |     ngx_str_node_t *n;
595 |     ngx_array_t entries;
596 |     ngx_uint_t index;
597 |     ngx_str_t *entry, *name;
598 |     uint64_t value;
599 |     uint32_t hash;
600 | 
601 |     /*
602 |         The function is intended to walk through the red-black tree of successful 
603 |         authentication requests and remove any entries whose associated validity 
604 |         window has expired. This is primarily to maintain a "clean" memory 
605 |         environment without any lingering entries associated with expired 
606 |         authentication entries.
607 | 
608 |         This is performed by building an array of expired authentication requests
609 |         and then deleting these _after_ completing the iteration of the red-black
610 |         tree.
611 |     */
612 | 
613 |     lcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_totp_module);
614 |     /* assert(lcf != NULL); */
615 |     shm = lcf->shm->data;
616 |     /* assert(shm != NULL); */
617 |     tree = &shm->tree;
618 | 
619 |     if (tree->root == tree->sentinel) {
620 |         return 0;
621 |     }
622 | 
623 |     ngx_array_init(&entries, r->pool, 16, sizeof(ngx_str_t));
624 |     for (node = ngx_rbtree_min(tree->root, tree->sentinel); 
625 |             node; 
626 |             node = ngx_rbtree_next(tree, node)) {
627 | 
628 |         n = (ngx_str_node_t *) node;
629 |         value = strtoll((char *) n->str.data, NULL, 10);
630 |         if (value < step) {
631 |             name = ngx_pnalloc(r->pool, sizeof(ngx_str_t));
632 |             /* assert(name != NULL); */
633 |             if (name == NULL) {
634 |                 return -1;
635 |             }
636 |             name->data = ngx_pstrdup(r->pool, &n->str);
637 |             /* assert(name->data != NULL); */
638 |             if (name->data == NULL) {
639 |                 return -1;
640 |             }
641 |             name->len = n->str.len;
642 | 
643 |             entry = ngx_array_push(&entries);
644 |             *entry = *name;
645 |         }
646 |     }
647 | 
648 |     for (index = 0, name = entries.elts; 
649 |             index < entries.nelts; 
650 |             ++index) {
651 | 
652 |         hash = ngx_crc32_long(name[index].data, name[index].len);
653 |         n = (ngx_str_node_t *) ngx_str_rbtree_lookup(tree, &name[index], hash);
654 |         if (n != NULL) {
655 |             /* assert(n != NULL); */
656 |             ngx_shmtx_lock(&shm->shpool->mutex);
657 |             ngx_rbtree_delete(tree, (ngx_rbtree_node_t *) n);
658 |             ngx_shmtx_unlock(&shm->shpool->mutex);
659 |         }
660 |     }
661 | 
662 |     return 0;
663 | }
664 | 
665 | 
666 | static ngx_int_t
667 | ngx_http_auth_totp_set_cookie(ngx_http_request_t *r) {
668 |     ngx_http_auth_totp_loc_conf_t *lcf;
669 |     ngx_table_elt_t *set_cookie;
670 |     uint32_t result, value1, value2;
671 |     u_char *cookie, *ptr, expiry[16];
672 |     size_t len;
673 | 
674 |     /*
675 |         This function is intended to set a session cookie following successful 
676 |         authentication by a client. This is required as the password provided by the 
677 |         client in the authentication request will rotate (by design) and cannot be 
678 |         relied upon for continued access to protected resources. Accordingly, a 
679 |         session cookie is set and retrieved by this module, in preference to the 
680 |         TOTP authentication, to ensure continued resource access following 
681 |         authentication.
682 |     */
683 | 
684 |     lcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_totp_module);
685 |     /* assert(lcf != NULL); */
686 |     len = lcf->cookie.len + sizeof("; HttpOnly") + 24 /* - 1 + 1 */;
687 |     if (lcf->expiry) {
688 |         /* ngx_memzero(expiry, sizeof(expiry)); */
689 |         ngx_snprintf(expiry, sizeof(expiry), "%ui", lcf->expiry);
690 |         len += sizeof("; Max-Age=") + ngx_strlen(expiry) - 1;
691 |     }
692 | 
693 |     value1 = (uint32_t) ngx_random();
694 |     value2 = (uint32_t) ngx_random();
695 |     result = value1 ^ value2;
696 | 
697 |     cookie = ngx_pnalloc(r->pool, len);
698 |     if (cookie == NULL) {
699 |         return NGX_ERROR;
700 |     }
701 |     ptr = ngx_copy(cookie, lcf->cookie.data, lcf->cookie.len);
702 |     *ptr++ = '=';
703 |     ptr = ngx_sprintf(ptr, "%08xd%08xd%08xd; HttpOnly",
704 |             value1,
705 |             value2,
706 |             result);
707 |     if (lcf->expiry) {
708 |         ptr = ngx_sprintf(ptr, "; Max-Age=%ui", lcf->expiry);
709 |     }
710 | 
711 |     set_cookie = ngx_list_push(&r->headers_out.headers);
712 |     if (set_cookie == NULL) {
713 |         return NGX_ERROR;
714 |     }
715 |     set_cookie->hash = 1;
716 |     ngx_str_set(&set_cookie->key, "Set-Cookie");
717 |     set_cookie->value.len = ptr - cookie;
718 |     set_cookie->value.data = cookie;
719 | 
720 |     return NGX_OK;
721 | }
722 | 
723 | 
724 | static ngx_int_t 
725 | ngx_http_auth_totp_set_realm(ngx_http_request_t *r, ngx_str_t *realm) {
726 |     u_char *header, *ptr;
727 |     size_t len;
728 | 
729 |     r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers);
730 |     if (r->headers_out.www_authenticate == NULL) {
731 |         return NGX_HTTP_INTERNAL_SERVER_ERROR;
732 |     }
733 | 
734 |     len = sizeof("Basic realm=\"\"") - 1 + realm->len;
735 |     header = ngx_pnalloc(r->pool, len);
736 |     if (header == NULL) {
737 |         r->headers_out.www_authenticate->hash = 0;
738 |         r->headers_out.www_authenticate = NULL;
739 |         return NGX_HTTP_INTERNAL_SERVER_ERROR;
740 |     }
741 | 
742 |     ptr = ngx_cpymem(header, "Basic realm=\"", sizeof("Basic realm=\"") - 1);
743 |     ptr = ngx_cpymem(ptr, realm->data, realm->len);
744 |     *ptr = '"';
745 | 
746 |     r->headers_out.www_authenticate->hash = 1;
747 |     r->headers_out.www_authenticate->next = NULL;
748 |     ngx_str_set(&r->headers_out.www_authenticate->key, "WWW-Authenticate");
749 |     r->headers_out.www_authenticate->value.data = header;
750 |     r->headers_out.www_authenticate->value.len = len;
751 | 
752 |     return NGX_HTTP_UNAUTHORIZED;
753 | }
754 | 
755 | 
756 | static ngx_int_t 
757 | ngx_http_auth_totp_shm_initialise(ngx_shm_zone_t *shm_zone, void *data) {
758 |     ngx_slab_pool_t *shpool;
759 |     ngx_http_auth_totp_shm_t *shm;
760 | 
761 |     if (data) {
762 |         shm_zone->data = data;
763 |         return NGX_OK;
764 |     }
765 | 
766 |     shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
767 |     shm = ngx_slab_alloc(shpool, sizeof(ngx_http_auth_totp_shm_t));
768 |     if (shm == NULL) {
769 |         return NGX_ERROR;
770 |     }
771 |     ngx_rbtree_init(&shm->tree, &shm->sentinel, ngx_str_rbtree_insert_value);
772 |     shm->shpool = shpool;
773 |     shm_zone->data = shm;
774 | 
775 |     return NGX_OK;
776 | }
777 | 
778 | 
779 | static ngx_int_t
780 | ngx_http_auth_totp_validation(ngx_http_request_t *r, ngx_str_t *realm, u_char *key, size_t length, time_t start, time_t step, size_t digits) {
781 |     ngx_http_auth_totp_loc_conf_t *lcf;
782 |     uint64_t count, index;
783 |     u_char buffer[8];
784 |     time_t now;
785 | 
786 |     /*
787 |         This function is intended to validate the time-based one-time password (TOTP) 
788 |         provided by the user, using the HMAC secret, UNIX start time, time step size 
789 |         and truncation length provided. This function additionally loops through the 
790 |         current and previous time steps when performing the TOTP calculation to 
791 |         accommodate skew configuration.
792 |     */
793 | 
794 |     lcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_totp_module);
795 |     /* assert(lcf != NULL); */
796 |     digits = (digits < 1) ? 1 : digits;
797 |     digits = (digits > 8) ? 8 : digits;
798 |     if (r->headers_in.passwd.len != digits) {
799 |         return ngx_http_auth_totp_set_realm(r, realm);
800 |     }
801 | 
802 |     now = time(NULL);
803 |     if (start > now) {
804 |         return ngx_http_auth_totp_set_realm(r, realm);
805 |     }
806 | 
807 |     count = (now - start) / ((step > 0) ? step : 30);
808 |     ngx_http_auth_totp_reuse_cleanup(r, count - lcf->skew);
809 | 
810 |     for (index = 0; index <= (uint64_t)lcf->skew; index++) {
811 |         /* assert(count >= index); */
812 |         ngx_snprintf(buffer, sizeof(buffer), "%0*i", 
813 |                 digits, ngx_http_auth_totp_algorithm_hotp(key, length, count - index, digits));
814 |         if (ngx_strncmp(r->headers_in.passwd.data, buffer, digits) == 0) {
815 | 
816 |             if (ngx_http_auth_totp_reuse_check(r, count - index) != 0) {
817 |                 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
818 |                         "%s: attempted password re-use by user \"%*s\"",
819 |                         MODULE_NAME,
820 |                         r->headers_in.user.len,
821 |                         r->headers_in.user.data);
822 |                 break;
823 |             } 
824 |             ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
825 |                     "%s: user \"%*s\", code %*s, skew %ui",
826 |                     MODULE_NAME,
827 |                     r->headers_in.user.len,
828 |                     r->headers_in.user.data,
829 |                     digits,
830 |                     buffer,
831 |                     index);
832 |             return ngx_http_auth_totp_set_cookie(r);
833 |         }
834 |     }
835 | 
836 |     return ngx_http_auth_totp_set_realm(r, realm);
837 | }
838 | 
839 | 
840 | 


--------------------------------------------------------------------------------