├── README
├── README.adoc
├── composer.json
├── readme.txt
└── u2f.php


/README:
--------------------------------------------------------------------------------
 1 | == U2F for Wordpress
 2 | 
 3 | NOTE: This project is deprecated and is no longer being maintained.
 4 | 
 5 | This plugin adds support for the two factor authentication standard U2F.
 6 | 
 7 | The functionality is similar to the U2F (Security Key) support available for Google accounts:
 8 | 
 9 | * Users registers U2F devices themselves.
10 | * Users are not required to register devices.
11 | * A user can have multiple devices registered.
12 | * Currently, only Google Chrome is supported.
13 | 
14 | 
15 | === Installation
16 | 
17 | . Install the dependencies using http://getcomposer.org[Composer].
18 | . Move the wordpress-u2f directory into the `/wp-content/plugins/` directory.
19 | . Activate the plugin through the 'Plugins' menu in WordPress.
20 | . Go to _Settings_ -> _U2F_.
21 | . Set https://developers.yubico.com/U2F/App_ID.html[App ID] to the the base URL of your website, for example _https://mysite.wordpress.com_.
22 | 
23 | === Managing devices
24 | U2F devices can be added and removed from the profile screen (accessible by clicking on your name at the top of the screen).
25 | 


--------------------------------------------------------------------------------
/README.adoc:
--------------------------------------------------------------------------------
1 | README


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
1 | {
2 |     "require": {
3 |         "yubico/u2flib-server": "dev-master"
4 |     }
5 | }


--------------------------------------------------------------------------------
/readme.txt:
--------------------------------------------------------------------------------
 1 | === U2F for Wordpress ===
 2 | Contributors: yubico
 3 | Tags: authentication, login
 4 | Requires at least: 4.0
 5 | Tested up to: 4.1
 6 | Stable tag: trunk
 7 | License: GPLv2
 8 | License URI: http://www.gnu.org/licenses/gpl-2.0.html
 9 | 
10 | Allows users to login using U2F devices.
11 | 
12 | == Description ==
13 | 
14 | This plugin adds support for the two factor authentication standard U2F.
15 | 
16 | The functionality is similar to the U2F (Security Key) support available for Google accounts:
17 | 
18 | * Users registers U2F devices themselves.
19 | * Users are not required to register devices.
20 | * A user can have multiple devices registered.
21 | * Currently, only Google Chrome is supported.
22 |  
23 | 
24 | == Installation ==
25 | 
26 | 1. Move the wordpress-u2f directory into the `/wp-content/plugins/` directory
27 | 1. Activate the plugin through the 'Plugins' menu in WordPress
28 | 1. Go to _Settings_ -> _U2F_.
29 | 1. Set https://developers.yubico.com/U2F/App_ID.html[App ID] to the the base URL of your website, for example _https://mysite.wordpress.com_.
30 | 
31 | == Changelog ==
32 | 
33 | = 0.2 =
34 | * Initial release.
35 | 
36 | == Upgrade Notice ==
37 | 
38 | = 0.2 =
39 | None
40 | 


--------------------------------------------------------------------------------
/u2f.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /**
  3 | * Plugin Name: U2F for WordPress
  4 | * Plugin URI: http://developers.yubico.com/wordpress-u2f
  5 | * Description: Enables U2F authentication for WordPress.
  6 | * Version: 0.2
  7 | * Author: Yubico
  8 | * Author URI: http://www.yubico.com
  9 | * License: GPLv2
 10 | */
 11 | 
 12 | require_once('vendor/autoload.php');
 13 | 
 14 | if(!function_exists('_log')){
 15 |   function _log($message ) {
 16 |     if(WP_DEBUG === true ){
 17 |       if(is_array($message ) || is_object($message ) ){
 18 |         error_log(print_r($message, true ) );
 19 |       } else {
 20 |         error_log($message );
 21 |       }
 22 |     }
 23 |   }
 24 | }
 25 | 
 26 | function init_u2f() {
 27 |   $options = get_option('u2f_settings');
 28 |   return new u2flib_server\U2F($options['appId']); //, $options['attestDir']);
 29 | }
 30 | 
 31 | $u2f = init_u2f();
 32 | 
 33 | /*
 34 |  * ADMIN MANAGEMENT
 35 |  */
 36 | 
 37 | function u2f_add_admin_menu() { 
 38 |   add_options_page('U2F', 'U2F', 'manage_options', 'u2f', 'u2f_options_page');
 39 | }
 40 | 
 41 | function sanitize_u2f_settings($settings) {
 42 |   return $settings;
 43 | }
 44 | 
 45 | function u2f_settings_init() { 
 46 |   register_setting('pluginPage', 'u2f_settings', 'sanitize_u2f_settings');
 47 | 
 48 |   add_settings_section(
 49 |     'u2f_pluginPage_section', 
 50 |     'U2F settings',
 51 |     'u2f_settings_section_callback', 
 52 |     'pluginPage'
 53 |   );
 54 | 
 55 |   add_settings_field(
 56 |     'appId', 
 57 |     'Application ID',
 58 |     'u2f_appId_render', 
 59 |     'pluginPage', 
 60 |     'u2f_pluginPage_section' 
 61 |   );
 62 | 
 63 |   /*
 64 |   add_settings_field(
 65 |     'attestDir', 
 66 |     'Attestation directory',
 67 |     'u2f_attestDir_render', 
 68 |     'pluginPage', 
 69 |     'u2f_pluginPage_section' 
 70 |   );
 71 |   */
 72 | }
 73 | 
 74 | 
 75 | function u2f_appId_render() { 
 76 |   $options = get_option('u2f_settings');
 77 | ?>
 78 |   <input type='text' name='u2f_settings[appId]' value='<?php echo $options['appId']; ?>' class="regular-text code">
 79 | <?php
 80 | }
 81 | 
 82 | 
 83 | function u2f_val_attestDir_render() { 
 84 |   $options = get_option('u2f_settings');
 85 | ?>
 86 |   <input type='text' name='u2f_settings[attestDir]' value='<?php echo $options['attestDir']; ?>' class="regular-text">
 87 |   <?php
 88 | }
 89 | 
 90 | 
 91 | function u2f_settings_section_callback() {
 92 |   // TODO: validate settings?
 93 | }
 94 | 
 95 | 
 96 | function u2f_options_page() { 
 97 |   ?>
 98 |   <div class="wrap">
 99 |   <h2>U2F Settings</h2>
100 |   <form action='options.php' method='post'>
101 |   
102 |   <?php
103 |   settings_fields('pluginPage');
104 |   do_settings_sections('pluginPage');
105 |   submit_button();
106 |   ?>
107 |   
108 |   </form>
109 |   </div>
110 |   <?php
111 | }
112 | 
113 | add_action('admin_menu', 'u2f_add_admin_menu');
114 | add_action('admin_init', 'u2f_settings_init');
115 | 
116 | /*
117 |  * USER MANAGEMENT
118 |  */
119 | 
120 | function u2f_get_registrations($user_id) {
121 |   $regs = get_user_option('u2f_user_registrations', $user_id);
122 |   return $regs ? $regs : [];
123 | }
124 | 
125 | function u2f_profile_fields($user) {
126 |   global $u2f;
127 |   $options = get_option('u2f_settings');
128 |   if(empty($options)) return;
129 | 
130 |   $devices = u2f_get_registrations($user->ID);
131 |   ?>
132 |   <h3>U2F Devices</h3>
133 |   <table class="form-table">
134 |     <tr>
135 |       <th>Registered Devices</th>
136 |       <td>
137 |         <table>
138 |         <tr><th>Device</th><th>Delete</th></tr>
139 |         <?php foreach($devices as $device): ?>
140 |         <tr>
141 |         <td>
142 |           <label for="u2f_unregister_<?php echo $device->keyHandle; ?>">
143 |             <?php
144 |             $registered = new DateTime();
145 |             $registered->setTimestamp($device->dateRegistered);
146 |             echo 'Registered: ' . $registered->format('Y-m-d');
147 |             ?>
148 |           </label>
149 |         </td>
150 |         <td>
151 |           <input type="checkbox" name="u2f_unregister[]" id="u2f_unregister_<?php echo $device->keyHandle; ?>" value="<?php echo $device->keyHandle; ?>">
152 |         </td>
153 |         </tr>
154 |         <?php endforeach; ?>
155 |         </table>
156 |         <br />
157 |         <input type="hidden" name="u2f_register_response" id="u2f_register_response" />
158 |         <a id="u2f_register" href="#" class="button">Register a new U2F Device</a>
159 |         <div id="u2f_touch_notice" style="display: none;">
160 |           Touch the flashing button on your U2F device now.
161 |         </div>
162 |       </td>
163 |     </tr>
164 |   </table>
165 |   <script src="chrome-extension://pfboblefjcgdjicmnffhdgionmgcdmne/u2f-api.js"></script>
166 |   <script>
167 |     jQuery(document).ready(function($) {
168 |       $('#u2f_register').click(function() {
169 |         $('#u2f_register').hide();
170 |         $('#u2f_touch_notice').addClass('updated').show();
171 |         $.post(ajaxurl, {
172 |           'action': 'u2f_register'
173 |         }, function(resp) {
174 |           resp = JSON.parse(resp);
175 |           var req = resp[0];
176 |           var auth = resp[1];
177 |           u2f.register([req], auth, function(data) {
178 |             $('#u2f_touch_notice').hide();
179 |             $('#u2f_register_response').val(JSON.stringify(data));
180 |             $('#submit').click();
181 |           });
182 |         });
183 |         return false;
184 |       });
185 |     });
186 |   </script>
187 |   <?php
188 | }
189 | 
190 | function u2f_profile_save($user_id) {
191 |   global $u2f;
192 |   if(!empty($_POST['u2f_register_response'])) {
193 |     $req = get_user_option('u2f_user_regData', $user_id);
194 |     if(empty($req)) {
195 |       return new WP_Error('u2f_registration_failed', "There was no outstanding registration request for user $user_id");
196 |     }
197 |     update_user_option($user_id, 'u2f_user_regData', '');
198 |     if($req->time < time() - 300) {
199 |       return new WP_Error('u2f_registration_failed', "The u2f registration request for $user_id expired before reply");
200 |     }
201 |     unset($req->time);
202 |     $registerResponse = $_POST['u2f_register_response'];
203 | 
204 |     $registration = $u2f->doRegister($req, json_decode(stripslashes($registerResponse)));
205 |     $now = new DateTime();
206 |     $registration->dateRegistered = $now->getTimeStamp();
207 | 
208 |     $regs = u2f_get_registrations($user_id);
209 |     array_push($regs, $registration);
210 |     update_user_option($user_id, 'u2f_user_registrations', $regs);
211 |   } else if(isset($_POST['u2f_unregister'])) {
212 |     $handles = $_POST['u2f_unregister'];
213 |     $regs = u2f_get_registrations($user_id);
214 | 
215 |     foreach($handles as $handle) {
216 |       foreach($regs as $key => $reg) {
217 |         if($reg->keyHandle == $handle) {
218 |           unset($regs[$key]);
219 |         }
220 |       }
221 |     }
222 |     update_user_option($user_id, 'u2f_user_registrations', $regs);
223 |   }
224 | }
225 | 
226 | function u2f_store_regData($user, $regData) {
227 |   $regData->time = time();
228 |   update_user_option($user->ID, 'u2f_user_regData', $regData);
229 | }
230 | 
231 | function ajax_u2f_register_begin() {
232 |   global $u2f;
233 |   $user = wp_get_current_user();
234 |   if(is_user_logged_in()) {
235 | 
236 |     try {
237 |       $regData = $u2f->getRegisterData(u2f_get_registrations($user->ID));
238 |     } catch( Exception $e ) {
239 |       $errors->add('u2f_error', "<strong>ERROR</strong>: There was an error obtaining U2F registration data: " . $data->errorMessage);
240 |     }
241 | 
242 |     u2f_store_regData($user, $regData[0]);
243 |     echo json_encode($regData);
244 |   }
245 |   die();
246 | }
247 | add_action('wp_ajax_u2f_register', 'ajax_u2f_register_begin');
248 | 
249 | function validate_u2f_register(&$errors, $update=null, &$user=null) {
250 |   if(isset($_POST['u2f_register_response'])) {
251 |     $data = json_decode(stripslashes($_POST['u2f_register_response']), true);
252 |     if(isset($data['errorCode'])) {
253 |       $errors->add('u2f_error', "<strong>ERROR</strong>: There was an error registering your U2F device (error code ".$data['errorCode'].").");
254 |     }
255 |   }   
256 | }
257 | add_action('user_profile_update_errors', 'validate_u2f_register');
258 | 
259 | add_action('profile_personal_options', 'u2f_profile_fields');
260 | add_action('personal_options_update', 'u2f_profile_save');
261 | 
262 | /*
263 |  * AUTHENTICATION
264 |  */
265 | 
266 | $u2f_transient = null;
267 | 
268 | function u2f_login($user) {
269 |   global $u2f;
270 |   $options = get_option('u2f_settings');
271 | 
272 |   if(empty($options['appId'])) return $user;
273 | 
274 |   if(wp_check_password($_POST['pwd'], $user->data->user_pass, $user->ID) && !isset($_POST['u2f'])) {
275 |     $registrations = u2f_get_registrations($user->ID);
276 |     if(!$registrations) {
277 |       return $user;
278 |     }
279 |     $authData = $u2f->getAuthenticateData($registrations);
280 |     //if(false) {
281 |     //  return new WP_Error('u2f_error_'.$authData['errorCode'], 'The U2F validation server is unreachable.');
282 |     //}
283 |     global $u2f_transient;
284 |     $u2f_transient = $authData;
285 | 
286 |     update_user_option($user->ID, 'u2f_user_reqData', $authData);
287 | 
288 |     if(has_devices($authData)) {
289 |       return new WP_Error('authentication_failed', 'Touch your U2F device now.');
290 |     }
291 |   } else if(isset($_POST['u2f'])) {
292 |     $authenticateResponse = json_decode(stripslashes($_POST['u2f']));
293 | 
294 |     if(property_exists($authenticateResponse, 'errorCode')) {
295 |       switch($authenticateResponse->errorCode) {
296 |         case 4:
297 |           return new WP_Error('u2f_error', 'Device ineligible. Try another device.');
298 |         case 5:
299 |           return new WP_Error('u2f_error', 'Authentication timed out. Please try again.');
300 |         default:
301 |           return new WP_Error('u2f_error', 'Client error.');
302 |       }
303 |     }
304 | 
305 |     //$properties = array('last-ip' => $_SERVER['REMOTE_ADDR']);
306 |     $authRequest = get_user_option('u2f_user_reqData', $user->ID);
307 | 
308 |     $u2f->doAuthenticate($authRequest, u2f_get_registrations($user->ID), $authenticateResponse);
309 |   }
310 | 
311 |   return $user;
312 | }
313 | 
314 | function has_devices($authData) {
315 |   return sizeof($authData > 0);
316 | }
317 | 
318 | function u2f_form() {
319 |   global $u2f_transient;
320 |   $options = get_option('u2f_settings');
321 | 
322 |   if(empty($options['appId'])) {
323 |     _log("No appId set!");
324 |     ?>
325 | <p>
326 | <strong>WARNING:</strong> The U2F plugin has not been configured, and is therefore disabled.
327 | </p>
328 |     <?php
329 |     return;
330 |   } else if(!empty($u2f_transient)) {
331 |     ?>
332 | <script src="chrome-extension://pfboblefjcgdjicmnffhdgionmgcdmne/u2f-api.js"></script>
333 | <script>
334 |   window.onload = function() {
335 |     if(window.u2f === undefined) {
336 |       document.getElementById("login_error").innerHTML = "U2F login requires the <a href='https://chrome.google.com/webstore/detail/fido-u2f-universal-2nd-fa/pfboblefjcgdjicmnffhdgionmgcdmne'>Google U2F Extension for Chrome</a>!";
337 |     }
338 |   };
339 | 
340 |   var u2f_data = <?php echo json_encode($u2f_transient); ?>;
341 |   var form = document.getElementById('loginform');
342 |   form.style.display = 'none';
343 | 
344 |   //Run this after the entire form has been drawn.
345 |   setTimeout(function() {
346 |     // Re-populate any form fields.
347 |     <?php foreach($_POST as $name => $value): ?>
348 |     var fields = document.getElementsByName("<?php echo $name; ?>");
349 |     if(fields.length == 1) {
350 |       fields[0].value = "<?php echo $value; ?>";
351 |     }
352 |     <?php endforeach; ?>
353 |   }, 0);
354 | 
355 |   console.log("u2f_data: " + JSON.stringify(u2f_data));
356 | 
357 |   u2f.sign(u2f_data, function(resp) {
358 |     var u2f_f = document.createElement('input');
359 |     u2f_f.name = 'u2f';
360 |     u2f_f.type = 'hidden';
361 |     u2f_f.value = JSON.stringify(resp);
362 |     form.appendChild(u2f_f);
363 |     form.submit();
364 |   });
365 | </script>
366 |     <?php
367 |   }
368 | }
369 | 
370 | add_action('login_form', 'u2f_form');
371 | add_filter('wp_authenticate_user', 'u2f_login');
372 | 
373 | ?>
374 | 


--------------------------------------------------------------------------------