From 904ecc31e2ad743d5c0779d5be2d0c7cbc3865e8 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Fri, 1 Nov 2019 10:32:58 +0300
Subject: [PATCH] allow using OTP without GD

---
 classes/pref/prefs.php | 62 ++++++++++++++++++++++++++++--------------
 1 file changed, 41 insertions(+), 21 deletions(-)

diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index 2862a84b2..1cf751b62 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -439,17 +439,28 @@ class Pref_Prefs extends Handler_Protected {
 
 					print "</form>";
 
-				} else if (function_exists("imagecreatefromstring")) {
+				} else {
 
 					print_warning("You will need a compatible Authenticator to use this. Changing your password would automatically disable OTP.");
-					print_notice("Scan the following code by the Authenticator application:");
 
-					$csrf_token = $_SESSION["csrf_token"];
+					print_notice("Scan the following code by the Authenticator application or use OTP key (below).");
 
-					print "<img alt='otp qr-code' src='backend.php?op=pref-prefs&method=otpqrcode&csrf_token=$csrf_token'>";
+					if (function_exists("imagecreatefromstring")) {
+						$csrf_token = $_SESSION["csrf_token"];
+						print "<img alt='otp qr-code' src='backend.php?op=pref-prefs&method=otpqrcode&csrf_token=$csrf_token'>";
+					} else {
+						print_error("PHP GD functions are required to generate QR codes.");
+					}
 
 					print "<form dojoType='dijit.form.Form' id='changeOtpForm'>";
 
+					$otp_secret = $this->otpsecret();
+
+					print "<fieldset>";
+					print "<label>".__("OTP Key:")."</label>";
+					print "<input dojoType='dijit.form.ValidationTextBox' disabled='disabled' value='$otp_secret' size='32'>";
+					print "</fieldset>";
+
 					print_hidden("op", "pref-prefs");
 					print_hidden("method", "otpenable");
 
@@ -490,8 +501,6 @@ class Pref_Prefs extends Handler_Protected {
 
 					print "</form>";
 
-				} else {
-					print_notice("PHP GD functions are required for OTP support.");
 				}
 			}
 
@@ -922,27 +931,42 @@ class Pref_Prefs extends Handler_Protected {
 		$_SESSION["prefs_show_advanced"] = !$_SESSION["prefs_show_advanced"];
 	}
 
+	function otpsecret() {
+		$sth = $this->pdo->prepare("SELECT salt, otp_enabled
+			FROM ttrss_users
+			WHERE id = ?");
+		$sth->execute([$_SESSION['uid']]);
+
+		if ($row = $sth->fetch()) {
+			$otp_enabled = sql_bool_to_bool($row["otp_enabled"]);
+
+			if (!$otp_enabled) {
+				$base32 = new \OTPHP\Base32();
+				$secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
+
+				return $secret;
+			}
+		}
+
+		return false;
+	}
+
 	function otpqrcode() {
 		require_once "lib/phpqrcode/phpqrcode.php";
 
-		$sth = $this->pdo->prepare("SELECT login,salt,otp_enabled
+		$sth = $this->pdo->prepare("SELECT login
 			FROM ttrss_users
 			WHERE id = ?");
 		$sth->execute([$_SESSION['uid']]);
 
 		if ($row = $sth->fetch()) {
 
-			$base32 = new \OTPHP\Base32();
-
-			$login = $row["login"];
-			$otp_enabled = sql_bool_to_bool($row["otp_enabled"]);
-
-			if (!$otp_enabled) {
-				$secret = $base32->encode(sha1($row["salt"]));
+			$secret = $this->otpsecret();
+			$login = $row['login'];
 
+			if ($secret) {
 				QRcode::png("otpauth://totp/".urlencode($login).
 					"?secret=$secret&issuer=".urlencode("Tiny Tiny RSS"));
-
 			}
 		}
 	}
@@ -956,16 +980,12 @@ class Pref_Prefs extends Handler_Protected {
 
 		if ($authenticator->check_password($_SESSION["uid"], $password)) {
 
-			$sth = $this->pdo->prepare("SELECT salt
-				FROM ttrss_users
-				WHERE id = ?");
-			$sth->execute([$_SESSION['uid']]);
+			$secret = $this->otpsecret();
 
-			if ($row = $sth->fetch()) {
+			if ($secret) {
 
 				$base32 = new \OTPHP\Base32();
 
-				$secret = $base32->encode(sha1($row["salt"]));
 				$topt = new \OTPHP\TOTP($secret);
 
 				$otp_check = $topt->now();