Merge branch 'one-time-password'

lkrms · lkrms · commit 0ef44233537c · 2025-11-15T01:27:36.000+11:00
diff --git a/src/Toolkit/Contract/HasHmacHashAlgorithm.php b/src/Toolkit/Contract/HasHmacHashAlgorithm.php
@@ -0,0 +1,13 @@
+<?php declare(strict_types=1);
+
+namespace Salient\Contract;
+
+/**
+ * @api
+ */
+interface HasHmacHashAlgorithm
+{
+    public const ALGORITHM_SHA1 = 'sha1';
+    public const ALGORITHM_SHA256 = 'sha256';
+    public const ALGORITHM_SHA512 = 'sha512';
+}
diff --git a/src/Toolkit/Contract/Http/OneTimePasswordGeneratorInterface.php b/src/Toolkit/Contract/Http/OneTimePasswordGeneratorInterface.php
@@ -0,0 +1,14 @@
+<?php declare(strict_types=1);
+
+namespace Salient\Contract\Http;
+
+/**
+ * @api
+ */
+interface OneTimePasswordGeneratorInterface
+{
+    /**
+     * @param string $key Base32-encoded shared key.
+     */
+    public function getPassword(string $key): string;
+}
diff --git a/src/Toolkit/Http/HttpUtil.php b/src/Toolkit/Http/HttpUtil.php
@@ -13,8 +13,10 @@
 use Salient\Contract\Http\HasHttpHeader;
 use Salient\Contract\Http\HasMediaType;
 use Salient\Contract\Http\HasRequestMethod;
+use Salient\Contract\HasHmacHashAlgorithm;
 use Salient\Http\Exception\InvalidHeaderException;
 use Salient\Http\Internal\FormDataEncoder;
+use Salient\Http\Internal\TOTPGenerator;
 use Salient\Utility\AbstractUtility;
 use Salient\Utility\Date;
 use Salient\Utility\Package;
@@ -31,6 +33,7 @@
  */
 final class HttpUtil extends AbstractUtility implements
     HasFormDataFlag,
+    HasHmacHashAlgorithm,
     HasHttpHeader,
     HasHttpRegex,
     HasMediaType,
@@ -432,4 +435,20 @@ public static function getNameValuePairs(iterable $items): iterable
             yield $item['name'] => $item['value'];
         }
     }
+
+    /**
+     * Get a time-based one-time password as per [RFC6238]
+     *
+     * @param string $key Base32-encoded shared key.
+     * @param HttpUtil::ALGORITHM_* $algorithm
+     */
+    public static function getTOTP(
+        string $key,
+        int $digits = 6,
+        string $algorithm = HttpUtil::ALGORITHM_SHA1,
+        int $timeStep = 30,
+        int $startTime = 0
+    ): string {
+        return (new TOTPGenerator($digits, $algorithm, $timeStep, $startTime))->getPassword($key);
+    }
 }
diff --git a/src/Toolkit/Http/Internal/TOTPGenerator.php b/src/Toolkit/Http/Internal/TOTPGenerator.php
@@ -0,0 +1,68 @@
+<?php
+
+namespace Salient\Http\Internal;
+
+use Salient\Contract\Http\OneTimePasswordGeneratorInterface;
+use Salient\Contract\HasHmacHashAlgorithm;
+use Salient\Utility\Str;
+
+/**
+ * An [RFC6238] time-based one-time password generator
+ *
+ * @internal
+ */
+final class TOTPGenerator implements
+    OneTimePasswordGeneratorInterface,
+    HasHmacHashAlgorithm
+{
+    private int $Digits;
+    /** @var self::ALGORITHM_* */
+    private string $Algorithm;
+    private int $TimeStep;
+    private int $StartTime;
+
+    /**
+     * @param TOTPGenerator::ALGORITHM_* $algorithm
+     */
+    public function __construct(
+        int $digits = 6,
+        string $algorithm = TOTPGenerator::ALGORITHM_SHA1,
+        int $timeStep = 30,
+        int $startTime = 0
+    ) {
+        $this->Digits = $digits;
+        $this->Algorithm = $algorithm;
+        $this->TimeStep = $timeStep;
+        $this->StartTime = $startTime;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function getPassword(string $key): string
+    {
+        // Get time steps between T0 and now as per [RFC6238] Section 4.2
+        $X = $this->TimeStep;
+        $T0 = $this->StartTime;
+        $T = (int) floor((time() - $T0) / $X);
+
+        /** @var string */
+        $T = hex2bin(sprintf('%016s', dechex($T)));
+        $K = Str::decodeBase32($key, true);
+
+        $hash = hash_hmac($this->Algorithm, $T, $K, true);
+
+        // Use dynamic truncation as per [RFC4226] Section 5.3
+        $offset = ord($hash[-1]) & 0xF;
+
+        $binaryCode = ((ord($hash[$offset]) & 0x7F) << 24)
+            | ((ord($hash[$offset + 1]) & 0xFF) << 16)
+            | ((ord($hash[$offset + 2]) & 0xFF) << 8)
+            | (ord($hash[$offset + 3]) & 0xFF);
+
+        return sprintf(
+            '%0' . $this->Digits . 's',
+            substr((string) $binaryCode, -$this->Digits),
+        );
+    }
+}
diff --git a/src/Toolkit/Utility/Str.php b/src/Toolkit/Utility/Str.php
@@ -39,6 +39,8 @@ final class Str extends AbstractUtility
      */
     public const DEFAULT_ITEM_REGEX = '/^(?<indent>\h*[-*] )/';
 
+    private const BASE32_INDEX = ['A' => 0, 'B' => 1, 'C' => 2, 'D' => 3, 'E' => 4, 'F' => 5, 'G' => 6, 'H' => 7, 'I' => 8, 'J' => 9, 'K' => 10, 'L' => 11, 'M' => 12, 'N' => 13, 'O' => 14, 'P' => 15, 'Q' => 16, 'R' => 17, 'S' => 18, 'T' => 19, 'U' => 20, 'V' => 21, 'W' => 22, 'X' => 23, 'Y' => 24, 'Z' => 25, '2' => 26, '3' => 27, '4' => 28, '5' => 29, '6' => 30, '7' => 31];
+
     /**
      * Get the first string that is not null or empty, or return the last value
      *
@@ -492,6 +494,60 @@ public static function expandLeadingTabs(
         return $expanded;
     }
 
+    /**
+     * Decode data encoded with base32
+     *
+     * @param bool $strict If `true`, throw an exception if any characters in
+     * `$string` are not in the \[RFC4648] "base32" alphabet after removing
+     * padding characters ('=') and converting ASCII letters to uppercase:
+     *
+     * ```
+     * ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
+     * ```
+     *
+     * Otherwise, discard invalid characters.
+     */
+    public static function decodeBase32(string $string, bool $strict = false): string
+    {
+        $string = self::upper(rtrim($string, '='));
+
+        // Handle different `str_split('')` behaviour between PHP 8.2+ and
+        // earlier versions
+        if ($string === '') {
+            return '';
+        }
+
+        $bytes = '';
+        $currentByte = 0;
+        $currentBits = 0;
+        foreach (str_split($string) as $character) {
+            $value = self::BASE32_INDEX[$character] ?? null;
+            if ($value === null) {
+                if ($strict) {
+                    throw new InvalidArgumentException(
+                        sprintf('Character not in base32 alphabet: %s', $character),
+                    );
+                }
+                continue;
+            }
+            // `$value` won't complete a byte without 3 or more existing bits
+            if ($currentBits < 3) {
+                $currentByte <<= 5;
+                $currentByte += $value;
+                $currentBits += 5;
+            } else {
+                $useBits = 8 - $currentBits;
+                $carryBits = 5 - $useBits;
+                $currentByte <<= $useBits;
+                $currentByte += $value >> $carryBits;
+                $bytes .= chr($currentByte);
+                $currentByte = $value & ((1 << $carryBits) - 1);
+                $currentBits = $carryBits;
+            }
+        }
+        return $bytes;
+    }
+
     /**
      * Copy a string to a php://temp stream
      *
diff --git a/tests/unit/Toolkit/Http/HttpUtilTest.php b/tests/unit/Toolkit/Http/HttpUtilTest.php
@@ -423,4 +423,58 @@ public static function replaceQueryProvider(): array
             ],
         ];
     }
+
+    /**
+     * @dataProvider getTOTPProvider
+     *
+     * @param HttpUtil::ALGORITHM_* $algorithm
+     */
+    public function testGetTOTP(
+        string $expected,
+        string $key,
+        int $digits = 6,
+        string $algorithm = HttpUtil::ALGORITHM_SHA1,
+        int $timeStep = 30,
+        int $secondsSinceStartTime = 0
+    ): void {
+        $startTime = time() - $secondsSinceStartTime;
+        $this->assertSame(
+            $expected,
+            HttpUtil::getTOTP($key, $digits, $algorithm, $timeStep, $startTime),
+        );
+    }
+
+    /**
+     * @return array<array{string,string,2?:int,3?:HttpUtil::ALGORITHM_*,4?:int,5?:int}>
+     */
+    public static function getTOTPProvider(): array
+    {
+        // 12345678901234567890 (20 bytes)
+        $key1 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
+        // 12345678901234567890123456789012 (32 bytes)
+        $key256 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA====';
+        // 1234567890123456789012345678901234567890123456789012345678901234 (64 bytes)
+        $key512 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNA=';
+
+        return [
+            ['94287082', $key1, 8, HttpUtil::ALGORITHM_SHA1, 30, 59],
+            ['46119246', $key256, 8, HttpUtil::ALGORITHM_SHA256, 30, 59],
+            ['90693936', $key512, 8, HttpUtil::ALGORITHM_SHA512, 30, 59],
+            ['07081804', $key1, 8, HttpUtil::ALGORITHM_SHA1, 30, 1111111109],
+            ['68084774', $key256, 8, HttpUtil::ALGORITHM_SHA256, 30, 1111111109],
+            ['25091201', $key512, 8, HttpUtil::ALGORITHM_SHA512, 30, 1111111109],
+            ['14050471', $key1, 8, HttpUtil::ALGORITHM_SHA1, 30, 1111111111],
+            ['67062674', $key256, 8, HttpUtil::ALGORITHM_SHA256, 30, 1111111111],
+            ['99943326', $key512, 8, HttpUtil::ALGORITHM_SHA512, 30, 1111111111],
+            ['89005924', $key1, 8, HttpUtil::ALGORITHM_SHA1, 30, 1234567890],
+            ['91819424', $key256, 8, HttpUtil::ALGORITHM_SHA256, 30, 1234567890],
+            ['93441116', $key512, 8, HttpUtil::ALGORITHM_SHA512, 30, 1234567890],
+            ['69279037', $key1, 8, HttpUtil::ALGORITHM_SHA1, 30, 2000000000],
+            ['90698825', $key256, 8, HttpUtil::ALGORITHM_SHA256, 30, 2000000000],
+            ['38618901', $key512, 8, HttpUtil::ALGORITHM_SHA512, 30, 2000000000],
+            ['65353130', $key1, 8, HttpUtil::ALGORITHM_SHA1, 30, 20000000000],
+            ['77737706', $key256, 8, HttpUtil::ALGORITHM_SHA256, 30, 20000000000],
+            ['47863826', $key512, 8, HttpUtil::ALGORITHM_SHA512, 30, 20000000000],
+        ];
+    }
 }
diff --git a/tests/unit/Toolkit/Utility/StrTest.php b/tests/unit/Toolkit/Utility/StrTest.php
@@ -875,6 +875,42 @@ public static function expandLeadingTabsProvider(): array
         ];
     }
 
+    /**
+     * @dataProvider decodeBase32provider
+     */
+    public function testDecodeBase32(?string $expected, string $string, bool $strict = false): void
+    {
+        if ($expected === null) {
+            $this->expectException(InvalidArgumentException::class);
+        }
+        $this->assertSame($expected, Str::decodeBase32($string, $strict));
+    }
+
+    /**
+     * @return array<array{string|null,string,2?:bool}>
+     */
+    public function decodeBase32provider(): array
+    {
+        return [
+            ['', ''],
+            ['f', 'MY======'],
+            ['fo', 'MZXQ===='],
+            ['foo', 'MZXW6==='],
+            ['foob', 'mzxw6yq='],
+            ['fooba', 'mzxw6ytb'],
+            ['foobar', 'mzxw6ytBOI======'],
+            ['foobar', 'MZXW6YTBOI01===='],
+            ['', '', true],
+            ['f', 'my======', true],
+            ['fo', 'mzxq====', true],
+            ['foo', 'mzxw6===', true],
+            ['foob', 'MZXW6YQ=', true],
+            ['fooba', 'MZXW6YTB', true],
+            ['foobar', 'MZXW6YTboi======', true],
+            [null, 'mzxw6ytboi01====', true],
+        ];
+    }
+
     /**
      * @dataProvider splitDelimitedProvider
      *
