php-yubico
PHP class for Yubico authentication
Hey Guys, have a note at deprecated warnings. Rename the file to Auth_Yubico.php and change the Constructor to __construct. Line: 35 Methods with the same name as their class will...
These standards are becoming very prevalent in the PHP community. I wouldn't mind going through and refactoring if you guys don't have the time.
In parsePasswordOTP, if the user is using the DVORAK keyboard layout, you take care of fixing the OTP, but leave the rest of the values mangled. This means that if...
The client should transcode non-qwerty OTPs into qwerty-style before sending it to the server.
Make attribute private; remove $_url attribute (no longer used, $_url_list is used instead); add getter and setter for $_url_list; Yubico URLs set in constructor (instead of getNextURLpart)
The following changes should be made to Auth/Yubico.php to silence some warnings PHP gives with strict error reporting: $ch[$handle] = $handle; on line 331 should be $ch[(int)$handle] = $handle; and...
https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L331 and the httpsverify option. This option should be removed. There's never a time you could safely disable peer verification. Correct fix for validation/self-signed issues is to apply a cainfo/cabundle...
https://github.com/Yubico/php-yubico/blob/master/Yubico.php#L291 Another instance of predictable nonce. Not sure of implication (if any) given request is hmac'd under shared key. Should probably be openssl_random_pseudo_bytes anyway.