<?php

/**
 * A class for generating the codes compatible with the Google Authenticator and similar TOTP
 * clients.
 *
 * NOTE: A lot of the logic from this class has been borrowed from this class:
 * https://www.idontplaydarts.com/wp-content/uploads/2011/07/ga.php_.txt
 *
 * @author Chris Cornutt <ccornutt@phpdeveloper.org>
 * @package GAuth
 * @license MIT
 *
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines https://www.simplemachines.org
 * @copyright 2022 Simple Machines and individual contributors
 * @license https://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.1.0
 */

namespace TOTP;

/**
 * Class Auth
 *
 * @package TOTP
 */
class Auth
{
	/**
	 * @var array Internal lookup table
	 */
	private $lookup = array();

	/**
	 * @var string Initialization key
	 */
	private $initKey = null;

	/**
	 * @var integer Seconds between key refreshes
	 */
	private $refreshSeconds = 30;

	/**
	 * @var integer The length of codes to generate
	 */
	private $codeLength = 6;

	/**
	 * @var integer Range plus/minus for "window of opportunity" on allowed codes
	 */
	private $range = 2;

	/**
	 * Initialize the object and set up the lookup table
	 *     Optionally the Initialization key
	 *
	 * @param string $initKey Initialization key
	 */
	public function __construct($initKey = null)
	{
		$this->buildLookup();

		if ($initKey !== null)
		{
			$this->setInitKey($initKey);
		}
	}

	/**
	 * Build the base32 lookup table
	 */
	public function buildLookup()
	{
		$lookup = array_combine(
			array_merge(range('A', 'Z'), range(2, 7)),
			range(0, 31)
		);
		$this->setLookup($lookup);
	}

	/**
	 * Get the current "range" value
	 *
	 * @return integer Range value
	 */
	public function getRange()
	{
		return $this->range;
	}

	/**
	 * Set the "range" value
	 *
	 * @param integer $range Range value
	 * @return \TOTP\Auth instance
	 */
	public function setRange($range)
	{
		if (!is_numeric($range))
		{
			throw new \InvalidArgumentException('Invalid window range');
		}
		$this->range = $range;
		return $this;
	}

	/**
	 * Set the initialization key for the object
	 *
	 * @param string $key Initialization key
	 * @throws \InvalidArgumentException If hash is not valid base32
	 * @return \TOTP\Auth instance
	 */
	public function setInitKey($key)
	{
		if (preg_match('/^[' . implode('', array_keys($this->getLookup())) . ']+$/', $key) == false)
		{
			throw new \InvalidArgumentException('Invalid base32 hash!');
		}
		$this->initKey = $key;
		return $this;
	}

	/**
	 * Get the current Initialization key
	 *
	 * @return string Initialization key
	 */
	public function getInitKey()
	{
		return $this->initKey;
	}

	/**
	 * Set the contents of the internal lookup table
	 *
	 * @param array $lookup Lookup data set
	 * @throws \InvalidArgumentException If lookup given is not an array
	 * @return \TOTP\Auth instance
	 */
	public function setLookup($lookup)
	{
		if (!is_array($lookup))
		{
			throw new \InvalidArgumentException('Lookup value must be an array');
		}
		$this->lookup = $lookup;
		return $this;
	}

	/**
	 * Get the current lookup data set
	 *
	 * @return array Lookup data
	 */
	public function getLookup()
	{
		return $this->lookup;
	}

	/**
	 * Get the number of seconds for code refresh currently set
	 *
	 * @return integer Refresh in seconds
	 */
	public function getRefresh()
	{
		return $this->refreshSeconds;
	}

	/**
	 * Set the number of seconds to refresh codes
	 *
	 * @param integer $seconds Seconds to refresh
	 * @throws \InvalidArgumentException If seconds value is not numeric
	 * @return \TOTP\Auth instance
	 */
	public function setRefresh($seconds)
	{
		if (!is_numeric($seconds))
		{
			throw new \InvalidArgumentException('Seconds must be numeric');
		}
		$this->refreshSeconds = $seconds;
		return $this;
	}

	/**
	 * Get the current length for generated codes
	 *
	 * @return integer Code length
	 */
	public function getCodeLength()
	{
		return $this->codeLength;
	}

	/**
	 * Set the length of the generated codes
	 *
	 * @param integer $length Code length
	 * @return \TOTP\Auth instance
	 */
	public function setCodeLength($length)
	{
		$this->codeLength = $length;
		return $this;
	}

	/**
	 * Validate the given code
	 *
	 * @param string $code Code entered by user
	 * @param string $initKey Initialization key
	 * @param string $timestamp Timestamp for calculation
	 * @param integer $range Seconds before/after to validate hash against
	 * @throws \InvalidArgumentException If incorrect code length
	 * @return boolean Pass/fail of validation
	 */
	public function validateCode($code, $initKey = null, $timestamp = null, $range = null)
	{
		if (strlen($code) !== $this->getCodeLength())
		{
			throw new \InvalidArgumentException('Incorrect code length');
		}

		$range = ($range == null) ? $this->getRange() : $range;
		$timestamp = ($timestamp == null) ? $this->generateTimestamp() : $timestamp;
		$initKey = ($initKey == null) ? $this->getInitKey() : $initKey;

		$binary = $this->base32_decode($initKey);

		for ($time = ($timestamp - $range); $time <= ($timestamp + $range); $time++)
		{
			if ($this->generateOneTime($binary, $time) == $code)
			{
				return true;
			}
		}
		return false;
	}

	/**
	 * Generate a one-time code
	 *
	 * @param string $initKey Initialization key [optional]
	 * @param string $timestamp Timestamp for calculation [optional]
	 * @return string Generated code/hash
	 */
	public function generateOneTime($initKey = null, $timestamp = null)
	{
		$initKey = ($initKey == null) ? $this->getInitKey() : $initKey;
		$timestamp = ($timestamp == null) ? $this->generateTimestamp() : $timestamp;

		$hash = hash_hmac(
			'sha1',
			pack('N*', 0) . pack('N*', $timestamp),
			$initKey,
			true
		);

		return str_pad($this->truncateHash($hash), $this->getCodeLength(), '0', STR_PAD_LEFT);
	}

	/**
	 * Generate a code/hash
	 *     Useful for making Initialization codes
	 *
	 * @param integer $length Length for the generated code
	 * @return string Generated code
	 */
	public function generateCode($length = 16)
	{
		global $smcFunc;

		$lookup = implode('', array_keys($this->getLookup()));
		$code = '';

		for ($i = 0; $i < $length; $i++)
		{
			$code .= $lookup[$smcFunc['random_int'](0, strlen($lookup) - 1)];
		}

		return $code;
	}

	/**
	 * Generate the timestamp for the calculation
	 *
	 * @return integer Timestamp
	 */
	public function generateTimestamp()
	{
		return floor(microtime(true) / $this->getRefresh());
	}

	/**
	 * Truncate the given hash down to just what we need
	 *
	 * @param string $hash Hash to truncate
	 * @return string Truncated hash value
	 */
	public function truncateHash($hash)
	{
		$offset = ord($hash[19]) & 0xf;

		return (
			((ord($hash[$offset + 0]) & 0x7f) << 24) |
			((ord($hash[$offset + 1]) & 0xff) << 16) |
			((ord($hash[$offset + 2]) & 0xff) << 8) |
			(ord($hash[$offset + 3]) & 0xff)
		) % pow(10, $this->getCodeLength());
	}

	/**
	 * Base32 decoding function
	 *
	 * @param string $hash The base32-encoded hash
	 * @throws \InvalidArgumentException When hash is not valid
	 * @return string Binary value of hash
	 */
	public function base32_decode($hash)
	{
		$lookup = $this->getLookup();

		if (preg_match('/^[' . implode('', array_keys($lookup)) . ']+$/', $hash) == false)
		{
			throw new \InvalidArgumentException('Invalid base32 hash!');
		}

		$hash = strtoupper($hash);
		$buffer = 0;
		$length = 0;
		$binary = '';

		for ($i = 0; $i < strlen($hash); $i++)
		{
			$buffer = $buffer << 5;
			$buffer += $lookup[$hash[$i]];
			$length += 5;

			if ($length >= 8)
			{
				$length -= 8;
				$binary .= chr(($buffer & (0xFF << $length)) >> $length);
			}
		}

		return $binary;
	}

	/**
	 * Returns a URL to QR code for embedding the QR code
	 *
	 * @param string $name The name
	 * @param string $code The generated code
	 * @return string The URL to the QR code
	 */
	public function getQrCodeUrl($name, $code)
	{
		$url = 'otpauth://totp/' . urlencode($name) . '?secret=' . $code;
		return $url;
	}
}

?>