[Include] TFA_SAMP - 1st two-factor authentication method for SA-MP.
#1

TFA_SAMP - 1st two-factor authentication method for SA-MP.
A huge thanks to Authy (https://www.authy.com/) for providing the web APIs.
Include released under the GPL v2 OSL (open source license) - click here for more information.
Part of the include is written in PHP.


Hello everyone.

Recently I was thinking of a new include to release, and I thought about a two-factor authentication method for SA-MP, something that has never existed before. This include does not directly provide the authentication method; it is just a way to communicate with the service that provides it, which in this case is Authy.

Authy also provides free plans for development or fairly small communities.
Visit https://www.authy.com/ for more information.

If you don't know what a two-factor authentication method is, read this page.

However, here's a short description.
Quote:

Multi-factor authentication (also MFA, Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.

This include allows you to communicate via API requests with Authy's servers and to use your cellphone as the second factor, which is the possession factor. For it to be two-factor, thus increasing the account's security, you must ask for the password and for the token sent via SMS or obtained from the phone application.

So, what is Authy? Authy is what gives us the API to communicate with the server, to send the SMS, and to verify the token obtained from your phone.

If you are worried about security, the API requests in production mode are sent over HTTPS, and none of the information is saved in any TFA_SAMP database; it is stored only in Authy's databases, which are completely safe and secure.

Available Functions
  • TFASAMP::prepareConnection(host[], password[], api_key[], type[] = "production", bool:tfa_debug = false)
  • TFASAMP::createUser(playerid, email[], cellphone[], area_code[] = "1")
  • TFASAMP::verifyToken(playerid, user_id, token[], bool:force = true)
  • TFASAMP::setPlayerUserID(playerid, userid)
  • TFASAMP::getPlayerUserID(playerid)
Available Callbacks
  • TFASAMP::OnTokenVerify(playerid, result)
Documentation

You may find the updated function documentation here.

Bug Reporting

Please use GitHub's issues to report bugs by clicking here.

Contributions

Please use GitHub's pull requests to contribute by clicking here.

Example

You may find an example of the include here.

Requirements

You need to install this or the include will not work.
You also need y_hooks and y_stringhash from the YSI library.

For any other question, feedback or anything else feel free to answer this thread, and don't forget to contribute on GitHub, if you'd like to!

Cheers.
#2

Updated, fixed some bugs and improved the example in the files.
#3

Looking great, I might try it.
#4

Modified the commands structure.

https://github.com/GiampaoloFalqui/T...463d89d74f2f03
#5

Good job. Worth to give a try.
#6

This is a very good include developed for servers. Additionally, these keys should be assigned to staff accounts and not just typical players, as their own safety is at risk.
#7

Quote:
Originally Posted by Akira297
This is a very good include developed for servers. Additionally, these keys should be assigned to staff accounts and not just typical players for they are at risk on their own safety.
Of course. I just provided the include, then you are free to do whatever you want with it!
#8

Released v0.2.2.
  • Added :: syntactic sugar.
  • Added TFASAMP::getPlayerUserID(playerid).
  • Added TFASAMP::setPlayerUserID(playerid).
  • Added versioning check.
  • Internal changes.
#9

Quote:
Originally Posted by ******
Why are you using a polling timer to process the reply instead of a callback?
I honestly did not think of it - working it out right now for the v0.2.3.

Quote:
Originally Posted by ******
Does the authy system handle knowledge as well as possession?
No, only possession; therefore you must already have an account system implemented in the server.

Quote:
Originally Posted by ******
OH PLEASE NO! - have you ever heard of input sanitization?
Fixed it in v0.2.3.

Quote:
Originally Posted by ******
Why are you using "PREFIX::functionName" syntax instead of the almost universally applied "Prefix_FunctionName" scheme? That's just introducing complexity in the form of inconsistency for no apparent reason. As is using all upper-case letters for variables.
I think of it as neat syntactic sugar - it looks better in my opinion. As for the variables, there isn't really a reason for it.

Quote:
Originally Posted by ******
The "type" default should, IMHO, be "production" not "development", that way if people forget to set it correctly they don't get an unsafe default and will have issues alerting them to the problem.
Fixed it in v0.2.3.
#10

Quote:
Originally Posted by ******
That wasn't the only one - the PHP code is full of holes all over, I just happened to choose that one to point out.
Everything should be fine right now, v0.2.3 released.
#11

htmlspecialchars() will not provide you any extra "security".
Also you have made a syntax error (https://github.com/GiampaoloFalqui/T...xecute.php#L21).
#12

Therefore what do you suggest?
#13

Quote:
Originally Posted by ******
Nope, not in any way. You don't check if any of the inputs are strings, or if they contain valid paths only you want. I also find it amusing that using your two factor authentication system is protected by only a password.
I can't think of another system, maybe an IP whitelist (?) - after all, if you don't know the API key, which only the owner should possess, you won't be able to call any API.

Also, I was wondering whether using POST to send the requests instead of GET would be more secure.

I am working on a way to sanitize the commands anyway.
#14

0.2.4 - attempt to improve command security.
#15

Quote:
Originally Posted by ******
Why not just do something like:

PHP Code:
switch ($_GET['command'])
{
    case 'create':
        // handle the "create" command here
        break;
    default:
        // unknown command: reject the request
        break;
}
Etc? Instead of going to all that effort just to validate the input?
This way when I need to add new commands I won't need to modify the execute.php file, they're read automatically from the directory. In this way people could also create themselves new commands more easily (sort of). I don't think the speed/performance difference is really big.
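The three threads of discussion in #9, #13 and #15 (sanitizing the inputs, authenticating the game server to the PHP bridge and choosing POST over GET, and allow-listing the command rather than resolving it from a directory) can be shown together in one request handler. The block below is an added example and not code from TFA_SAMP or its author; the function name handle_bridge_request, the constant names, the POST field names, the 6-8 digit token shape and the injected $authy callable (standing in for the real HTTPS calls to Authy's API) are all assumptions made for the example.

```php
<?php
// Added example, not TFA_SAMP code: a hardened request handler for the PHP
// bridge between the game server and Authy. All names here are assumed.
declare(strict_types=1);

const ALLOWED_COMMANDS = ['create', 'verify'];
const ALLOWED_TYPES    = ['production', 'development'];

/**
 * Validate one bridge request and return [httpStatus, payload].
 * $authy is an injected callable (command, params, type) => array so the
 * dispatcher can run offline; in deployment it would wrap the HTTPS calls.
 */
function handle_bridge_request(array $server, array $post, string $secret, callable $authy): array
{
    // 1. POST only: a shared secret or token in a GET query string ends up in
    //    access logs, proxy logs and referrers.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, ['error' => 'POST required']];
    }

    // 2. Authenticate the game server before doing anything else. hash_equals()
    //    compares in constant time, so response timing does not leak the secret.
    $given = $post['password'] ?? null;
    if (!is_string($given) || !hash_equals($secret, $given)) {
        return [403, ['error' => 'bad credentials']];
    }

    // 3. Allow-list the command instead of using it to build a file path:
    //    include("commands/$cmd.php") would let traversal input such as
    //    "../../etc/passwd" choose which file gets executed.
    $cmd = $post['command'] ?? null;
    if (!is_string($cmd) || !in_array($cmd, ALLOWED_COMMANDS, true)) {
        return [400, ['error' => 'unknown command']];
    }

    // 4. Safe default: production unless "development" is requested explicitly.
    $type = $post['type'] ?? 'production';
    if (!is_string($type) || !in_array($type, ALLOWED_TYPES, true)) {
        return [400, ['error' => 'unknown type']];
    }

    // 5. Per-command validation of type and shape; never forward raw strings.
    //    The token length is an assumption; match it to the provider's tokens.
    $params = [];
    if ($cmd === 'create') {
        $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
        $phone = $post['cellphone'] ?? '';
        $area  = $post['area_code'] ?? '1';
        if ($email === false
            || !is_string($phone) || !preg_match('/^[0-9]{4,15}$/', $phone)
            || !is_string($area)  || !preg_match('/^[0-9]{1,4}$/', $area)) {
            return [400, ['error' => 'invalid user data']];
        }
        $params = ['email' => $email, 'cellphone' => $phone, 'area_code' => $area];
    } else { // 'verify'
        $userId = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT);
        $token  = $post['token'] ?? '';
        if ($userId === false || !is_string($token) || !preg_match('/^[0-9]{6,8}$/', $token)) {
            return [400, ['error' => 'invalid token data']];
        }
        $params = ['user_id' => $userId, 'token' => $token];
    }

    return [200, $authy($cmd, $params, $type)];
}

// Constructed, offline demo: a fake Authy backend and a few sample requests.
$fakeAuthy = fn(string $cmd, array $p, string $type): array =>
    ['success' => true, 'command' => $cmd, 'type' => $type] + $p;
$secret = 'constructed-demo-secret';

$samples = [
    'GET with correct secret'   => [['REQUEST_METHOD' => 'GET'],  ['password' => $secret, 'command' => 'verify']],
    'wrong secret'              => [['REQUEST_METHOD' => 'POST'], ['password' => 'guess', 'command' => 'verify']],
    'traversal in command'      => [['REQUEST_METHOD' => 'POST'], ['password' => $secret, 'command' => '../../etc/passwd']],
    'verify, token not numeric' => [['REQUEST_METHOD' => 'POST'], ['password' => $secret, 'command' => 'verify', 'user_id' => '42', 'token' => "1234567'; DROP"]],
    'verify, well-formed'       => [['REQUEST_METHOD' => 'POST'], ['password' => $secret, 'command' => 'verify', 'user_id' => '42', 'token' => '1234567']],
];
foreach ($samples as $label => [$srv, $post]) {
    [$status, $body] = handle_bridge_request($srv, $post, $secret, $fakeAuthy);
    printf("%-26s -> %d %s\n", $label, $status, json_encode($body));
}
```

The order of the checks is deliberate: the request is refused before any parameter is parsed unless it is a POST carrying the correct shared secret, so unauthenticated callers learn nothing about which commands or parameters exist. Adding a command means adding one entry to ALLOWED_COMMANDS and one validation branch; that is the trade-off against reading commands from a directory, but it is the only part of the script that a remote caller can influence, so keeping it explicit is worth the edit.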
#16

Very nice work
#17

Good system !
#18

v1.0.0-alpha has been introduced however it's not ready for production.

Please keep using v0.2.4 for production environments.

For more information: https://github.com/GiampaoloFalqui/TFA_SAMP/releases
#19

v1.0.0-alpha.2 has been released.

https://github.com/GiampaoloFalqui/T...v1.0.0-alpha.2
#20

Good to know

