[GH-ISSUE #86] External Service for QR-Code that includes the secret code #504

Closed
opened 2026-03-14 11:59:27 +03:00 by kerem · 3 comments

Originally created by @apreiml on GitHub (Oct 11, 2017).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/86

Hello,

regarding `QRCode::getQRCodeGoogleUrl`. I don't think it is a good idea to use an external service for showing the QR code containing the secret key. Shouldn't this secret key be only in the hands of the one to be authenticated? If you use this method, an external service also gets this secret information.

A major security flaw imho.

Kind Regards

kerem closed this issue 2026-03-14 11:59:33 +03:00
@tankerkiller125 commented on GitHub (Jan 31, 2018):

There is an option for people who don't want to send it to Google. Simply put, though, some servers people use are very ill-equipped to generate and show QR codes (generally cheap shared hosting), and because of this they need the option to have Google or another provider generate the code for them.

@antonioribeiro commented on GitHub (Mar 7, 2018):

@apreiml, people should know it's better to inline their QR code themselves via bacon-qr-code or anything else, but you are right: not informing them about this is a security issue, so I just changed the way it works. The user (developer) now has to authorize it by calling

```php
$google2fa->setAllowInsecureCallToGoogleApis(true);
```

Before

```php
$google2fa->getQRCodeGoogleUrl(
    'YourCompany',
    $user->email,
    $user->google2fa_secret
);
```

Otherwise it will throw an exception with the following message:

```
It's not secure to send secret keys to Google Apis, you have to explicitly allow it by calling $google2fa->setAllowInsecureCallToGoogleApis(true).
```

Tagged v3.0.0, since this is a huge breaking change.

Thanks for reporting it.
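The pattern described in this comment, local rendering by default and the external service only after an explicit opt-in, as an added example that is not google2fa's own code: it assumes the bacon-qr-code composer package is installed, and `TotpEnrollment`, `setAllowExternalQrService` and the `$service` parameter are hypothetical names chosen for the illustration.

```php
<?php
// Added illustration, not google2fa's own code. Assumes the composer package
// bacon/bacon-qr-code (v2) is installed; TotpEnrollment is a hypothetical class.

require __DIR__ . '/vendor/autoload.php';

use BaconQrCode\Renderer\Image\SvgImageBackEnd;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

final class TotpEnrollment
{
    private bool $allowExternalQrService = false;

    public function setAllowExternalQrService(bool $allow): void
    {
        $this->allowExternalQrService = $allow;
    }

    // otpauth URI consumed by authenticator apps; the base32 secret lives inside it.
    public function otpauthUri(string $issuer, string $account, string $secret): string
    {
        return sprintf('otpauth://totp/%s:%s?secret=%s&issuer=%s',
            rawurlencode($issuer), rawurlencode($account),
            rawurlencode($secret), rawurlencode($issuer));
    }

    // Safe path: render the QR image on our own server, so the URI (and
    // the secret inside it) is only ever sent to the enrolling user.
    public function inlineQrSvg(string $issuer, string $account, string $secret): string
    {
        $renderer = new ImageRenderer(new RendererStyle(300), new SvgImageBackEnd());
        return (new Writer($renderer))->writeString($this->otpauthUri($issuer, $account, $secret));
    }

    // Risky path: a third-party image service receives the whole URI as a
    // query parameter, i.e. the secret. Refused unless explicitly opted in.
    public function externalQrUrl(string $issuer, string $account, string $secret, string $service): string
    {
        if (!$this->allowExternalQrService) {
            throw new RuntimeException('Refusing to send a TOTP secret to an external QR service without explicit opt-in.');
        }
        return $service . '?data=' . rawurlencode($this->otpauthUri($issuer, $account, $secret)); // parameter name is service-specific
    }
}
$enrol = new TotpEnrollment();
header('Content-Type: image/svg+xml');
echo $enrol->inlineQrSvg('YourCompany', 'user@example.com', 'JBSWY3DPEHPK3PXP'); // constructed sample secret
```

With the opt-in left at its default, `externalQrUrl()` throws, which mirrors the v3.0.0 behaviour described above; the secret only leaves the server inside the SVG served to the enrolling user.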

@vdomah commented on GitHub (May 15, 2019):

Hi!
Why can't I find the methods `getQRCodeGoogleUrl` and `setAllowInsecureCallToGoogleApis` in the sources? I'm getting errors about the absence of these methods, and I indeed can't find them in this package.
Thanks in advance!
