From c9bd429208c9eb66e44dc6f3e0cf6a6a21c67050 Mon Sep 17 00:00:00 2001
From: Antonio Carlos Ribeiro
Date: Mon, 23 Sep 2019 15:25:03 -0300
Subject: [PATCH] Throw exception if algorithm is not valid
---
 src/Exceptions/Contracts/InvalidAlgorithm.php | 7 ++++
 src/Exceptions/InvalidAlgorithmException.php | 12 +++++++
 src/Google2FA.php | 36 ++++++++++++-------
 src/Support/Base32.php | 2 +-
 tests/Google2FATest.php | 21 +++++++----
 5 files changed, 58 insertions(+), 20 deletions(-)
 create mode 100644 src/Exceptions/Contracts/InvalidAlgorithm.php
 create mode 100644 src/Exceptions/InvalidAlgorithmException.php
diff --git a/src/Exceptions/Contracts/InvalidAlgorithm.php b/src/Exceptions/Contracts/InvalidAlgorithm.php
new file mode 100644
index 0000000..63d08f8
--- /dev/null
+++ b/src/Exceptions/Contracts/InvalidAlgorithm.php
@@ -0,0 +1,7 @@
+getAlgorithm(),
@@ -181,6 +182,20 @@ public function getTimestamp()
 return (int) floor(microtime(true) / $this->keyRegeneration);
 }
+ /**
+ * Get a list of valid HMAC algorithms.
+ *
+ * @return array
+ */
+ protected function getValidAlgorithms()
+ {
+ return [
+ Constants::SHA1,
+ Constants::SHA256,
+ Constants::SHA512,
+ ];
+ }
+
 /**
 * Get the OTP window.
 *
@@ -308,23 +323,18 @@ public function setEnforceGoogleAuthenticatorCompatibility(
 * Set the HMAC hashing algorithm.
 *
 * @param mixed $algorithm
+ * @return \PragmaRX\Google2FA\Google2FA
 */
 public function setAlgorithm($algorithm)
 {
- $validAlgorithms = [
- Constants::SHA1,
- Constants::SHA256,
- Constants::SHA512,
- ];
-
 // Default to SHA1 HMAC algorithm
- if (! in_array($algorithm, $validAlgorithms)) {
- $this->algorithm = Constants::SHA1;
-
- return;
+ if (! in_array($algorithm, $this->getValidAlgorithms())) {
+ throw new InvalidAlgorithmException();
 }
 $this->algorithm = $algorithm;
+
+ return $this;
 }
 /**
diff --git a/src/Support/Base32.php b/src/Support/Base32.php
index ce5cbb6..475712d 100644
--- a/src/Support/Base32.php
+++ b/src/Support/Base32.php
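Review bot: The validity check in the setAlgorithm hunk still calls `in_array` without the strict flag, so on PHP versions with loose string/number comparison a non-string `$algorithm` (the docblock allows `mixed`) can pass the check and be stored as the HMAC algorithm; pass the third argument: `if (! in_array($algorithm, $this->getValidAlgorithms(), true)) {`. The unchanged context line `// Default to SHA1 HMAC algorithm` now describes behaviour the method no longer has and should become something like `// Reject anything that is not a supported HMAC algorithm`. The docblock should also gain `@throws InvalidAlgorithmException`, since callers that relied on the old silent fallback to SHA1 will now get an exception. `new InvalidAlgorithmException()` is constructed without a message, so unless the exception class (not legible in this patch) supplies one, the error callers see will be empty; consider passing the rejected value in the message.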
@@ -72,7 +72,7 @@ public function base32Decode($b32)
 * @param $b32
 * @return bool
 */
- protected function isCharCountNotAPowerOfTwo($b32): bool
+ protected function isCharCountNotAPowerOfTwo($b32)
 {
 return (strlen($b32) & (strlen($b32) - 1)) !== 0;
 }
diff --git a/tests/Google2FATest.php b/tests/Google2FATest.php
index 5c472e4..eebe657 100644
--- a/tests/Google2FATest.php
+++ b/tests/Google2FATest.php
@@ -303,6 +304,7 @@ public function testVerifiesSha256Keys()
 26213400
 )
 ); // 26213398
+
 $this->assertTrue(
 $this->google2fa->verifyKey(
 Constants::SECRET,
@@ -311,6 +312,7 @@ public function testVerifiesSha256Keys()
 26213400
 )
 ); // 26213399
+
 $this->assertTrue(
 $this->google2fa->verifyKey(
 Constants::SECRET,
@@ -319,6 +321,7 @@ public function testVerifiesSha256Keys()
 26213400
 )
 ); // 26213400
+
 $this->assertTrue(
 $this->google2fa->verifyKey(
 Constants::SECRET,
@@ -327,6 +330,7 @@ public function testVerifiesSha256Keys()
 26213400
 )
 ); // 26213401
+
 $this->assertTrue(
 $this->google2fa->verifyKey(
 Constants::SECRET,
@@ -344,6 +348,7 @@ public function testVerifiesSha256Keys()
 26213400
 )
 ); // 26213403
+
 $this->assertFalse(
 $this->google2fa->verifyKey(
 Constants::SECRET,
@@ -691,12 +696,6 @@ public function testSetsTheSecret()
 public function testGetsAlgorithm()
 {
- $this->google2fa->setAlgorithm('md5');
-
- $this->assertNotEquals('md5', $this->google2fa->getAlgorithm());
- $this->assertEquals('sha1', $this->google2fa->getAlgorithm());
- $this->assertEquals(Google2FAConstants::SHA1, $this->google2fa->getAlgorithm());
-
 $this->google2fa->setAlgorithm('sha1');
 $this->assertEquals('sha1', $this->google2fa->getAlgorithm());
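Review bot: Dropping the `: bool` return type from isCharCountNotAPowerOfTwo in the Base32 hunk is a typing regression unrelated to the algorithm change this commit is about, and nothing in the patch says why it was removed. If the motivation is compatibility with a PHP version that lacks scalar return types, the commit message or a one-line comment such as `// No return type: kept compatible with PHP versions without scalar return declarations` should record that; otherwise the declaration should stay, since the docblock already promises `@return bool` and the body only ever returns the result of `!==`.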
@@ -713,6 +712,16 @@ public function testGetsAlgorithm()
 $this->assertEquals(Google2FAConstants::SHA512, $this->google2fa->getAlgorithm());
 }
+ public function testSetWrongAlgorithm()
+ {
+ $this->expectException(\PragmaRX\Google2FA\Exceptions\InvalidAlgorithmException::class);
+
+ $this->google2fa->setAlgorithm('md5');
+
+ $this->assertEquals('sha1', $this->google2fa->getAlgorithm());
+ $this->assertEquals(Google2FAConstants::SHA1, $this->google2fa->getAlgorithm());
+ }
+
 public function testGetsKeyRegeneration()
 {
 $this->google2fa->setKeyRegeneration(11);
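Review bot: In testSetWrongAlgorithm the two `assertEquals` calls after `setAlgorithm('md5')` never run, because `expectException` ends the test the moment the exception propagates out of `setAlgorithm`; the property they are meant to verify (a rejected value leaves the algorithm at its SHA1 default) is therefore not tested. Either delete those two lines or catch the exception explicitly and assert afterwards, as below. The second form also checks that the previously configured algorithm is not clobbered before the throw, which is what a caller falling back to the old silent-default behaviour would care about.
```php
public function testSetWrongAlgorithm()
{
    try {
        $this->google2fa->setAlgorithm('md5');
        $this->fail('setAlgorithm() should reject an unsupported algorithm');
    } catch (\PragmaRX\Google2FA\Exceptions\InvalidAlgorithmException $e) {
        // expected: unsupported algorithm must not be accepted
    }

    $this->assertEquals('sha1', $this->google2fa->getAlgorithm());
    $this->assertEquals(Google2FAConstants::SHA1, $this->google2fa->getAlgorithm());
}
```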