====== OTP ====== ===== Background ===== * A One Time Password or OTP is a common method used for user verification. * A user will typically provide a **mobile number** or **email address**. * The system will then send a code to the mobile number using SMS or to the email address using an email. * This code will be used by the user to validate itself to the system. * As for February 2023 RADIUSdesk includes support for OTP verification for Captive Portal (Hotspot) users. * We support the following ways to send the OTP: * SMS * Email * We support OTP with: * Permanent User Registration * Click-To-Connet * The rest of this page will discuss the configuration and technical detail of the OTP functionality. ===== Enable System To Send OTPs ===== * In order for RADIUSdesk to send an OTP you have to configure the system to be able to send the OTP using email or SMS. * RADIUSdesk allows for you to configure a system wide configuration but it also allows you to define per cloud settings which will take preference over the system wide settings. * See the following screenshot for the email configuration: {{:radiusdesk:login_pages:sendgrid_config.png?nolink|}} * We support Sendgrid and normal SMTP as a transport for the email. * After you specified the config press **Save**. * After you saved the configuration you can test it by clicking the **Test Email Settings** button. * You can also view the history of all the emails that the system sent out using this particular configuration by clicking the **Show Sent History** button. * See the following screenshot for the SMS configuration. {{:radiusdesk:login_pages:sms_config.png?nolink|}} * Most SMS providers has an API that you use to send SMSs. * RADIUSdesk allows you to specify two SMS Providers. Both can be active however the system will only use the first active one it finds. * As with the email settings you are also able to test the SMS Settings after configuration. * You can also view the history of all the SMSs that the system sent out using that particular configuration by clicking the **Show Sent History** button. * These settings can also be specified per Cloud. * Go to **Other** -> **Clouds**. * Simply select the cloud for which you want to add more specific settings and edit it. * These settings will take preference. ===== OTP For User Registration ===== {{:radiusdesk:login_pages:user_registration.png?nolink|}} * The above screenshot should be mostly self explanatory. * There is however one important point that should be mentioned on using Email for OTP. * We sit with a bit of a chicken and egg situation since the person will need Internet access to get to their email to retrieve the OTP. * We will thus provide them temporary Internet access for this action. * This is what the **Temp login user** is for. * You are advised to create a dedicated user with a special profile for this purpose. * The profile should be * Time limited. e.g. Session-Timeout should be 360 seconds (5minutes) * The bandwidth should be limited. * This will allow for the user that registers to retrieve the OTP from their email but not much beyond that in terms of Internet connection. * The email with the OTP will also contain a link which the user can click to confirm the OTP to the system. * This makes is easy if the WebView with the Captive Portal Login Page closed while the user retrieved the OTP from their email. ===== OTP For Click To Connect ===== {{:radiusdesk:login_pages:otp_click_to_connect.png?nolink|}} * With OTP for Click To Connect there are one of two options. * If you select the email option for the OTP, again you have to provide temporary Internet access to the user as with User Registration above. * If you select SMS option (the user's mobile number) you don't need to provide anything since the OTP will be delivered as an SMS. * We also again added a link in the email for the user to conveniently confirm the OTP by clicking on the link. ===== Some Technical Items ===== ==== Expiry of the OTP ==== * The current expiry time for an OTP is two minutes. * This can be adjusted by editing **/var/www/html/cake4/rd_cake/src/Controller/RegisterUsersController.php** and **/var/www/html/cake4/rd_cake/src/Controller/DataCollectortsController.php** files. * Look for this line and adjust acordingly. protected $valid_minutes = 2; //The time that an OTP will be valid (in minutes) * For the verification through the Email link we expire the OTP after** $valid_minutes times two**. (4minutes) ==== Disconnecting Temp Connection ==== * The URL link in the email will cause a redirect to a special CoovaChilli URL that will log the user out (http://1.0.0.0). * For this to happen the user should be connected to the Captive Portal so that this URL can log them out. if($otp == $q_r->value){ $success = true; $this->{'PermanentUserOtps'}->patchEntity($q_r, ['status' => 'otp_confirmed']); $this->{'PermanentUserOtps'}->save($q_r); $user_id = $q_r->permanent_user_id; $q_pu = $this->{'PermanentUsers'}->find()->where(['PermanentUsers.id' =>$user_id])->first(); if($q_pu){ $this->{'PermanentUsers'}->patchEntity($q_pu, ['active' => 1]); $this->{'PermanentUsers'}->save($q_pu); } $this->response = $this->response->withHeader('Location', "http://1.0.0.0"); return $this->response; }else{ We are still looking for a similar way to disconnect users on a Mikrotik based Hotspot.