<nav type="pills" justified="false">
  * [[:user_manuals|Back to Documentation]]
  * [[:radius:login_otp|OTP]]
</nav>

-----
====== OTP ======
===== Background =====
  * A One Time Password or OTP is a common method of user verification.
  * A user usually enters a **cell phone number** or an **email address**.
  * The system then sends a code via SMS to the cell phone number or via e-mail to the email address.
  * This code is used by the user to verify themselves to the system.
  * From February 2023, RADIUSdesk will provide support for OTP verification for Captive Portal (Hotspot) users.
  * We support the following ways to send the OTP:
        * SMS
        * Email
  * We support OTP with:
        * Permanent user registration
        * Click-To-Connet
  * The rest of this page deals with the configuration and technical details of the OTP functionality.

===== Activating the system for sending OTPs =====
  * For RADIUSdesk to be able to send an OTP, you must configure the system so that it can send the OTP by email or SMS.
  * RADIUSdesk offers you the option of making a system-wide configuration, but you can also define settings per cloud, which then take precedence over the system-wide settings.
  * The following screenshot shows the email configuration:
<panel type="primary">
{{:radius:login_pages:sendgrid_config.png?nolink|}}
</panel>
  * We support Sendgrid and normal SMTP as a means of transport for the email.
  * Once you have defined the configuration, click **Save**.
  * Once you have saved the configuration, you can test it by clicking on the **Test Email Settings** button.
  * You can also view the history of all emails that the system has sent with this particular configuration by clicking on the **Show Sent History** button.
  * In the following screenshot you can see the SMS configuration.

<panel type="primary">
{{:radius:login_pages:sms_config.png?nolink|}}
</panel>

  * Most SMS providers have an API that you can use to send SMS.
  * RADIUSdesk allows you to specify two SMS providers. Both can be active, but the system will only use the first active one it finds.
  * As with the email settings, you can also test the SMS settings after configuration.
  * You can also view the history of all SMS that the system has sent with this particular configuration by clicking the **Show Sent History** button.

<alert type="info">
  * These settings can also be set per cloud.
  * Go to **Other** -> **Clouds**.
  * Simply select the cloud for which you want to add more specific settings and edit them.
  * These settings will then take precedence. 
</alert>
===== OTP for user registration =====
<panel type="primary">
{{:radius:login_pages:user_registration.png?nolink|}}
</panel>

  * The screenshot above should be self-explanatory.
  * However, there is one important point that should be mentioned when using email for OTP.
  * We are in a bit of a chicken and egg situation as the person needs internet access to check their email and receive the OTP.
  * So we will provide them with temporary internet access for this action.
  * This is what the **Temp login user** is for.
  * We recommend that you create a separate user with a special profile for this purpose.
  * The profile should be
        * Time limited. e.g. Session-Timeout should be 360 seconds (5minutes)
        * The bandwidth should be limited.
  * So the user who registers can retrieve the OTP from their email, but not much beyond that in terms of internet connection.
  * The email with the OTP also contains a link that the user can click on to confirm the OTP to the system.
  * This makes it easy when the WebView with the Captive Portal login page is closed while the user is retrieving the OTP from their email.

===== OTP For Click To Connect =====
<panel type="primary">
{{:radius:login_pages:otp_click_to_connect.png?nolink|}}
</panel>

  * With OTP for Click To Connect, there is one of two options.
  * If you choose the email option for the OTP, you will need to provide the user with temporary internet access again, as with user registration above.
  * If you choose the SMS option (the user's cell phone number), you do not need to do anything as the OTP will be delivered as an SMS.
  * We have also included a link in the email again for the user to conveniently confirm the OTP by clicking on the link.  

===== Some Technical Items =====
==== Expiry of the OTP ====
  * The current expiry time for an OTP is two minutes.
  * This can be adjusted by editing the files **/var/www/html/cake4/rd_cake/src/Controller/RegisterUsersController.php** and **/var/www/html/cake4/rd_cake/src/Controller/DataCollectortsController.php** files.
  * Search for this line and adjust it accordingly.
<code php>
protected $valid_minutes = 2; //The time that an OTP will be valid (in minutes)
</code>
  * For the verification through the Email link we expire the OTP after** $valid_minutes times two**. (4minutes)

==== Disconnecting Temp Connection ====
  * The URL link in the email leads to a redirection to a special CoovaChilli URL that logs the user out (http://1.0.0.0).
  * For this to happen, the user must be connected to the captive portal so that this URL can log them out.

<code php>
if($otp == $q_r->value){
    $success = true;
    $this->{'PermanentUserOtps'}->patchEntity($q_r, ['status' => 'otp_confirmed']);
    $this->{'PermanentUserOtps'}->save($q_r);
    $user_id = $q_r->permanent_user_id;
    $q_pu = $this->{'PermanentUsers'}->find()->where(['PermanentUsers.id' =>$user_id])->first();
        if($q_pu){
		$this->{'PermanentUsers'}->patchEntity($q_pu, ['active' => 1]);
		$this->{'PermanentUsers'}->save($q_pu);
	} 								
	$this->response = $this->response->withHeader('Location', "http://1.0.0.0");      			
        return $this->response;
											
}else{

</code>

<alert type="warning">
We are still looking for a similar way to disconnect users on a Mikrotik based Hotspot.
</alert>