dashbitco / nimble_totp
A tiny Elixir library for time-based one time passwords (TOTP)
Is it possible to add a grace_period to the validate? function.
That would allow to specify how many :period before the current are still valid.
This avoids having the code roll-over as you are entering it.
totpex supports this, but I would love to use this library.
This spec for valid?/3 seems to be missing one argument
@spec valid?(binary(), [option() | validate_option()]) :: boolean()
nimble_totp/lib/nimble_totp.ex
Line 233 in e90f09e
Spaces in the querystring are encoded with a +. Google Authenticator interprets this as a literal +.
I checked out two examples, and they both use %20: https://github.com/mdp/rotp#generating-qr-codes-for-provisioning-mobile-apps and https://stefansundin.github.io/2fa-qr/
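The two encodings side by side, as an added example that is not part of the original report or of nimble_totp's code. `OtpauthUriDemo` and its function names are hypothetical, the issuer "Acme Corp" is a constructed value, and `URI.encode_query/2` with `:rfc3986` assumes Elixir 1.12 or later.

```elixir
# Added example; OtpauthUriDemo and its functions are hypothetical names,
# not part of nimble_totp.
defmodule OtpauthUriDemo do
  # Builds an otpauth URI. `encoding` is passed straight to URI.encode_query/2:
  #   :www_form -> spaces become "+"   (HTML form encoding)
  #   :rfc3986  -> spaces become "%20" (generic URI percent-encoding)
  def build(label, secret, issuer, encoding) do
    params = [secret: Base.encode32(secret, padding: false), issuer: issuer]
    "otpauth://totp/" <> URI.encode(label) <> "?" <> URI.encode_query(params, encoding)
  end

  # In both encodings a literal "+" in a value is written as "%2B", so a raw
  # "+" in the query can only be a form-encoded space.
  def form_encoded_space?(uri) do
    case String.split(uri, "?", parts: 2) do
      [_path, query] -> String.contains?(query, "+")
      [_no_query] -> false
    end
  end
end

# Secret taken from the iex session further down this page; the issuer
# "Acme Corp" is a constructed value containing a space.
secret = <<29, 17, 124, 1, 126, 10, 200, 252, 122, 12>>

for encoding <- [:www_form, :rfc3986] do
  uri = OtpauthUriDemo.build("Acme Corp:alice", secret, "Acme Corp", encoding)
  IO.puts("#{encoding}: #{uri} (form-encoded space: #{OtpauthUriDemo.form_encoded_space?(uri)})")
end
```

A check like `form_encoded_space?/1` fits in a unit test around whatever generates provisioning URIs, so an issuer or account name containing a space is caught before a QR code is rendered.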
I'm generating OTP for sms validation (not for 2FA apps) and storing the secret in our DB as binary (without encoding), and I've set the OTP valid period to 300 (5 mins).
But sometimes when I'm trying to call NimbleTOTP.valid?(secret, otp, time: time, period: 300) it throws false even when I try to validate within a minute.
This is how I generate code
secret = NimbleTOTP.secret(20)
time = System.os_time(:second)
otp_code = NimbleTOTP.verification_code(secret, time: time, period: 300)
It does not reproduce every time, happens randomly like 2 out of 10.
OS: Mac 12.3.1
Erlang: OTP 24
Elixir: 1.13.4
Hi! First of all, thanks for this library, very clean and little!
I am getting a weird behaviour on my tests, not always but is random. The problem is validating an otp with the secret.
If I execute a test like this it fails frequently:
test "probably will fail" do
  for _ <- 0..10000 do
    secret = Base.encode64(NimbleTOTP.secret())
    otp = NimbleTOTP.verification_code(secret)
    Process.sleep 5
    assert NimbleTOTP.valid?(secret, otp)
  end
end
thanks!
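How a code's validity is tied to its time step rather than to the moment it was issued, which bears on the grace-period request and the two intermittent-failure reports above. This is an added example, not code from the posts or from nimble_totp: `TotpStepDemo` is a hypothetical stand-alone RFC 6238 implementation on `:crypto.mac/4`, and the seed and timestamps are the RFC 6238 Appendix B test values.

```elixir
# Added example; TotpStepDemo is a hypothetical module, not NimbleTOTP's API.
defmodule TotpStepDemo do
  import Bitwise

  # RFC 6238 code (HMAC-SHA1, 6 digits). It depends only on the step
  # counter div(time, period), not on when inside the step it was issued.
  def code(secret, time, period) do
    step = div(time, period)
    mac = :crypto.mac(:hmac, :sha, secret, <<step::unsigned-big-integer-size(64)>>)
    # Dynamic truncation, RFC 4226 section 5.3.
    offset = :binary.last(mac) &&& 0x0F
    <<_::binary-size(offset), bits::unsigned-big-integer-size(32), _::binary>> = mac

    (bits &&& 0x7FFFFFFF)
    |> rem(1_000_000)
    |> Integer.to_string()
    |> String.pad_leading(6, "0")
  end

  # Strict check: only the step that contains `now` is accepted.
  # Plain == keeps the demo short; production code should compare in constant time.
  def valid?(secret, otp, now, period), do: code(secret, now, period) == otp

  # Grace check: also accept the `grace` steps before the current one.
  def valid_with_grace?(secret, otp, now, period, grace) do
    Enum.any?(0..grace, fn n -> valid?(secret, otp, now - n * period, period) end)
  end

  # Share of issue times for which a strict check `delay` seconds later
  # falls into the next step.
  def rollover_share(period, delay) do
    Enum.count(0..(period - 1), fn t -> div(t + delay, period) != 0 end) / period
  end
end

# RFC 6238 Appendix B seed and timestamps: 1111111109 is the last second of a
# 30 s step, 1111111111 is in the next one.
secret = "12345678901234567890"
otp = TotpStepDemo.code(secret, 1_111_111_109, 30)

IO.inspect(TotpStepDemo.valid?(secret, otp, 1_111_111_111, 30), label: "strict, 2 s later")
IO.inspect(TotpStepDemo.valid_with_grace?(secret, otp, 1_111_111_111, 30, 1), label: "grace of 1 step")
IO.inspect(TotpStepDemo.rollover_share(300, 60), label: "period 300, check after 60 s")
IO.inspect(TotpStepDemo.rollover_share(30, 1), label: "period 30, check after 1 s")
```

Each accepted grace step widens the window in which an intercepted code can be replayed, so keep `grace` as small as the delivery channel allows.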
Hi,
Thank you for this implementation of TOTP.
It seems that the resulting code differs from those we can have with Google authenticator and other libraries (I tested a node implementation). As an example, I took the website https://totp.danhersam.com/, the result providing the secret as
iex(10)> secret = "JBSWY3DPEHPK3PXP"
"JBSWY3DPEHPK3PXP"
iex(11)> NimbleTOTP.verification_code(secret)
...
does not give the same result.
Any clues?
Hello, I am still new to Elixir and Phoenix. I want to use nimble to generate and send it to user while registering
defp generate_otp(user) do
  secret = NimbleTOTP.secret()
  otp_code = NimbleTOTP.verification_code(secret)
  case Auth.create_opt(%{"user_id" => user.id, "otp_code" => otp_code}) do
    {:ok, _created_opt} ->
      IO.puts("OTP generated and saved successfully #{otp_code}")
    {:error, reason} ->
      IO.puts("Error generating OTP: #{reason}")
  end
end
then call to store it in the database
def create_opt(attrs) do
  Otp.changeset(%Otp{}, attrs)
  |> Repo.insert()
end
then I want to verify as follows
case Auth.get_user_recent_otp(user.id) do
  nil ->
    {:noreply,
     socket
     |> put_flash(:error, "Something went wrong")}
  otp_data when otp_data.otp_status ->
    {:noreply,
     socket
     |> put_flash(:error, "OTP already used or invalid")}
  otp_data ->
    IO.inspect(otp_data)
    IO.inspect(otp_code)
    if NimbleTOTP.valid?(otp_data, otp_code) do
      Accounts.update_phone_confirmed(user)
      {
        :noreply,
        socket
        |> assign(user_id: user.id)
        |> put_flash(:info, "successfully verified phone number")
        |> push_navigate(to: ~p"/register/account-manager?user_id=#{user.id}")
      }
    else
      {:noreply,
       socket
       |> put_flash(:error, "Invalid OTP")}
    end
end
However, in the docs I see that NimbleTOTP.valid? checks with the secret and not the code sent
How will I convert the string code from my db back to binary which matches the
Kindly assist
Hi I have an issue
Erlang/OTP 25 [erts-13.2.2.3] [source] [64-bit] [smp:3:3] [ds:3:3:10] [async-threads:1] [jit:ns]
Interactive Elixir (1.15.6) - press Ctrl+C to exit (type h() ENTER for help)
iex(noname@83970d7a61ec)2> secret = NimbleTOTP.secret()
<<29, 17, 124, 1, 126, 10, 200, 252, 122, 12>>
iex(noname@83970d7a61ec)3> NimbleTOTP.otpauth_uri("Acme:alice", secret, issuer: "Acme")
"otpauth://totp/Acme:alice?secret=DUIXYAL6BLEPY6QM&issuer=Acme"
iex(noname@83970d7a61ec)4> NimbleTOTP.verification_code(secret)
** (UndefinedFunctionError) function :crypto.hmac/3 is undefined or private, use crypto:mac/4 instead
(crypto 5.1.4.1) :crypto.hmac(:sha, <<29, 17, 124, 1, 126, 10, 200, 252, 122, 12>>, <<0, 0, 0, 0, 3, 96, 14, 114>>)
(nimble_totp 0.1.0) lib/nimble_totp.ex:139: NimbleTOTP.verification_code/2
iex:4: (file)
iex(noname@83970d7a61ec)4> NimbleTOTP.valid?(secret, "569777")
** (UndefinedFunctionError) function :crypto.hmac/3 is undefined or private, use crypto:mac/4 instead
(crypto 5.1.4.1) :crypto.hmac(:sha, <<29, 17, 124, 1, 126, 10, 200, 252, 122, 12>>, <<0, 0, 0, 0, 3, 96, 14, 116>>)
(nimble_totp 0.1.0) lib/nimble_totp.ex:139: NimbleTOTP.verification_code/2
(nimble_totp 0.1.0) lib/nimble_totp.ex:166: NimbleTOTP.valid?/3
iex:4: (file)
iex(noname@83970d7a61ec)5> :crypto.mac(:hmac, :sha, secret, "data")
<<11, 65, 97, 113, 34, 252, 189, 42, 253, 233, 225, 2, 247, 176, 138, 212, 207,
227, 185, 99>>
iex(spill@83970d7a61ec)6> :crypto.hmac(:sha, key, "data")
** (CompileError) cannot compile code (errors have been logged)
iex(noname@83970d7a61ec)6> function_exported?(:crypto, :mac, 4)
true
iex(noname@83970d7a61ec)7> Code.ensure_loaded?(:crypto)
true
nimble_totp/lib/nimble_totp.ex
Line 186 in b50480d
Code.ensure_loaded?(:crypto) and function_exported?(:crypto, :mac, 4) are true so it should never use :crypto.hmac/3 but somehow it happens.
{:nimble_totp, "~> 0.1"},
Hi, thanks for the great library!
I'm reviewing the source code for this and it looks like it's using a default of 10 bytes (80bits) for the shared secret. The RFC for HOTP says a minimum of 128bits but recommends to use 160bits. Should this library propagate the recommendation from the RFC and set a default of 20 bytes?
Curious on your thoughts. Thanks.
It looks like we still get the deprecation warnings for the usage of ^^^ instead of bxor, but this has been fixed in master. Is there any way we can get a patch release that includes those changes?