
nimble_totp's People

Contributors

adz, hermanverschooten, jared-mackey, jbraungardt, jeroenvisser101, jnsaff, josevalim, kianmeng, maltoe, minton, msaraiva, sanderhahn, whatyouhide, wojtekmach


nimble_totp's Issues

Grace period for valid?

Is it possible to add a grace_period to the validate? function?
That would allow specifying how many :period before the current one are still valid.
This avoids having the code roll over as you are entering it.

totpex supports this, but I would love to use this library.

Incorrect validation with valid

Context

I'm generating an OTP for SMS validation (not for 2FA apps) and storing the secret in our DB as binary (without encoding), and I've set the OTP valid period to 300 (5 mins).
But sometimes when I'm trying to call NimbleTOTP.valid?(secret, otp, time: time, period: 300) it throws false even when I try to validate within a minute.

This is how I generate the code:

    secret = NimbleTOTP.secret(20)
    time = System.os_time(:second)
    otp_code = NimbleTOTP.verification_code(secret, time: time, period: 300)

It does not reproduce every time; it happens randomly, like 2 out of 10.

My tests fail randomly

OS: Mac 12.3.1
Erlang: OTP 24
Elixir: 1.13.4

Hi! First of all, thanks for this library, very clean and little!

I am getting weird behaviour in my tests, not always, but it is random. The problem is validating an OTP with the secret.

If I execute a test like this it fails frequently:

  test "probably will fail" do
    for _ <- 0..10000 do
      secret = Base.encode64(NimbleTOTP.secret())
      otp = NimbleTOTP.verification_code(secret)
      Process.sleep 5
      assert NimbleTOTP.valid?(secret, otp)
    end
  end

thanks!

Looks like the resulting code does not match google authenticator result

Hi,

Thank you for this implementation of TOTP.

It seems that the resulting code differs from those we get with Google Authenticator and other libraries (I tested a Node implementation). As an example, I took the website https://totp.danhersam.com/; the result when providing the secret as

iex(10)> secret = "JBSWY3DPEHPK3PXP"         
"JBSWY3DPEHPK3PXP"
iex(11)> NimbleTOTP.verification_code(secret)
...

does not give the same result.

Any clues?
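
The time-step rollover described in the grace-period request, which also applies to the looped test above, together with the Base32 secret handling relevant to the Google Authenticator report, as an added example that is not part of the issues or of NimbleTOTP's code. It assumes a hypothetical `TotpDemo` module that implements RFC 6238 directly on `:crypto.mac/4`; the `grace` argument is illustrative and is not a NimbleTOTP option.

```elixir
# Added example: RFC 6238 TOTP (HMAC-SHA1, 6 digits) built on :crypto.mac/4.
# TotpDemo and its functions are hypothetical names, not NimbleTOTP's API.
defmodule TotpDemo do
  # The code depends only on the step counter div(time, period), so it changes
  # at each multiple of `period`, not `period` seconds after it was issued.
  def code(key, time, period \\ 30) do
    hmac = :crypto.mac(:hmac, :sha, key, <<div(time, period)::unsigned-big-64>>)
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes;
    # the top bit of those 4 bytes is dropped.
    offset = Bitwise.band(:binary.last(hmac), 0x0F)
    <<_::binary-size(offset), _::1, value::31, _::binary>> = hmac
    value |> rem(1_000_000) |> Integer.to_string() |> String.pad_leading(6, "0")
  end

  # Accept the current step plus up to `grace` earlier steps. Each extra step
  # widens the window in which a captured code can be replayed.
  def valid?(key, otp, time, period \\ 30, grace \\ 0) do
    Enum.any?(0..grace, fn back -> code(key, time - back * period, period) == otp end)
  end
end

# Constructed input: the RFC 4226 Appendix D test key, with a period of 300.
key = "12345678901234567890"
issued = TotpDemo.code(key, 299, 300)
IO.inspect(issued, label: "issued at t=299 (last second of step 0)")
IO.inspect(TotpDemo.valid?(key, issued, 299, 300), label: "checked at t=299")
IO.inspect(TotpDemo.valid?(key, issued, 301, 300), label: "checked at t=301, grace 0")
IO.inspect(TotpDemo.valid?(key, issued, 301, 300, 1), label: "checked at t=301, grace 1")

# The secret in the last report is Base32 text. Authenticator apps key the HMAC
# with the decoded bytes; using the text itself as the key is a different key.
b32 = "JBSWY3DPEHPK3PXP"
now = System.os_time(:second)
IO.inspect(TotpDemo.code(Base.decode32!(b32), now), label: "Base32-decoded key")
IO.inspect(TotpDemo.code(b32, now), label: "Base32 text used as key")
```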

Not issue: Help using, I am Using Nimble to send Code store the string value and validate with user entered code

Hello, I am still new to Elixir and Phoenix. I want to use Nimble to generate and send it to the user while registering

  defp generate_otp(user) do
    secret = NimbleTOTP.secret()
    otp_code = NimbleTOTP.verification_code(secret)

    case Auth.create_opt(%{"user_id" => user.id, "otp_code" => otp_code}) do
      {:ok, _created_opt} ->
        IO.puts("OTP generated and saved successfully #{otp_code}")

      {:error, reason} ->
        IO.puts("Error generating OTP: #{reason}")
    end
  end

then call to store it in the database

  def create_opt(attrs) do
    Otp.changeset(%Otp{}, attrs)
    |> Repo.insert()
  end

then I want to verify as follows

  case Auth.get_user_recent_otp(user.id) do
      nil ->
        {:noreply,
         socket
         |> put_flash(:error, "Something went wrong")}

      otp_data when otp_data.otp_status ->
        {:noreply,
         socket
         |> put_flash(:error, "OTP already used or invalid")}

      otp_data ->
        IO.inspect(otp_data)
        IO.inspect(otp_code)

        if NimbleTOTP.valid?(otp_data, otp_code) do
          Accounts.update_phone_confirmed(user)

          {
            :noreply,
            socket
            |> assign(user_id: user.id)
            |> put_flash(:info, "successfully verified phone number")
            |> push_navigate(to: ~p"/register/account-manager?user_id=#{user.id}")
          }
        else
          {:noreply,
           socket
           |> put_flash(:error, "Invalid OTP")}
        end
    end

However, in the docs I see that NimbleTOTP.valid? checks with the secret and not the code sent

How will I convert the string code from my DB back to binary which matches the

Kindly assist

(UndefinedFunctionError) function :crypto.hmac/3 is undefined or private, use crypto:mac/4 instead

Hi, I have an issue

Erlang/OTP 25 [erts-13.2.2.3] [source] [64-bit] [smp:3:3] [ds:3:3:10] [async-threads:1] [jit:ns]

Interactive Elixir (1.15.6) - press Ctrl+C to exit (type h() ENTER for help)

iex(noname@83970d7a61ec)2> secret = NimbleTOTP.secret()
<<29, 17, 124, 1, 126, 10, 200, 252, 122, 12>>
iex(noname@83970d7a61ec)3> NimbleTOTP.otpauth_uri("Acme:alice", secret, issuer: "Acme")
"otpauth://totp/Acme:alice?secret=DUIXYAL6BLEPY6QM&issuer=Acme"

iex(noname@83970d7a61ec)4> NimbleTOTP.verification_code(secret)
** (UndefinedFunctionError) function :crypto.hmac/3 is undefined or private, use crypto:mac/4 instead
    (crypto 5.1.4.1) :crypto.hmac(:sha, <<29, 17, 124, 1, 126, 10, 200, 252, 122, 12>>, <<0, 0, 0, 0, 3, 96, 14, 114>>)
    (nimble_totp 0.1.0) lib/nimble_totp.ex:139: NimbleTOTP.verification_code/2
    iex:4: (file)

iex(noname@83970d7a61ec)4> NimbleTOTP.valid?(secret, "569777")
** (UndefinedFunctionError) function :crypto.hmac/3 is undefined or private, use crypto:mac/4 instead
    (crypto 5.1.4.1) :crypto.hmac(:sha, <<29, 17, 124, 1, 126, 10, 200, 252, 122, 12>>, <<0, 0, 0, 0, 3, 96, 14, 116>>)
    (nimble_totp 0.1.0) lib/nimble_totp.ex:139: NimbleTOTP.verification_code/2
    (nimble_totp 0.1.0) lib/nimble_totp.ex:166: NimbleTOTP.valid?/3
    iex:4: (file)

iex(noname@83970d7a61ec)5>  :crypto.mac(:hmac, :sha, secret, "data")
<<11, 65, 97, 113, 34, 252, 189, 42, 253, 233, 225, 2, 247, 176, 138, 212, 207,
  227, 185, 99>>
iex(spill@83970d7a61ec)6> :crypto.hmac(:sha, key, "data")
** (CompileError) cannot compile code (errors have been logged)

iex(noname@83970d7a61ec)6> function_exported?(:crypto, :mac, 4)
true

iex(noname@83970d7a61ec)7> Code.ensure_loaded?(:crypto)
true

if Code.ensure_loaded?(:crypto) and function_exported?(:crypto, :mac, 4) do

Here it's very clear Code.ensure_loaded?(:crypto) and function_exported?(:crypto, :mac, 4) are true so it should never use :crypto.hmac/3 but somehow it happens.

{:nimble_totp, "~> 0.1"},

Default shared secret byte length

Hi, thanks for the great library!

I'm reviewing the source code for this and it looks like it's using a default of 10 bytes (80 bits) for the shared secret. The RFC for HOTP says a minimum of 128 bits but recommends using 160 bits. Should this library propagate the recommendation from the RFC and set a default of 20 bytes?

Curious on your thoughts. Thanks.

Patch Release?

It looks like we still get the deprecation warnings for the usage of ^^^ instead of bxor, but this has been fixed in master. Is there any way we can get a patch release that includes those changes?
