Comments (5)

josevalim commented on August 22, 2024 2

Also, keep in mind that TOTP is periodic. You can generate a TOTP now but it is in its last minute out of 5. So I don’t think it works for what you want. You could use Phoenix.Token instead.

from nimble_totp.

wojtekmach commented on August 22, 2024

NimbleTOTP.valid?(secret, otp, time: time, period: 300)

What is the time value that you are passing?

Could you try writing a script that reproduces the issue?

from nimble_totp.

doxmazz commented on August 22, 2024

time = System.os_time(:second)

from nimble_totp.

PJUllrich commented on August 22, 2024

@wojtekmach @whatyouhide sorry folks, but something's off here or I'm understanding the options wrong.

I created a test script because I also ran into issues where the code stopped working unexpectedly. The full script is below, but here's what I expected, how I tested it, and what the results were:

  1. If I create a code now and verify it every second for 30 seconds, it will be invalid after exactly 30 seconds.
secret = NimbleTOTP.secret()
code = NimbleTOTP.verification_code(secret)
for _sec <- 1..60 do
  NimbleTOTP.valid?(secret, code) |> IO.inspect(label: DateTime.utc_now())
  :timer.sleep(1000)
end

-> The code stopped working at every 0s and 30s mark of the minute. So, if I created a code at 12:00:54, it would stop working at 12:01:00. Same for 12:00:24, which stopped working at 12:00:30.

  2. If I validate a code with period: 60, it will be valid for 60 seconds instead of 30s.
secret = NimbleTOTP.secret()
code = NimbleTOTP.verification_code(secret)
for _sec <- 1..90 do
  NimbleTOTP.valid?(secret, code, period: 60) |> IO.inspect(label: DateTime.utc_now())
  :timer.sleep(1000)
end

-> The very first call is false already.

  3. If I create a code with period: 60 and validate it with period: 60, it will be valid for 60s.
secret = NimbleTOTP.secret()
code = NimbleTOTP.verification_code(secret, period: 60)
for _sec <- 1..90 do
  NimbleTOTP.valid?(secret, code, period: 60) |> IO.inspect(label: DateTime.utc_now())
  :timer.sleep(1000)
end

-> The code stopped working at "random" times, but mostly on the minute or at the 30s mark. One time it stopped working on the minute after ~15s of running the test and one time it stopped 47s later (started at 12:00:37, stopped at 12:01:24), one time started at 12:00:53, stopped being valid at 12:01:00. It seems like the period-option has no effect?

My Question

My question here is basically: How can I create a code that's valid for longer than 30 seconds and does not become invalid at the 30s and 60s mark?

My use-case is that I'd like to send one-time passwords per email to a user that wants to log in. That code should be valid for 5min starting at the moment the user requests it. I thought this library would allow me to do that, but it seems it's rather focused on 2FA flows, no?

from nimble_totp.

josevalim commented on August 22, 2024

It has been a while but don’t you have to pass the same period option both when generating the code and when validating it? We can probably improvise the docs around this.

from nimble_totp.
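
The time-step alignment discussed in this thread, as an added example that is not part of the original comments and is not NimbleTOTP's code: a standard-library Python implementation of RFC 6238 showing that a code lives only for what remains of its time step, and that generator and validator must use the same period. The function names, the sample clock and the secret are constructed for illustration, and the validator is assumed to accept only the current step.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timezone


def totp(secret: bytes, time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over counter = floor(time / period)."""
    counter = time // period  # every timestamp in the same step yields the same code
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


def valid(secret: bytes, code: str, time: int, period: int = 30) -> bool:
    """Accept only the code of the step that contains `time` (assumed: no drift window)."""
    return hmac.compare_digest(totp(secret, time, period), code)


def seconds_accepted(secret: bytes, issued_at: int, gen_period: int, check_period: int) -> int:
    """Seconds after issue during which the code validates (0 = rejected at once)."""
    code = totp(secret, issued_at, gen_period)
    elapsed = 0
    while elapsed < 2 * check_period and valid(secret, code, issued_at + elapsed, check_period):
        elapsed += 1
    return elapsed


def at(hh: int, mm: int, ss: int) -> int:
    """Constructed sample clock: Unix time for hh:mm:ss UTC on an arbitrary day."""
    return int(datetime(2024, 8, 22, hh, mm, ss, tzinfo=timezone.utc).timestamp())


SECRET = b"12345678901234567890"  # constructed sample secret (the RFC 6238 test key)

if __name__ == "__main__":
    # Default 30 s step: lifetime is what is left of the current step, not 30 s.
    print(seconds_accepted(SECRET, at(12, 0, 54), 30, 30))  # issued at :54
    print(seconds_accepted(SECRET, at(12, 0, 24), 30, 30))  # issued at :24
    # Generated with a 30 s step, checked with a 60 s step: different counters.
    print(seconds_accepted(SECRET, at(12, 0, 54), 30, 60))
    # Same 60 s step on both sides: valid until the next minute boundary.
    print(seconds_accepted(SECRET, at(12, 0, 37), 60, 60))
    # 300 s step, issued four minutes into it: one minute of lifetime.
    print(seconds_accepted(SECRET, at(12, 4, 0), 300, 300))
```

A lifetime that starts when the user requests the code needs an expiry stored or signed at issue time, which is what the Phoenix.Token suggestion above provides.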
