dotp's Introduction

dotp

dotp is a dart package to generate and verify one-time passwords that were used to implement 2FA and MFA authentication method in web applications and other login-required systems.

The package was implement based on RFC4226 (HOTP: An HMAC-Based One-Time Password Algorithm) and RFC6238 (TOTP: Time-Based One-Time Password Algorithm).

Feature

Generate a otpauth url with the b32 encoded string
Create a HOTP object with verification
Verify a HOTP token
Create a TOTP object with verification
Verify a TOTP token

Installation

Pubspec

Add dotp as a dependency in your pubspec.yaml file.

dependencies:
  dotp: ^1.0.2

Example

Time-based OTPs

import 'package:dotp/dotp.dart';

void main() {
  TOTP totp = TOTP("J22U6B3WIWRRBTAV");
  totp.now(); /// => 432143
  
  /// verify for the current time
  totp.verify(432143); /// => true
  
  /// verify after 30s
  totp.verify(432143); /// => false
}

Counter-based OTPs

import 'package:dotp/dotp.dart';

void main() {
  HOTP hotp = HOTP("J22U6B3WIWRRBTAV");
  hotp.at(0); /// => 432143
  hotp.at(1); /// => 231434
  hotp.at(2132); /// => 242432
  
  /// verify with a counter
  hotp.verify(242432, 2132); /// => true
  hotp.verify(242432, 2133); /// => false
}

Api

• TOTP(String secret)

param: secret
type: String
return: TOTP
desc: generate TOTP instance.

• TOTP.now()

return: String
desc: get the one-time password with current time.

• TOTP.verify(String otp, [Datetime time])

param: otp
type: String
param: time
type: Datetime
return: Boolean
desc: verify the totp code.

• TOTP.urlGen(String issuer)

param: issuer
type: String
return: String
desc: generate url with TOTP instance

• HOTP(String secret)

param: secret
type: String
return: HOTP
desc: generate HOTP instance.

• HOTP.at(int counter)

param: counter
type: int
return: String
desc: generate one-time password with counter.

• HOTP.verify(String otp, int counter)

param: otp
type: String
param: counter
type: int
return: Boolean
desc: verify the hotp code.

• HOTP.urlGen(String issuer)

param: issuer
type: String
return: String
desc: generate url with HOTP instance

Release notes

See CHANGELOG.md.

dotp's People

Contributors

Stargazers

Watchers

dotp's Issues

Vulnerabilities

Though the standard allows for the use of SHA-1, it shouldn't be used to generate an OTP due to the discovered collission. Google Authenticator uses SHA-256 which is secure.

Also the function for verification isn't constant time so an attacker could perform a timing-attack.

I would be happy in assisting to close those vulnerabilities.

Add getter for TOTP tokens

Sometimes we have the need, in my case due to layout customisation issues, to know how big the interval is in our TOTP tokens have.

I propose (don't have permissions to open a PR) to add the following getter in totp.dart

  int get interval => _interval;

Recommend Projects

lancegin / dotp Goto Github PK