otp's People

Contributors

bvanheu, federicobond, pdunkel, pipobscure, shcyiza

otp's Issues

[Solution included] OTP breaking change after version 1.1.1 (Deployed Jan 5, 2024)

After my project automatically upgraded from [email protected] to [email protected], my project stopped working.

Apparently, some change in how node internal packages are served broke the main function of the codebase: generateKey().

Issue happens on this line: https://github.com/pipobscure/otp/blob/0bc5a3818a5ab80198c7cb5e3933397369967b24/lib/otp.ts#L93C6-L93C6

    globalThis.crypto.getRandomValues(bytes);

Apparently globalThis.crypto is not defined. Checking other changes in the app, I found that we should actually be using:

    import { getRandomValues } from 'node:crypto';

For those who want a quick workaround, just put the fixed version 1.1.0 in package.json and clear the installation.

I have a PR ready to fix this if the maintainers want the help

totpURL doesn't work for Google Authenticator on iOS

When I try to create a barcode from totpURL and parse it in Google Authenticator, I get: The barcode 'otpauth://totp/... is not a valid authentication token barcode.

I have to remove the trailing = from the secret, and then it scans fine. My solution is to create the URL manually like this:

    const login = process.argv[2];
    const name = encodeURIComponent(`Portal (${login})`);
    const secret = otp.secret.slice(0, -1); // remove trailing =
    const totpURL = `otpauth://totp/${name}?secret=${secret}`;
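The two issues above both concern provisioning a secret: where the random bytes come from, and how the secret is written into the otpauth URL. The following is an added example, not code from the otp package; `secureRandom`, `encodeBase32`, `generateSecret`, `totpUrl` and the `alice` label are illustrative names. It goes beyond the one-character case by stripping any number of trailing `=`.

```javascript
// Added example; not code from the otp package. All names are illustrative.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // RFC 4648 base32

// Fill n bytes from a CSPRNG. Prefer the Web Crypto global; on Node builds
// where globalThis.crypto is undefined, use node:crypto. Never Math.random().
function secureRandom(n) {
  const bytes = new Uint8Array(n);
  const web = globalThis.crypto;
  if (web && typeof web.getRandomValues === 'function') {
    web.getRandomValues(bytes);
  } else {
    require('node:crypto').randomFillSync(bytes);
  }
  return bytes;
}

// Base32-encode without '=' padding, so the result can go straight into a URL.
function encodeBase32(bytes) {
  let bits = 0, value = 0, out = '';
  for (const b of bytes) {
    value = (value << 8) | b;
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += ALPHABET[(value >>> bits) & 31];
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  if (bits > 0) out += ALPHABET[(value << (5 - bits)) & 31];
  return out;
}

// 20 bytes (160 bits) matches the HMAC-SHA1 output size.
function generateSecret(byteLength = 20) {
  return encodeBase32(secureRandom(byteLength));
}

// Build an otpauth URL; a stored secret may carry up to six '=' characters.
function totpUrl(label, secret, issuer) {
  const bare = secret.replace(/=+$/, '');
  let url = `otpauth://totp/${encodeURIComponent(label)}?secret=${bare}`;
  if (issuer) url += `&issuer=${encodeURIComponent(issuer)}`;
  return url;
}

// Constructed sample call; 'alice' and 'Portal' are made-up values.
console.log(totpUrl('Portal (alice)', generateSecret(), 'Portal'));
```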

Throws error if buffer is passed in secret

Passing buffer in secret doesn't work

    var crypto = require('crypto');
    // Pass raw random bytes (a Buffer) as the secret
    var otp = require('otp')({
      secret: crypto.randomBytes(256)
    });

    console.log(otp.hotp());

Throws the following error:

/Users/detj/tmp/plivo-try/node_modules/otp/node_modules/thirty-two/lib/thirty-two/thirty-two.js:121
            throw new Error('Invalid input - it is not base32 encoded string');
                  ^
Error: Invalid input - it is not base32 encoded string
    at Object.exports.decode (plivo-try/node_modules/otp/node_modules/thirty-two/lib/thirty-two/thirty-two.js:121:16)
    at OTP.hotp (plivo-try/node_modules/otp/otp.js:65:58)
    at Object.<anonymous> (/Users/detj/tmp/plivo-try/otp.js:20:17)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Function.Module.runMain (module.js:501:10)
    at startup (node.js:129:16)
    at node.js:814:3

Tried with node 0.12.2 and node 0.10.38

Consider using createHmac

Currently, this lib uses the crypto module.

The problem is that this causes gigantic bundles when the code is bundled with Webpack (I assume the same for browserify).

Would you be open to a PR that switches to createHmac?

Thanks a lot.

secret with padding string cannot be parsed correctly

Problem

If the secret string has padding characters, it would not be parsed correctly.

Padding characters seem to be dropped before the decodeChar() function.

How to reproduce

Code

    const OTP = require('otp');
    const samples = [
        // "suck" x16 + "s" (length: 65) - okay
        "ON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23T",
        // "suck" x16       (length: 64) - exception
        "ON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG2Y="
    ];
    samples.forEach((secret) => {
        try {
            const otp = new OTP({ secret });
            console.log(otp.totp());
            console.log("{SECRET} parsed!".replace("{SECRET}", secret));
        } catch(ex) {
            console.log("{SECRET} cannot be parsed!".replace("{SECRET}", secret));
            console.log(ex);
        }
        console.log("");
    });

Output

1601972249095 { secret:
   'ON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23T',
  name: 'OTPAuthentication',
  keySize: 64,
  codeLength: 6,
  epoch: 0,
  timeSlice: 30 }
277683
ON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23T parsed!

1601972249099 { secret:
   'ON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG2Y=',
  name: 'OTPAuthentication',
  keySize: 64,
  codeLength: 6,
  epoch: 0,
  timeSlice: 30 }
ON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG23TOVRWW43VMNVXG5LDNNZXKY3LON2WG2Y= cannot be parsed!
Error: invalid character: undefined
    at decodeChar (....\node_modules\otp\otp.js:41:15)
    at decodeChunk (....\node_modules\otp\otp.js:54:16)
    at decode (....\node_modules\otp\otp.js:95:9)
    at hotp (....\node_modules\otp\otp.js:441:46)
    at totp (....\node_modules\otp\otp.js:449:12)
    at samples.forEach (....\app.js:46:29)
    at Array.forEach (<anonymous>)
    at Server.app.listen (....\app.js:43:13)
    at Object.onceWrapper (events.js:286:20)
    at Server.emit (events.js:198:13)
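The last three issues (a Buffer passed as the secret, createHmac, and a padded base32 secret) all meet in the HOTP computation. The following is an added example, not code from the otp package; `decodeBase32`, `hotp`, `totp` and `PADDED_SAMPLE` are illustrative names, and `PADDED_SAMPLE` rebuilds the second sample string from the report above.

```javascript
// Added example; not code from the otp package. All names are illustrative.
const { createHmac } = require('node:crypto');

const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // RFC 4648 base32

// Same value as the padded sample in the report: "suck" x16, 64 bytes.
const PADDED_SAMPLE = 'ON2WG23TOVRWW43VMNVXG5LDNNZXKY3L'.repeat(3) + 'ON2WG2Y=';

// Decode base32, tolerating whitespace, lower case and trailing '=' padding.
function decodeBase32(text) {
  const clean = text.replace(/\s+/g, '').replace(/=+$/, '').toUpperCase();
  const out = [];
  let bits = 0, value = 0;
  for (let i = 0; i < clean.length; i++) {
    const idx = ALPHABET.indexOf(clean[i]);
    // Report the position only, so the secret never lands in logs.
    if (idx === -1) throw new Error(`invalid base32 character at index ${i}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226). `secret` is raw key bytes (Buffer) or a base32 string.
function hotp(secret, counter, digits = 6) {
  const key = Buffer.isBuffer(secret) ? secret : decodeBase32(secret);
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation
  const code = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(code % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): the counter is the number of elapsed time steps.
function totp(secret, nowMs = Date.now(), stepSeconds = 30) {
  return hotp(secret, Math.floor(nowMs / 1000 / stepSeconds));
}

// Padded and unpadded forms of the same secret give the same code.
console.log(totp(PADDED_SAMPLE) === totp(PADDED_SAMPLE.replace(/=+$/, '')));
```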
