Why sometimes is invalid my token? about otplib HOT 6 CLOSED

hi @thEpisode

I ran the snippet and could reproduce the issue. However it is not a problem with the function.
The issue came from a falling out of the time window.

In the above snippet, you're:

1. Using a 5s window
2. generating a token
3. waiting 1s before checking the token

In Authenticator and TOTP which are time based, any tokens generated within a 5s time window is the same. As such, if you generate a token at 12:00:01 and 12:00:04, it will result in the same token. So checking anywhere within this block will result in true

In the snippet above, when you generate a token and wait for 1s, you cannot guarantee you're within this same window. So when running the code, there are chances that you're generating a token at 12:00:04 and waiting for 1s results in checking the token at 12:00:05 which will cause the system token to already fall into the next block.

Try doing this:

// instead of
otplib.authenticator.options = {
  step: step
}

// use
otplib.authenticator.options = {
  step: step,
  window: [1, 0]
}


// instead of 
const isValid = otplib.authenticator.check(singleToken, secret)

// use 
const isValid = otplib.authenticator.checkDelta(singleToken, secret)

You should see some values being returned as -1, which means it falls into 1 window behind.

Hope that helps :)

from otplib.

The following is a sample terminal application.
You'll need to npm install ora

const otplib = require('otplib');
const ora = require('ora');

let step = 5;
let currToken = 'Generating...';

otplib.authenticator.options = {
  step: step
};

const spinner = ora(currToken).start();
const secret = otplib.authenticator.utils.encodeKey('your own private key');

function generator() {
  const epoch = Math.floor(new Date().getTime() / 1000);
  const count = epoch % step;

  if (count === 0) {
    currToken = otplib.authenticator.generate(secret);
  }

  spinner.text = `[${step - count}s] - ${currToken}`;
}

setInterval(generator, 1000);

from otplib.

With a bit debugging I notice that hotpToken() function calculate systemToken wrong (inside hotpCheck function) and when is called otplibUtils.isSameToken(token, systemToken) obviously is different.

from otplib.

oh yes thanks, I need to read more about this window in this moment is not very clear for me, meanwhile could you guide me to know what is the right way to generate an OTP every 5 seconds?

from otplib.

Woah, wonderful, thanks

from otplib.

hi @thEpisode

I ran the snippet and could reproduce the issue. However it is not a problem with the function. The issue came from a falling out of the time window.

In the above snippet, you're:

1. Using a 5s window
2. generating a token
3. waiting 1s before checking the token

In Authenticator and TOTP which are time based, any tokens generated within a 5s time window is the same. As such, if you generate a token at 12:00:01 and 12:00:04, it will result in the same token. So checking anywhere within this block will result in true

In the snippet above, when you generate a token and wait for 1s, you cannot guarantee you're within this same window. So when running the code, there are chances that you're generating a token at 12:00:04 and waiting for 1s results in checking the token at 12:00:05 which will cause the system token to already fall into the next block.

Try doing this:

// instead of
otplib.authenticator.options = {
  step: step
}

// use
otplib.authenticator.options = {
  step: step,
  window: [1, 0]
}


// instead of 
const isValid = otplib.authenticator.check(singleToken, secret)

// use 
const isValid = otplib.authenticator.checkDelta(singleToken, secret)

You should see some values being returned as -1, which means it falls into 1 window behind.

Hope that helps :)

Hey! Just wanted to ask about what does the window array mean exactly.
I'm using totp to generate tokens for 5 minutes, and using a combination of step and window on [1, 0] appears to work. But being honest I don't understand why.

from otplib.