Comments (6)
hi @thEpisode

I ran the snippet and could reproduce the issue. However, it is not a problem with the function. The issue comes from falling out of the time window.

In the above snippet, you're:

- using a `5s` window
- generating a token
- waiting `1s` before checking the token

In Authenticator and TOTP, which are time based, any tokens generated within a 5s time window are the same. As such, if you generate a token at `12:00:01` and at `12:00:04`, it will result in the same token. So checking anywhere within this block will result in `true`.

In the snippet above, when you generate a token and wait for `1s`, you cannot guarantee you're within this same window. So when running the code, there are chances that you're generating a token at `12:00:04`, and waiting for `1s` results in checking the token at `12:00:05`, which will cause the system token to already fall into the next block.

Try doing this:

```js
// instead of
otplib.authenticator.options = {
  step: step
}

// use
otplib.authenticator.options = {
  step: step,
  window: [1, 0]
}

// instead of
const isValid = otplib.authenticator.check(singleToken, secret)

// use
const isValid = otplib.authenticator.checkDelta(singleToken, secret)
```

You should see some values being returned as `-1`, which means it falls into 1 window behind.

Hope that helps :)
The following is a sample terminal application.

You'll need to `npm install ora`

```js
const otplib = require('otplib');
const ora = require('ora');

let step = 5;                     // TOTP step length in seconds
let currToken = 'Generating...';

otplib.authenticator.options = {
  step: step
};

const spinner = ora(currToken).start();
const secret = otplib.authenticator.utils.encodeKey('your own private key');

function generator() {
  const epoch = Math.floor(new Date().getTime() / 1000);
  const count = epoch % step;     // seconds elapsed inside the current step
  if (count === 0) {
    // a new step has just begun: generate the token for this window
    currToken = otplib.authenticator.generate(secret);
  }
  spinner.text = `[${step - count}s] - ${currToken}`;
}

setInterval(generator, 1000);
```
With a bit of debugging I noticed that the `hotpToken()` function calculates `systemToken` wrong (inside the `hotpCheck` function), and when `otplibUtils.isSameToken(token, systemToken)` is called it is obviously different.
oh yes, thanks. I need to read more about this window; at this moment it is not very clear to me. Meanwhile, could you guide me on the right way to generate an OTP every 5 seconds?
Woah, wonderful, thanks
Hey! Just wanted to ask what the `window` array means exactly.

I'm using totp to generate tokens for 5 minutes, and using a combination of `step` and `window` set to `[1, 0]` appears to work. But to be honest, I don't understand why.