Validate 'secret' when instantiating TOTP #94
Hi, as indicated in the OTP Customization page, the secret must be encoded in Base32. If you have a secret with mixed characters (e.g.

```php
use ParagonIE\ConstantTime\Base32;

$mySecret = Base32::encodeUpper('Th1s i5 a nic3 code!'); // You can remove the '=' padding if any
$otp = TOTP::create($mySecret);
```

It should work as expected.
Any specific reason why you are trimming "=" in the example from the Customization page?

If you configure your OTP application by clicking the provisioning URI (e.g. using a mobile device), you may have trouble. Note: I missed the
Isn't it the opportunity to improve this exception message? Maybe something like:

@fefas This exception is not thrown by this library but by a dependency (see https://github.com/paragonie/constant_time_encoding/blob/master/src/Base32.php#L332). Another way could be to check if the secret is correctly encoded. But that is not so easy, e.g. is

You should wrap an exception and rethrow one of your own. This is an internal dependency of the library, and any calling code should not be aware of internal dependencies, because they can be switched in the future (like you did in v9.0.2, as you state in the README). Also, I believe you should provide an encoder implementation that belongs to this library so you can swap the encoder provider without breaking the code that consumes the library. But this should probably be discussed in another issue.

OK, that makes sense. I will update the library within the next days and throw a dedicated exception.

Done. Tagged as v9.0.3.
fix wrong phpdoc in Google\TwoFactorInterface
Hello, I might be very late, but I think this could be answered here. In fact, I'm facing the same issue while using the NuGet package TwoStepsAuthenticator v1.4.1. Any help on this is welcome, please? ERROR: NOTES:
CODE snippet: executed when validating the user TOTP read from the Authenticator app

Is this the acceptable set of chars for Base32? If yes, it looks wrong. By changing the
I tried passing in a secret with mixed characters (alphanumeric and special characters): the object was constructed and the QR code was valid, but the verify method was failing with:
I believe that this should fail when instantiating an instance of TOTP.
I also tried testing the library using 'SECRET' as the secret. The rendered QR code and Google Authenticator did not produce valid codes until I took one of the secrets generated by the lib (without passing in the 'secret' parameter) and set it manually. I don't know if it has something to do with the length of the secret or something else.
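Pulling together the maintainer's advice (Base32-encode the raw secret, optionally drop the '=' padding), the request for a dedicated exception, and the 'SECRET' observation in the report, here is an added Python example that is not code from this issue or from the library: it validates a secret at construction time, raises its own error instead of leaking the decoder's, and then uses the validated key for an RFC 6238 code. The names `encode_secret`, `validate_secret`, `InvalidSecretError` and `totp` are my own; the 6-letter 'SECRET' is rejected because 6 is not a length any Base32 encoder produces.

```python
import base64
import hashlib
import hmac
import re
import struct

# RFC 4648 Base32: upper-case A-Z and 2-7, with optional trailing '=' padding.
_BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")


class InvalidSecretError(ValueError):
    """Dedicated error so callers never see the Base32 decoder's own exception."""


def encode_secret(raw: bytes) -> str:
    """Base32-encode a raw key and strip the '=' padding, as the PHP snippet above does."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def validate_secret(secret: str) -> bytes:
    """Return the raw key bytes if `secret` is valid Base32, else raise InvalidSecretError.

    Unpadded input is accepted (padding is re-added to a multiple of 8 chars). Lengths no
    Base32 encoder can produce, e.g. the 6-letter 'SECRET', fail the strict decoder.
    """
    if not secret or not _BASE32_RE.match(secret):
        raise InvalidSecretError(
            "secret must be Base32 (A-Z, 2-7, optional '=' padding): %r" % secret)
    unpadded = secret.rstrip("=")
    padded = unpadded + "=" * (-len(unpadded) % 8)
    try:
        return base64.b32decode(padded)  # strict: rejects impossible padding counts
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidSecretError("secret is not valid Base32: %s" % exc) from exc


def totp(secret: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s) for a validated Base32 secret."""
    key = validate_secret(secret)
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    secret = encode_secret(b"Th1s i5 a nic3 code!")  # constructed sample from the thread
    print(secret, totp(secret, 59))
```

The RFC 6238 test vector (ASCII key "12345678901234567890", T=59) yields 287082, which is a quick way to confirm the HMAC and truncation steps against a known answer.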