The library is not accepting the code generated by the authenticator app.

[MarcusWebDev]

I suspect because the phone uses a 32bit integer and the library is now using BigInt. Would it be possible to keep the old algorithm as a separate function so people who want to use the library with a phone can use it or come up with a solution that allows the generateTOTPand verifyTOTP functions to work in both cases?

[kentcdodds]

I think we’ll revert and limit you to 6 characters unless we can figure out another solution. I did test this before releasing so I’m not sure what’s caused the issue.

[szabolcsnagy]

I opened a PR that addresses this issue.

[jannomeister]

Hi @kentcdodds, this issue still persist. I just follow the basic example in the docs:

const { secret, period, digits, algorithm } = await generateTOTP()
const otpUri = getTOTPAuthUri({
      period,
      digits,
      algorithm,
      secret,
      accountName: user.email,
      issuer: appName,
    });

// save `secret` to db as `totpSecret`
// return `otpUri` to user


// in the verification flow

// code from authenticator app (I use google auth)
const code = getCodeFromAuthApp()

// I just use the same defaults except the secret
const { period, digits, algorithm } = await generateTOTP();
const isValid = await verifyTOTP({
      otp: code,
      secret: totpSecret, // this is coming from the db
      period,
      digits,
      algorithm,
    });

// returns null
console.log(isValid)

Is there something wrong with how I use it? Also, I’m not sure if it's relevant, but the generated OTP URI algorithm doesn't include a hyphen (SHA1)

[jannomeister]

Hi @kentcdodds, this issue still persist. I just follow the basic example in the docs:

const { secret, period, digits, algorithm } = await generateTOTP()
const otpUri = getTOTPAuthUri({
period,
digits,
algorithm,
secret,
accountName: user.email,
issuer: appName,
});

// save secret to db as totpSecret
// return otpUri to user

// in the verification flow

// code from authenticator app (I use google auth)
const code = getCodeFromAuthApp()

// I just use the same defaults except the secret
const { period, digits, algorithm } = await generateTOTP();
const isValid = await verifyTOTP({
otp: code,
secret: totpSecret, // this is coming from the db
period,
digits,
algorithm,
});

// returns null
console.log(isValid)
Is there something wrong with how I use it? Also, I’m not sure if it's relevant, but the generated OTP URI algorithm doesn't include a hyphen (SHA1)

Apologies. It works when I upgraded to v4.0.1 (from v4.0.0)