Add "get_provisioning_uri" utility for HOTP/TOTP. #1990
I personally do not think that this is something we should have in the library since it's a Google Authenticator specific thing (although it's probably pretty widely used at this point) and not actually part of the HOTP / TOTP standard.
Jenkins, ok to test
I'm not sure where I stand on if we should implement this, but if so, a few notes on this patch right off the bat:
@Ayrx @alex Thank you for your review. I modified it into a utility function instead of a mixin class. And the broken tests have been fixed. I know that the provisioning URI is not a part of the RFC4226/RFC6238. But it is a way to let end users be able to configure two-factor authentication with their mobile devices. Personally I hope it could be included in cryptography or exist as a third-party library, not implemented many times in different applications. ;-)
jenkins, retest this please
@tonyseek do you happen to know of other places where this is used outside of Google Authenticator? I'm not opposed to adding this if it has become a de facto standard.
@reaperhulk The following mobile apps have support for provisioning with a QR code which includes this form of URI:
And many sites with 2-factor authentication are providing this kind of QR code, such as Google, Dropbox, GitHub, Zoho and Slack.
Assuming we decide to pull this in we put documentation separately in restructured text. You'll need to add this to the docs there.
I don't feel strongly about not having this so I'm fine with this going in. I'll do a code review when I get to a computer unless someone gets to it
If I'm reading this right you are attempting to determine if the otp object is an instance of HOTP and not TOTP? If so this should be rewritten as isinstance(otp, HOTP) instead.
Overall API design feedback: I don't like that the public API is a standalone function. In particular it leads to this very ugly bit of code:

```python
if hotp is otp:
    if counter is None:
        raise RuntimeError('"counter" is required for HOTP')
    parameters.append(('counter', int(counter)))
```

due to HOTP and TOTP having different requirements for a provisioning URL. Is there anything particularly bad about each class (HOTP and TOTP), having a
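
The provisioning URI this thread discusses, as an added example that is not the code from this pull request or from cryptography: it builds the `otpauth://` URI of the Google Authenticator Key Uri Format for either OTP type, enforcing the HOTP counter requirement mentioned above. The names `provisioning_uri` and `redact_secret`, the sample key and the account values are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import quote, urlencode


def provisioning_uri(kind, key, account_name, issuer=None, *,
                     digits=6, algorithm="SHA1", counter=None, period=30):
    """Return an otpauth:// URI for an authenticator app to import.

    kind is "hotp" or "totp"; key is the raw shared secret as bytes.
    """
    if kind not in ("hotp", "totp"):
        raise ValueError("kind must be 'hotp' or 'totp'")
    # HOTP has no clock to derive state from, so the client needs the counter.
    if kind == "hotp" and counter is None:
        raise ValueError('"counter" is required for HOTP')
    # ':' separates issuer from account in the label, so neither may contain it.
    if ":" in account_name or (issuer and ":" in issuer):
        raise ValueError("issuer and account name may not contain ':'")

    label = quote(account_name, safe="")
    if issuer:
        label = quote(issuer, safe="") + ":" + label

    # The key is carried as unpadded base32.
    params = [("secret", base64.b32encode(key).decode("ascii").rstrip("="))]
    if issuer:
        params.append(("issuer", issuer))
    params += [("algorithm", algorithm), ("digits", int(digits))]
    if kind == "hotp":
        params.append(("counter", int(counter)))
    else:
        params.append(("period", int(period)))
    return "otpauth://%s/%s?%s" % (kind, label, urlencode(params, quote_via=quote))


def redact_secret(uri):
    """Mask the shared secret so the URI can be logged or shown in errors."""
    return re.sub(r"(?<=[?&]secret=)[^&]*", "REDACTED", uri)


if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed sample key, not a real secret
    uri = provisioning_uri("totp", key, "alice@example.com", "Example Corp")
    print(redact_secret(uri))
    print(redact_secret(provisioning_uri("hotp", key, "alice@example.com", counter=0)))
```

The URI carries the shared secret in clear text, so it belongs only in the QR code shown to the enrolling user; anything written to logs should go through a redaction step like the one above.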
Hi @Ayrx @reaperhulk @alex, I turned the The description part has been moved into the
For files we have a licensing preamble and a specific __future__ import we want: https://cryptography.io/en/latest/development/submitting-patches/#code
We're getting close now, thanks for your work so far :)
@reaperhulk Updated :-)
@tonyseek Still missing the standard license header.
docs/hazmat/primitives/twofactor.rst
"widely supported", "which are using".
Other than the standard license header and the small grammar fixes this LGTM. 👍
@Ayrx Fixed~
docs/hazmat/primitives/twofactor.rst
Our typical model for external links is to put them at the bottom of the page like:
.. _`spec of Google Authenticator`: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
Additionally we strongly prefer not to use shortener links where possible so the canonical URL is preferred.
Other than that final nit this LGTM.
@reaperhulk The URL has been unshortened and moved to the page bottom.
Thank you @tonyseek! You're welcome to submit a PR to add yourself to the AUTHORS.rst file if you'd like. If you get a chance it'd also be great if you could submit a separate PR to add an entry to the CHANGELOG.rst for this new feature.
@reaperhulk I will submit PR soon. Thank you!
Related Issue: pyca#1990
Please review it. Thanks.