every time failstotp.verify()

[saikatharryc]

[HELP WANTED]
Hi, I want to generate a token that will last for a certain time, say for 7200 second, that is two hour.
what is want to do is, it will give me false when I'm ging to verify a token two hour after generation. that is will be valid till two hour of generation.

Do I need to use verifyDelta? its every time giving me false when I'm setting time.

and my code is below to generate the token:

 var secret = speakeasy.generateSecret();
        var token = speakeasy.totp({
            secret: secret.base32,
            encoding: 'base32',
           time : 7200
              });

and here is the verify:

var verified = speakeasy.totp.verify({
          secret: secret_str,
          encoding: 'base32',
          token: req.body.unique_code,
         window: 240   //as window value 1 for each 30 secoends..
      });

[mikepb]

The time step needs to be provided to both totp() and totp.verify(). See https://github.com/speakeasyjs/speakeasy/blob/master/index.js#L286

…

On Feb 25, 2017, at 9:08 PM, Saikat Chakrabortty ***@***.***> wrote: Hi, I want to generate a token that will last for a certain time, say for 7200 second, and my code is below to generate the token: var secret = speakeasy.generateSecret(); var token = speakeasy.totp({ secret: secret.base32, encoding: 'base32', window: 240 //as window value 1 for each 30 secoends.. }); and here is the verify: var verified = speakeasy.totp.verify({ secret: secret_str, encoding: 'base32', token: req.body.unique_code, //time: 200, //time specified in secoends window: 2, step : 60 }); — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#81>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAm4b3N-jInKeWLh88vNaqjB2JTeAK6Zks5rgQjqgaJpZM4MMPtB>.

[saikatharryc]

yeah, i have done the same as you said, but still its failing..says false

[mikepb]

You have different values for window in the two functions. Please review the documentation carefully; let us know if we can make it clearer how to use the library.

…

On Feb 26, 2017, at 11:07 PM, Saikat Chakrabortty ***@***.***> wrote: yeah, i have done the same as you said, but still its failing..says false — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#81 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAm4b5r_vPBG3TI_--I2LRaPJlQrwl7Dks5rgnZGgaJpZM4MMPtB>.

[krenor]

Even thought its kinda late, but maybe it'll still be of use to you @saikatharryc
This is my test case to validate that the token is truly invalid at the very next step mark:

  const secret = "foo"
  const step = 75
  const timestamp = Math.floor(Date.now() / 1000)
  const response = await request
    .post(url)
    .send({ secret, step })
    .expect(201)

  expect(response.body).toHaveProperty("token")
  expect(response.body.token).toHaveLength(6)

  const encoding = "base32" // Default by the route but not by the verify function
  const time = timestamp + (step - (timestamp % step)) // Move timestamp to the very first mark of the next step
  const token = response.body.token

  expect(totp.verify({
    encoding,
    secret,
    step,
    token,
  })).toBe(true)

  expect(totp.verify({
    encoding,
    secret,
    step,
    time,
    token,
  })).toBe(false)