A consumed otp becomes valid again within the drift period #106
Comments
A consumed otp becomes valid again once per otp.interval until it expires due to the drift period (otp_allowed_drift) fixes: devise-two-factor#106
Can we close this issue because of the merged PR?
not fixed in master
Hi, any plans to merge / fix the master branch?
Hello! I really appreciate this great gem! Is there any chance that this critical fix will get merged into the master branch soon?
Hi, any updates on this?
Hi, any updates on this?
The issue can be mitigated by disallowing OTP drift. To do so, add I'm hoping this issue will be patched soon.
Thank you, this is fixed now in the published version 4.0.2.
Hi, Thanks.
If an otp is consumed, it becomes invalid during the `otp.interval` of the instantiated `ROTP::TOTP` object in TwoFactorAuthenticatable. `otp.interval` is currently always 30 seconds, since that is the default: https://github.com/mdp/rotp/blob/v3.3.0/lib/rotp/totp.rb#L10

However, during the drift period specified by `otp_allowed_drift`, the otp again becomes valid. I believe this is unexpected behavior, and the intention is for an otp to not be reusable within the drift period after it has been consumed.

Here are some specs dropped in here which currently fail:
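The behaviour described in this issue, reproduced and then closed off in a small stand-alone Ruby TOTP. This is an added illustration, not code from devise-two-factor or rotp; the secret, the timestamps and the `state[:consumed_timestep]` bookkeeping are constructed for the example.

```ruby
require 'openssl'

# Stand-alone HOTP/TOTP (RFC 4226 / RFC 6238): HMAC-SHA1, 6 digits, 30 s step.
# Illustration only, not the rotp gem's implementation.
INTERVAL = 30
DIGITS = 6

def hotp(secret, counter)
  hmac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset = hmac.getbyte(19) & 0x0f
  code = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**DIGITS)
  code.to_s.rjust(DIGITS, '0')
end

# Code for the 30 s timestep that contains `time` (an Integer epoch second).
def totp_at(secret, time)
  hotp(secret, time / INTERVAL)
end

# Timesteps whose codes are accepted when `drift` seconds of skew is allowed.
def drift_window(now, drift)
  ((now - drift) / INTERVAL)..((now + drift) / INTERVAL)
end

# The behaviour the issue describes: a bare drift check. Nothing records
# that a code was already used, so it stays valid until the window moves on.
def valid_with_drift?(secret, code, now, drift)
  drift_window(now, drift).any? { |step| hotp(secret, step) == code }
end

# Hardened check: remember the timestep of the last accepted code and refuse
# anything at or before it. `state[:consumed_timestep]` is constructed here;
# a real application would persist it alongside the user's OTP secret.
def consume_with_drift(secret, code, now, drift, state)
  step = drift_window(now, drift).find { |s| hotp(secret, s) == code }
  return false if step.nil? || step <= state[:consumed_timestep]
  state[:consumed_timestep] = step
  true
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret'   # constructed, not a real key
  t0 = 1_000_000                       # constructed epoch second
  code = totp_at(secret, t0)
  puts "bare drift check, replay 5 s later: #{valid_with_drift?(secret, code, t0 + 5, 30)}"
  state = { consumed_timestep: 0 }
  consume_with_drift(secret, code, t0, 30, state)
  puts "hardened check, replay 5 s later:   #{consume_with_drift(secret, code, t0 + 5, 30, state)}"
end
```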