4cc3ssX / react-native-totp-utils

A full-featured Time-Based One-Time Password (TOTP) library for React Native written in C++
MIT License
21 stars, 2 forks

Codes generated with default options differ from those generated by otpauth #2

Open Thanaen opened 1 year ago

Thanaen commented 1 year ago

Hello,

I'm very interested in the performance aspect, and I wanted to migrate from the otpauth library (https://github.com/hectorm/otpauth) to this one.

But when I generate an OTP password with the otpauth library, then one with this one using the same key, I get two different passwords!

Yet your default options seem to be the same (6 digits, time step of 30).

So I'm wondering: what could be causing this difference?

(Here's how otpauth does it, if it helps: https://github.com/hectorm/otpauth/blob/5cdefb679e4fdf4e41c49b54a1e2c62de28313c8/src/hotp.js#L100C12-L100C12)

Note: I haven't yet made a repository to reproduce the problem, but I'll try to set one up!

Thanaen commented 1 year ago

Note: I realize that I didn't check whether the two devices that generated OTP codes were set perfectly to the same time. I'm closing the issue until I reproduce the bug under better conditions.

4cc3ssX commented 1 year ago

You're using HOTP, which is an HMAC-based One-Time Password that will renew an OTP every time you create one or it's been used. And the one I implemented is TOTP, which will renew after a specific time frame; otherwise it remains the same. Read more here: What's TOTP?

Thanaen commented 1 year ago

@4cc3ssX In fact, I do generate TOTPs. The otpauth library handles both HOTP and TOTP, but the class that handles TOTP simply extends the class that handles HOTP. Consequently, the piece of code responsible for generating OTPs is the same 😄.

My issue is currently invalid, as I haven't checked that the devices generating the codes I was comparing were set to the same time.

On the other hand, I encountered another problem, with XCode, which couldn't find an .h file. I'll open another issue as soon as I have a repro project!

4cc3ssX commented 1 year ago

I'm also facing a .h not found error in XCode, but the example works fine.

pandaninjas commented 1 year ago

I'm also experiencing a bug where the codes generated by the module differ from ones generated online. I have confirmed that the devices are synchronized with respect to time. I have a suspicion that the problem is because TOTP secrets in base32 need to be decoded to a byte array before they can be used.

See: https://github.com/pandaninjas/react-native-totp-utils/blob/main/cpp/react-native-totp-utils.cpp#L21-L31
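The decoding step suspected in the comment above, as an added example (not code from react-native-totp-utils or otpauth): it computes RFC 6238 TOTP once with the Base32 secret decoded to bytes and once with the Base32 text used directly as the HMAC key, showing that the two disagree. The function names are hypothetical, and the secret is the RFC 6238 SHA-1 test key, constructed here in Base32 form.

```javascript
// Added example. Constructed input: the RFC 6238 SHA-1 test key
// "12345678901234567890", Base32-encoded the way authenticator secrets are shared.
const nodeCrypto = require("node:crypto");

const B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// RFC 4648 Base32 -> bytes. Ignores whitespace, padding and case; rejects anything else.
function base32Decode(text) {
  const clean = text.replace(/[\s=]/g, "").toUpperCase();
  const out = [];
  let bits = 0, acc = 0;
  for (const ch of clean) {
    const v = B32_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error("invalid Base32 character: " + ch);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation.
function hotp(keyBytes, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = nodeCrypto.createHmac("sha1", keyBytes).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch.
function totp(keyBytes, unixSeconds, step = 30, digits = 6) {
  return hotp(keyBytes, Math.floor(unixSeconds / step), digits);
}

const SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

// Same secret string, same time, two key interpretations.
function compare(unixSeconds) {
  return {
    decoded: totp(base32Decode(SECRET_B32), unixSeconds),
    rawText: totp(Buffer.from(SECRET_B32, "ascii"), unixSeconds),
  };
}
console.log(compare(59));
```

Passing a fixed timestamp, as `compare` does, takes clock drift between devices out of the comparison when checking two implementations against each other.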

4cc3ssX commented 1 year ago

I got it. I'll dive into it, but a PR is welcome too. Need contributors to be a perfect one!