Spomky-Labs / otphp

A PHP library for generating one time passwords according to RFC 4226 (HOTP) and the RFC 6238 (TOTP)
MIT License

Error: Label must not contain a colon #225

Open simonsolutions opened 4 months ago

simonsolutions commented 4 months ago

Version(s) affected

11.3

Description

When setting a Label like this "Provider%3Ausername%40domain.com" it throws the error "Label must not contain a colon."

How to reproduce

Setting a Label like this "Provider%3Ausername%40domain.com"

Possible Solution

Allowing URL Encoded colons.

Other implementations allow it URL encoded. (Microsoft and Google provide them e.g.)

Additional Context

The issuer prefix and account name should be separated by a literal or url-encoded colon, and optional spaces may precede the account name. Neither issuer nor account name may themselves contain a colon. Represented in ABNF according to RFC 5234:

label = accountname / issuer (":" / "%3A") *"%20" accountname

Valid values might include Example:alice@gmail.com, Provider1:Alice%20Smith or Big%20Corporation%3A%20alice%40bigco.com.

Spomky commented 4 months ago

Hi,

Many thanks for this report. Have you considered this: https://github.com/Spomky-Labs/otphp/blob/11.4.x/doc/Customize.md#issuer

simonsolutions commented 4 months ago

Hi, I've seen the property. When adding, for example, a Microsoft365 account, the label is complete, including the issuer separated by a URL-encoded colon. So the idea would be, when setting the label, to split it into label and issuer if the colon is present? That would prevent splitting the strings outside the library, maybe with a separate property "isIssuerIncludedInLabel".
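The label grammar quoted in the first comment and the splitting discussed in the last one can be sketched outside the library as follows. This is an added example, not code from otphp or from any participant in the thread; `splitOtpLabel` is a hypothetical helper and the sample labels are constructed from the values quoted in the issue.

```php
<?php
declare(strict_types=1);

/**
 * Split a raw (still percent-encoded) Key URI label into issuer and account:
 *   label = accountname / issuer (":" / "%3A") *"%20" accountname
 * Hypothetical helper for illustration; not part of otphp.
 */
function splitOtpLabel(string $rawLabel): array
{
    // Decode exactly once so ":" and "%3A" become the same character.
    // rawurldecode() is used because "+" is not a space in a URI path.
    $label = rawurldecode($rawLabel);

    $parts = explode(':', $label);
    if (count($parts) > 2) {
        // The grammar forbids a colon inside the issuer or the account name.
        throw new InvalidArgumentException('Neither issuer nor account name may contain a colon.');
    }

    if (count($parts) === 1) {
        $issuer = null;               // label is a bare account name
        $account = $parts[0];
    } else {
        [$issuer, $account] = $parts;
        $account = ltrim($account, ' ');   // optional spaces may precede the account name
        if ($issuer === '') {
            throw new InvalidArgumentException('Issuer prefix is empty.');
        }
    }
    if ($account === '') {
        throw new InvalidArgumentException('Account name is empty.');
    }
    return ['issuer' => $issuer, 'account' => $account];
}

// Constructed sample input: labels quoted in the issue plus two edge cases.
$samples = [
    'Example:alice@gmail.com',
    'Big%20Corporation%3A%20alice%40bigco.com',
    'Provider%3Ausername%40domain.com',
    'alice@example.com',          // no issuer prefix
    'A%3AB%3Acarol',              // two colons: rejected
];
foreach ($samples as $raw) {
    try {
        $r = splitOtpLabel($raw);
        printf("%s => issuer=%s account=%s\n", $raw, var_export($r['issuer'], true), $r['account']);
    } catch (InvalidArgumentException $e) {
        printf("%s => rejected: %s\n", $raw, $e->getMessage());
    }
}
```

The account name returned by the helper never contains a colon, so it can be handled separately from the issuer.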