WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

TOTP: Verification Should Remove Spaces #317

Open alexclst opened 4 years ago

alexclst commented 4 years ago

When you are entering the TOTP code when verifying setup on the User Profile, verification fails if there is a space anywhere in the entered text. This can happen if someone copies the code out of an app (say, Authy) where what is copied has a space between the two sets of 3 numbers of the TOTP code. The string that is entered should be stripped of all spaces before verifying it to avoid ending up with an invalid verification, when indeed the numbers were all accurate.

kasparsd commented 4 years ago

This is a great suggestion and usability improvement, thank you @alexclst!

kasparsd commented 4 years ago

Reopening since this has been overwritten in one of the recent commits.

kasparsd commented 4 years ago

We probably need to add trim() around the input:

https://github.com/WordPress/two-factor/blob/736473edf5ff6d2fed18ba2406c772f30950343c/providers/class-two-factor-totp.php#L294
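
An added example, not code from the plugin or from anyone in this thread: it removes whitespace anywhere in the submitted code, which covers the `123 456` case from the report, whereas PHP's `trim()` strips only the ends of the string. The function names and the stand-in code `123456` are assumptions made for the illustration.

```php
<?php
// Added example: hypothetical helper names, not code from the two-factor plugin.

/**
 * Strip all whitespace from a submitted TOTP code, then require exactly
 * $digits ASCII digits. Returns the cleaned code, or null if it is invalid.
 */
function example_normalize_totp_input(string $raw, int $digits = 6): ?string
{
    // \s covers ASCII whitespace; \p{Z} adds Unicode separators such as U+00A0.
    $clean = preg_replace('/[\s\p{Z}]+/u', '', $raw);
    if ($clean === null) {
        return null; // e.g. the input was not valid UTF-8
    }
    // Reject, rather than silently drop, anything that is not a digit.
    if (preg_match('/\A[0-9]{' . $digits . '}\z/', $clean) !== 1) {
        return null;
    }
    return $clean;
}

/** Constant-time comparison of the cleaned input against the expected code. */
function example_check_totp_input(string $raw, string $expected): bool
{
    $clean = example_normalize_totp_input($raw, strlen($expected));
    return $clean !== null && hash_equals($expected, $clean);
}

// Constructed inputs; '123456' stands in for the code the server computed.
$expected = '123456';
$samples  = [
    '123 456',          // copied from an app that groups the digits
    " 123456\n",        // stray leading and trailing whitespace
    "123\u{00A0}456",   // no-break space between the groups
    '123-456',          // not whitespace: rejected
    '12345',            // too short: rejected
];

foreach ($samples as $raw) {
    printf(
        "%-16s trim-only match: %-5s normalized match: %s\n",
        json_encode($raw),
        var_export(hash_equals($expected, trim($raw)), true),
        var_export(example_check_totp_input($raw, $expected), true)
    );
}
```

Only whitespace is removed before the digit check, so input such as `123-456` still fails instead of being coerced into a valid-looking code.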