akanass / rx-otp

HMAC-based (HOTP) and Time-based (TOTP) One-Time Password manager. Works with Google Authenticator for Two-Factor Authentication.
MIT License

After verifying one valid code with GA, all other subsequent verifications also return true for the same secret. #1

Closed brunophilipe closed 9 years ago

brunophilipe commented 9 years ago
var check = OTP.googleAuthenticator.verify('123456', '0123456789ABCD', 2); // wrong code, returns null
var check = OTP.googleAuthenticator.verify('654321', '0123456789ABCD', 2); // right code, returns delta=0
// call after 10 seconds
var check = OTP.googleAuthenticator.verify('654321', '0123456789ABCD', 2); // right code, returns delta=0
// call after 30 seconds
var check = OTP.googleAuthenticator.verify('654321', '0123456789ABCD', 2); // right code, returns delta=0
// call after 5 minutes
var check = OTP.googleAuthenticator.verify('654321', '0123456789ABCD', 2); // right code, returns delta=0
// etc...

I found that manually setting the timestamp on GoogleAuthenticator.js line 248 fixes the problem, like so:

// before:
return TOTP.verify(_token, {string:self.decode(_secret)}, {window:_window});
// after:
return TOTP.verify(_token, {string:self.decode(_secret)}, {window:_window, timestamp: new Date().getTime()});

I believe it is being caused by joi caching the value of timestamp.

akanass commented 9 years ago

Hello Bruno,

Thank you for your report, and you are right. The joi schema is a singleton, and once it was loaded, the timestamp didn't change.

Sorry for this mistake and I will fix it this afternoon to publish it ASAP.

Best regards.

brunophilipe commented 9 years ago

Hi. It is no problem!

I have made a hotfix in my fork of your project https://github.com/brunophilipe/otp.js/commit/10724ca7d07e1a600ee779aab703f87304b308f7

However, since I have no familiarity with joi, I am not sure if this is the best way to fix this problem.

akanass commented 9 years ago

Hello,

I've just fixed the issue and I think my solution is better than yours because the solution must be implemented in TOTP.js and not only in GoogleAuthenticator.js.

Can you check out the new version 1.0.4 and test whether it's OK for you?

My unit tests are OK, but I prefer to check with real-time tests.

If it's OK for you, I will close this issue.

Thank you for your collaboration.

Best regards.