google / google-authenticator-libpam

Apache License 2.0

Add support for various chart URL generators, now that the Google one is gone #126

Open ylin0811 opened 5 years ago

ylin0811 commented 5 years ago

The chart URL generated by the API is no longer valid (https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth). The API needs to be updated.

ThomasHabets commented 5 years ago

Isn't it? It works for me.

(and please never use US-only date formats)

akerl commented 5 years ago

https://groups.google.com/forum/m/#!topic/google-chart-api/rZtHTyYgyXI

ThomasHabets commented 5 years ago

Thanks!

Sigh… and Google Charts doesn't support QR codes, that thread says. I'm reluctant to change to another provider, since this is access tokens. Clearly libqrencode is the best way, as it doesn't tell any server anything. A pure client-side JS implementation would be fine too.

I think best would be to:

  1. Remove references to Google Image Chart API URLs
  2. Find some JS client-side-only API that can do this.
  3. Add to this repo HTML that uses that API, tied to a specific version using subresource integrity to prevent a compromised server from compromising QR codes.

(1) is not urgent (fails safe). (2)&(3) I'd welcome outside work for, but don't see myself having time for in the short term.

Also always open to other suggestions.
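
Step (3) above, sketched as an added example that is not part of the original thread or the project's code: a build-time helper that computes the Subresource Integrity value for a pinned client-side QR library and checks a fetched copy against it. The library bytes, the URL and all function names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import html

# Weakest to strongest; used when an integrity attribute lists several algorithms.
_ALGS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for data."""
    if alg not in _ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Browser-style check: only tokens using the strongest listed algorithm
    count, and any one of them matching is enough."""
    tokens = []
    for raw in integrity.split():
        tok = raw.split("?", 1)[0]  # drop optional "?options" suffix
        alg = tok.partition("-")[0]
        if alg in _ALGS:
            tokens.append((alg, tok))
    if not tokens:
        return False  # assumption: fail closed on empty metadata
    strongest = max((a for a, _ in tokens), key=_ALGS.index)
    return any(hmac.compare_digest(sri_hash(data, a).encode(), t.encode())
               for a, t in tokens if a == strongest)


def script_tag(url: str, data: bytes) -> str:
    """Emit a <script> element pinned to the exact bytes in data."""
    return (f'<script src="{html.escape(url, quote=True)}" '
            f'integrity="{sri_hash(data)}" crossorigin="anonymous"></script>')


# Constructed stand-ins for a pinned QR library release and a modified copy.
PINNED_JS = b"function renderQR(el, text) { /* draws locally */ }\n"
TAMPERED_JS = PINNED_JS.replace(b"draws locally", b"changed on the server")
EXAMPLE_URL = "https://cdn.example/qr-lib@1.2.3/qr.min.js"  # placeholder

if __name__ == "__main__":
    pin = sri_hash(PINNED_JS)
    print(script_tag(EXAMPLE_URL, PINNED_JS))
    print("pinned copy accepted:", verify_sri(PINNED_JS, pin))
    print("modified copy accepted:", verify_sri(TAMPERED_JS, pin))
```

Listing a weaker hash next to the pinned one does not loosen the check, because only the strongest algorithm present is evaluated.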

selarom0429 commented 5 months ago

I think you can set the Makefile to use a different encoder URL. Something similar to the following worked for my testing (I removed the real name, issuer, secret and set the background color and size at the end of the URL).

https://qrcode.tec-it.com/API/QRCode?data=otpauth://totp/newuser@domain.tld%3Fsecret%3DHIG8REOU3MUPTNJDDWWCPUKAB3%26issuer%3DDomainTLD%2520MFA&backcolor=%23ffffff&size=small

The URL starts with https://qrcode.tec-it.com/API/QRCode?data= and then you add the OTP information as previously done. Add the background color and size of the QR code at the end: &backcolor=%23ffffff&size=small. Small seems to be best for all browsers. Medium and Large are too big for most users.

Maybe that could help you with the fact that Google has shut down their Chart APIs for creating the URLs.

ThomasHabets commented 5 months ago

For now I've removed the URL printing code.

I think better than a compile time URL would be if various QR code providers could be chosen on the command line. With "none" as default, because I don't want to encourage handing secrets to anyone. Really, it should never have been encouraging users to use Google by default, either.

I'll change the title of this issue with the way forward.

ThomasHabets commented 5 months ago

We have at least two. qrcode.tec-it.com (see above), and quickchart.io per this PR.