jchambers / java-otp

A one-time password (HOTP/TOTP) library for Java
MIT License

Publish artifact to Maven #3

Closed davidepedranz closed 6 years ago

davidepedranz commented 6 years ago

I tried to look for this library in Maven, but I cannot find it. It would be super handy to quickly include the library in Maven- or Gradle-based projects. Any plan to publish it to any Maven repository?

jchambers commented 6 years ago

I'm actually pretty hesitant to publish to Maven Central because this is a security-sensitive kind of thing and I haven't really done the diligence to make sure it lives up to that role. I intended this to be more of a "hey, everybody, here's how TOTP works" kind of project rather than something that actually goes into production.

That said, I'm somewhat alarmed to discover that Google thinks this is the top search result for "java totp" and "java one time password," so maybe we've already crossed that line by accident. Let me think it over. I'm open to arguments either way in the meantime.

davidepedranz commented 6 years ago

Thanks for the reply. Actually I would like to use your library because the APIs are really well designed and simple. The most popular library able to generate TOTP codes I could find (https://github.com/wstrange/GoogleAuth) tries to solve the entire authentication procedure (persistence, generation of recovery codes, etc.) and provides much more complicated APIs in comparison to your library. My use case is just to generate TOTP codes compliant with the standard to use them in more complex authentication schemes that go over a simple login with username, password and TOTP code.

davidepedranz commented 6 years ago

Hi again! I spent some time reading the RFCs for both TOTP and HOTP, reading the reference code, comparing it to your library, and checking out and running the test cases. Everything works perfectly, every single line of code is covered by the test cases (except the one checked exception that cannot be thrown). The test cases are the "official" ones given in the standard, so we are sure that the library is compliant with it.

As I said in the previous comment, I find your code simple and clean, much better than the reference code in the TOTP RFC. The library does one thing and does it well, as declared in the README. Thanks for your work!

That said, have you decided if you want to publish the library to Maven?
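The compliance check described above, reproduced as an added example (not code from java-otp or its author): a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation checked against the test vectors published in those RFCs (shared ASCII secret "12345678901234567890", HMAC-SHA1), plus a constant-time verifier that accepts a small window of time steps.

```python
import hmac
import hashlib
import struct

# Test secret shared by RFC 4226 Appendix D and RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> int:
    """HOTP per RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> int:
    """TOTP per RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, algorithm)


def verify(key: bytes, submitted: str, unix_time: int, window: int = 1, digits: int = 6) -> bool:
    """Accept the current step or +/- `window` adjacent steps (clock drift) without an early exit,
    comparing each candidate in constant time. `window` and `digits` are this example's parameters."""
    step = unix_time // 30
    matched = False
    for counter in range(step - window, step + window + 1):
        expected = f"{hotp(key, counter, digits):0{digits}d}"
        matched |= hmac.compare_digest(expected, submitted)
    return matched


def check_rfc_vectors() -> bool:
    """Return True only if every published RFC 4226 (6-digit) and RFC 6238 (8-digit, SHA-1) vector matches."""
    hotp_expected = [755224, 287082, 359152, 969429, 338314,
                     254676, 287922, 162583, 399871, 520489]
    totp_expected = {59: 94287082, 1111111109: 7081804, 1111111111: 14050471,
                     1234567890: 89005924, 2000000000: 69279037, 20000000000: 65353130}
    ok = all(hotp(RFC_SECRET, c) == v for c, v in enumerate(hotp_expected))
    ok &= all(totp(RFC_SECRET, t, digits=8) == v for t, v in totp_expected.items())
    return ok


if __name__ == "__main__":
    print("RFC vectors OK:", check_rfc_vectors())
```

Running the module prints `RFC vectors OK: True`; a library whose output differs from these vectors for the same inputs is not interoperable with standard authenticator apps.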

heruan commented 6 years ago

> I'm actually pretty hesitant to publish to Maven Central because this is a security-sensitive kind of thing and I haven't really done the diligence to make sure it lives up to that role.

Don't be hesitant, Maven Central is a repository with many broken and outdated artifacts, so nobody can say that if it's on Maven Central, then it's production ready.

This is a good and stable library that should be present on Maven Central.

jchambers commented 6 years ago

> Maven Central is a repository with many broken and outdated artifacts, so nobody can say that if it's on Maven Central, then it's production ready.

This is hardly a ringing endorsement ;)

I do sincerely appreciate the words of encouragement, but when it comes to security stuff, "the tests pass" isn't necessarily the only concern. That said:

  1. I think the Key handling here is minimal and about as safe as we can make it.
  2. I don't think we're making any outrageous claims in the docs or code about what this is, what it does, or what responsibilities still fall to users.

I guess I'll publish it, but jumping through those hoops might have to wait a little longer until I have enough consecutive hours free to go through the process, which is non-trivial.

Ditti4 commented 6 years ago

Hey there. Just so you know, Jitpack would be an easy way to make use of this library: https://jitpack.io/#jchambers/java-otp

This might serve as a workaround until you actually get around to publishing it to Maven Central.

Thanks for the awesome library!

jchambers commented 6 years ago

I've published java-otp to Maven Central. It should be available within a few hours.