matteo-convertino / otpmanager-nextcloud

Nextcloud app that allows you to manage your OTP (TOTP/HOTP) codes easily
GNU Affero General Public License v3.0
26 stars 5 forks source link

Desktop Client for OTP Manager #51

Open niclasheinz opened 3 months ago

niclasheinz commented 3 months ago

Hi @matteo-convertino

I'm currently working on a desktop client for the OTP manager. The only problem at the moment is that I can't generate the OTP codes via the secret from the API interface (${url}/apps/otpmanager/accounts). Could you please help me with the solution. How did you encrypt the secret? Do I need to pay special attention to anything? I'm the desktop application with Electron. I use Javascript as programming language.

Greedings, Niclas H.

matteo-convertino commented 3 months ago

Hi, I'm really happy that you are working to develop a desktop client for OTP Manager (there was also an issue opened some time ago that talked about this https://github.com/matteo-convertino/otpmanager-nextcloud/issues/33).

As for the generation of codes, I can tell you that everything you need can be found here:

However, I will explain where you can get passwordHash and iv:

Not knowing exactly what problems you were having I gave you some general instructions, I hope this has helped you with the generation of OTP codes.

niclasheinz commented 3 months ago

Hi

Thank you very much for your quick reply and your code snippets. What is the iv? Is that the encryption password I need to see the OTP codes over the web? I am really confused🫣.

3 Aug 2024 11:20:02 Matteo Convertino @.***>:

Hi, I'm really happy that you are working to develop a desktop client for OTP Manager (there was also an issue opened some time ago that talked about this #33[https://github.com/matteo-convertino/otpmanager-nextcloud/issues/33]).

As for the generation of codes, I can tell you that everything you need can be found here[https://github.com/matteo-convertino/otpmanager-nextcloud/blob/github/src/js/utils/generateCodes.js#L17-L19]:

However, I will explain where you can get passwordHash and iv:

Not knowing exactly what problems you were having I gave you some general instructions, I hope this has helped you with the generation of OTP codes.

— Reply to this email directly, view it on GitHub[https://github.com/matteo-convertino/otpmanager-nextcloud/issues/51#issuecomment-2266650996], or unsubscribe[https://github.com/notifications/unsubscribe-auth/BGLFC6MDG4KUWHFQJLBSSA3ZPSOEDAVCNFSM6AAAAABL5FCQACVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRWGY2TAOJZGY]. You are receiving this because you authored the thread. [Tracking image][https://github.com/notifications/beacon/BGLFC6JQJ3JU5FZ4ABI33FTZPSOEDA5CNFSM6AAAAABL5FCQACWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTUHDJMXI.gif]

matteo-convertino commented 2 months ago

Taken from here:

An initialization vector (IV) is an arbitrary number that can be used with a secret key for data encryption to foil cyber attacks. CBC uses an IV to prevent having the same plaintext result in the same (guessable) ciphertext. image

OTP Manager uses aes-256-cbc as the encryption algorithm and an account secret key is encrypted using 2 things: the hashed user password (with SHA256) and a unique IV for each user.

So to decrypt a secret key client-side, you will need those two things: the user's iv and hashed password (review the previous comment on how to get them).