Desktop Client for OTP Manager

[niclasheinz]

Hi @matteo-convertino

I'm currently working on a desktop client for the OTP manager. The only problem at the moment is that I can't generate the OTP codes via the secret from the API interface (${url}/apps/otpmanager/accounts). Could you please help me with the solution. How did you encrypt the secret? Do I need to pay special attention to anything? I'm the desktop application with Electron. I use Javascript as programming language.

Greedings, Niclas H.

[matteo-convertino]

Hi, I'm really happy that you are working to develop a desktop client for OTP Manager (there was also an issue opened some time ago that talked about this https://github.com/matteo-convertino/otpmanager-nextcloud/issues/33).

As for the generation of codes, I can tell you that everything you need can be found here:

However, I will explain where you can get passwordHash and iv:

• iv: after you have checked that the password is correct with /password/check, the backend will return the iv.
• passwordHash: after you have checked that the password is correct, take the password that the user entered and hash it with the SHA256 algorithm (like here)

Not knowing exactly what problems you were having I gave you some general instructions, I hope this has helped you with the generation of OTP codes.

[niclasheinz]

Hi

Thank you very much for your quick reply and your code snippets. What is the iv? Is that the encryption password I need to see the OTP codes over the web? I am really confused🫣.

3 Aug 2024 11:20:02 Matteo Convertino @.***>:

Hi, I'm really happy that you are working to develop a desktop client for OTP Manager (there was also an issue opened some time ago that talked about this #33[https://github.com/matteo-convertino/otpmanager-nextcloud/issues/33]).

As for the generation of codes, I can tell you that everything you need can be found here[https://github.com/matteo-convertino/otpmanager-nextcloud/blob/github/src/js/utils/generateCodes.js#L17-L19]:

However, I will explain where you can get passwordHash and iv:

• iv: after you have checked that the password is correct with /password/check, the backend will return the iv.
• passwordHash: after you have checked that the password is correct, take the password that the user entered and hash it with the SHA256 algorithm (like here[https://github.com/matteo-convertino/otpmanager-nextcloud/blob/github/src/js/utils/Password.js#L60])

Not knowing exactly what problems you were having I gave you some general instructions, I hope this has helped you with the generation of OTP codes.

— Reply to this email directly, view it on GitHub[https://github.com/matteo-convertino/otpmanager-nextcloud/issues/51#issuecomment-2266650996], or unsubscribe[https://github.com/notifications/unsubscribe-auth/BGLFC6MDG4KUWHFQJLBSSA3ZPSOEDAVCNFSM6AAAAABL5FCQACVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENRWGY2TAOJZGY]. You are receiving this because you authored the thread. [Tracking image][https://github.com/notifications/beacon/BGLFC6JQJ3JU5FZ4ABI33FTZPSOEDA5CNFSM6AAAAABL5FCQACWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTUHDJMXI.gif]

[matteo-convertino]

Taken from here:

An initialization vector (IV) is an arbitrary number that can be used with a secret key for data encryption to foil cyber attacks. CBC uses an IV to prevent having the same plaintext result in the same (guessable) ciphertext.

OTP Manager uses aes-256-cbc as the encryption algorithm and an account secret key is encrypted using 2 things: the hashed user password (with SHA256) and a unique IV for each user.

So to decrypt a secret key client-side, you will need those two things: the user's iv and hashed password (review the previous comment on how to get them).