pyauth / pyotp

Python One-Time Password Library
https://pyauth.github.io/pyotp/

random_base32 now returns 32 instead of promised 16 characters in version 2.6.0 #116

Closed RamonvdW closed 3 years ago

RamonvdW commented 3 years ago

Hello,

I found a change in behavior of pyotp.random_base32(). According to your helptext it must generate a 16 character secret: "A helper function is provided to generate a 16 character base32 secret, compatible with Google Authenticator and other OTP apps: pyotp.random_base32()"

But when I run it with v2.6.0:

$ python -c "import pyotp; print(len(pyotp.random_base32()))"
32
$

My TOTP secrets need to be 16 characters. When I pass it length=16 it raises a ValueError exception. I consider this change of API behavior a bug.

kislyuk commented 3 years ago

Thanks for your interest in PyOTP. The old behavior that produced 16-character secrets was not compliant with the HOTP and TOTP RFCs. While old copies of the published documentation may contain a reference to 16 characters, that has now been updated to say 32 characters. This behavior is not a bug and the API change is intentional.

RamonvdW commented 3 years ago

Thanks for the quick response. Your users will appreciate it if you could document this API change as "backwards incompatible change" in the release notes.

Ramon
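Added example, not part of the original thread and not PyOTP's code: a standard-library check that shows why 16 base32 characters fall short, as the maintainer's reply states. Each base32 character carries 5 bits, so 16 characters give 80 bits, while RFC 4226 (section 4, R6) requires at least 128 bits and recommends 160. The names `secret_bits`, `audit`, `new_secret` and the sample secrets are constructed for illustration.

```python
import base64
import secrets

MIN_BITS = 128          # RFC 4226 section 4, R6: secret MUST be at least 128 bits
RECOMMENDED_BITS = 160  # RFC 4226 section 4, R6: 160 bits is RECOMMENDED

def secret_bits(b32_secret: str) -> int:
    """Key length in bits of a base32 OTP secret (case, spaces, dashes, padding ignored)."""
    cleaned = b32_secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty secret")
    padded = cleaned + "=" * (-len(cleaned) % 8)  # restore padding stripped by OTP apps
    return len(base64.b32decode(padded)) * 8      # binascii.Error is a ValueError subclass

def audit(secrets_by_user: dict) -> dict:
    """Map each user to (status, bits) so short legacy secrets can be re-enrolled."""
    report = {}
    for user, value in secrets_by_user.items():
        try:
            bits = secret_bits(value)
        except ValueError:
            report[user] = ("invalid", 0)
            continue
        if bits < MIN_BITS:
            status = "too-short"
        elif bits < RECOMMENDED_BITS:
            status = "below-recommended"
        else:
            status = "ok"
        report[user] = (status, bits)
    return report

def new_secret(nbytes: int = 20) -> str:
    """Base32 secret from the OS CSPRNG; the default 20 bytes encode to 32 characters."""
    if nbytes * 8 < MIN_BITS:
        raise ValueError("secret shorter than the 128-bit minimum")
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")

# Constructed sample data, not real credentials.
SAMPLE = {
    "alice": "JBSWY3DPEHPK3PXP",                  # 16 chars, 80 bits (legacy length)
    "bob": "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP",    # 32 chars, 160 bits
    "carol": "A" * 26,                            # 26 chars, 128 bits
    "dave": "not-base32!",                        # fails to decode
}

if __name__ == "__main__":
    for user, (status, bits) in audit(SAMPLE).items():
        print(f"{user}: {status} ({bits} bits)")
```
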