pyauth / pyotp

Python One-Time Password Library
https://pyauth.github.io/pyotp/

Confusion about positive integer #166

Closed edent closed 3 weeks ago

edent commented 3 weeks ago

Running `totp.at(-29)` produces a TOTP code. Running `totp.at(-30)` correctly raises `ValueError("input must be positive integer")` as per: https://github.com/pyauth/pyotp/blob/249674bf2814e1fcc3152c618514159cd44b4610/src/pyotp/otp.py#L28-L34

I'm just curious as to why some negative numbers work.

peterthomassen commented 3 weeks ago

This is because the interval division is subject to a rounding error for inputs smaller than the interval: https://github.com/pyauth/pyotp/blob/249674bf2814e1fcc3152c618514159cd44b4610/src/pyotp/totp.py#L113-L116

So it seems that values in the range [1-interval, -1] "work". (For the default interval of 30, this is from -29 up to -1).
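The behaviour discussed in this thread, reproduced as an added stand-alone example (not pyotp's code and not posted by either commenter). It assumes the time counter is computed as `int(ts / interval)`, which truncates toward zero, and compares that with floor division; the function names and the RFC 4226 test key are choices made for this sketch.

```python
import hashlib
import hmac
import struct

INTERVAL = 30  # default TOTP step mentioned in the thread
KEY = b"12345678901234567890"  # RFC 4226 Appendix D test key (sample value)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with the same negative-counter rejection quoted in the issue."""
    if counter < 0:
        raise ValueError("input must be positive integer")
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def timecode_truncating(ts: int, interval: int = INTERVAL) -> int:
    # Assumed form of the division: int() truncates toward zero,
    # so -29 / 30 = -0.966... becomes counter 0 instead of -1.
    return int(ts / interval)


def timecode_floor(ts: int, interval: int = INTERVAL) -> int:
    # Floor division rounds toward negative infinity, so every
    # negative timestamp maps to a negative counter and is rejected.
    return ts // interval


def accepted_negatives(timecode, interval: int = INTERVAL) -> list:
    """Negative timestamps in [-2*interval, -1] for which a code is still produced."""
    accepted = []
    for ts in range(-2 * interval, 0):
        try:
            hotp(KEY, timecode(ts, interval))
            accepted.append(ts)
        except ValueError:
            pass
    return accepted


if __name__ == "__main__":
    print("truncating:", accepted_negatives(timecode_truncating))
    print("floor:     ", accepted_negatives(timecode_floor))
```

With truncation, every timestamp from -29 to -1 lands on counter 0 and yields the same code as timestamps 0 to 29; a caller that wants all negative inputs rejected can validate the timestamp before dividing or use floor division.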