pyauth / pyotp

Python One-Time Password Library
https://pyauth.github.io/pyotp/

Invalid token if it start with 0 - HOTP #58

Closed Yxoti closed 6 years ago

Yxoti commented 6 years ago

If the generated token starts with 0 and you want to verify it with the command hotp.verify(TOKEN, COUNTER), an error occurs:

SyntaxError: invalid token

How to reproduce this:

import pyotp

seed = "S53FURSFO47OKDE4"  # generated first with pyotp.random_base32()
hotp = pyotp.HOTP(seed)
hotp.at(0)  # => 055028
hotp.verify(055028, 0)  # => SyntaxError: invalid token (the leading-0 integer literal is what fails)

If you try with hotp.at(1) (with the same seed) and verify it next, it works.

Have you any idea why? Is it possible to prevent tokens from being generated with 0 at the start?

Best regards, Yxoti

kislyuk commented 6 years ago

You are trying to pass an OTP token as an integer literal, which you should avoid doing. Always use strings to represent OTP tokens. This library already handles this correctly internally, returning only string values.

I checked the package documentation and it had erroneous examples that appeared to suggest using integer literals. I updated the documentation to eliminate that problem.

It is not possible to prevent the generation of tokens that start with 0.
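To illustrate the point made in the answer above, here is an added example (not pyotp's own code, and not part of the original thread): a minimal RFC 4226 HOTP that always returns the code as a zero-padded string, and a verify() that refuses anything but a string. It takes the secret as raw bytes rather than base32, and uses the RFC 4226 Appendix D test secret as constructed input.

```python
import hashlib
import hmac
import struct


def format_code(code_int: int, digits: int) -> str:
    """Render the truncated HMAC value as a fixed-width decimal string.
    str().zfill keeps leading zeros; an int (55028) cannot represent '055028'."""
    return str(code_int % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return format_code(code_int, digits)


def verify(secret: bytes, token: str, counter: int, digits: int = 6) -> bool:
    """Compare a user-supplied token with the expected code for `counter`.
    Tokens must be strings: an int would lose the leading zero (and a
    leading-0 literal is octal or a SyntaxError in Python source)."""
    if not isinstance(token, str):
        raise TypeError("OTP tokens must be strings, e.g. '055028'")
    expected = hotp(secret, counter, digits)
    # constant-time comparison so a wrong digit position does not leak via timing
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed input: the RFC 4226 Appendix D test secret (ASCII digits).
    secret = b"12345678901234567890"
    print(hotp(secret, 0))                # 755224
    print(verify(secret, "755224", 0))    # True
    print(format_code(55028, 6))          # 055028
    try:
        verify(secret, 755224, 0)
    except TypeError as err:
        print(err)
```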

tilkinsc commented 6 years ago

https://stackoverflow.com/questions/11620151/what-do-numbers-starting-with-0-mean-in-python

The leading 0 integer literal means it is an octal number. You can do a to-string conversion, just leave the 0 off the number.

kislyuk commented 6 years ago

That's needlessly confusing. Do not do a conversion, do not deal in octal numbers. Always treat OTP codes as strings.

tilkinsc commented 6 years ago

It's not needlessly confusing. You can have it in integer format and can change it to a string. That is a typical situation. That number is problematic, though, because it is in octal notation, which gets in the way; it's specifying a mis-formatting of a number. In Python other than 2.7, though, that is deprecated and doesn't work; the format is 0o%d.