speakeasyjs / speakeasy

**NOT MAINTAINED** Two-factor authentication for Node.js. One-time passcode generator (HOTP/TOTP) with support for Google Authenticator.
MIT License
2.71k stars 229 forks

Master branch and v2.0.0 tag produce different totp tokens #98

Open conorgil opened 7 years ago

conorgil commented 7 years ago

I have been banging my head on this for a while and need someone to either tell me what silly thing I'm doing wrong, or help me figure out why the master branch is broken:

package.json

```json
{
  "dependencies": {
    "speakeasy_v200": "https://github.com/speakeasyjs/speakeasy#4e0aa91dee166306e07ea11e371d5a5df95f4391",
    "speakeasy_master": "https://github.com/speakeasyjs/speakeasy#cb58351b7eb829719dbee2df2ede53d97721e"
  }
}
```

main.js

```js
let speakeasy_v200 = require('speakeasy_v200');
let speakeasy_master = require('speakeasy_master');

let secret = 'xhwb2ilzt5gqyxrz';

// The v2.0.0 branch produces a code which
// DOES match that produced by
// Google Authenticator, FreeOTP, etc
let token_v200 = speakeasy_v200.totp({
  secret: secret,
  encoding: 'base32'
});
console.log('v2.0.0 = %s', token_v200);

// The master branch produces a code which
// DOES NOT match anything...
let token_master = speakeasy_master.totp({
  secret: secret,
  encoding: 'base32'
});
console.log('master = %s', token_master);

if(token_v200 !== token_master) {
  console.log('WAT?!?!?!?!');
}
```

Now, install and run:

```
$> yarn install
...
$> node main.js
v2.0.0 = 922665
master = 616379
WAT?!?!?!?!
```

Any thoughts, comments, hints, suggestions, second set of eyes, etc, etc are seriously appreciated. Thanks!

conorgil commented 7 years ago

Any thoughts/comments from the maintainers?

SimonSchick commented 7 years ago

There are a LOT of changes between master and 2.0.0 and there hasn't been a release in a while; the API probably changed.

tommilligan commented 3 years ago

The base32 secret shown in your example is not a multiple of 8 in length - therefore this bug may be caused by #135