Commit 701e9590 authored by Pavel Mashliakovskiy's avatar Pavel Mashliakovskiy 🤹🏻

TOTP (Google Authenticator) One Time Password verification fixed to allow +-90 second shift

parent e2320a88
......@@ -14,7 +14,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
### Removed
### Fixed
- TOTP (Google Authenticator) One Time Password verification fixed to allow up to (inclusive) 90 second shift between the server and a caller.
Because of arithmetic mistake previous implementation validate correctly only up to (but not inclusive) +-30 second shift.
## [5.4.23] - 2020-07-26
## [5.4.22] - 2020-07-19
## [5.4.21] - 2020-07-16
......@@ -31,14 +31,15 @@ module.exports = {
/**
* Generate TOTP by given secret
* @param {string} secret User secret previously generated by generateTotpSecret
* @param {number} [shift=0] time shift
* @param {number} [shift=0] Time shift in seconds. Can be used to generate +-30(90) second TOTP value to compare
* with result from user - this allows small time un-sync (or slow network) between user device and server
* @return {string} TOTP value (6 digits code)
*/
function getTotp (secret, shift) {
shift = shift || 0
let hkey = base32ToHex(secret)
let epoch = Math.round(Date.now() / 1000.0)
let time = dec2hex(Math.floor(epoch / PERIOD) + shift).padStart(16, '0')
let secondSinceEpoch = Math.round(Date.now() / 1000.0)
let time = dec2hex(Math.floor((secondSinceEpoch + shift) / PERIOD)).padStart(16, '0')
let hmac = nhmac_sha1(Buffer.from(hkey, 'hex'), Buffer.from(time, 'hex'))
let offset = parseInt(hmac.substring(hmac.length - 1), 16)
let otp = (parseInt(hmac.substring(offset * 2, offset * 2 + 8), 16) & 0x7fffffff) + ''
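Review bot: With the shift arithmetic corrected, a verifier that probes every step from -90 to +90 seconds accepts 7 distinct codes per attempt instead of 1, so the per-guess success probability for a 6-digit code rises from 1e-6 to 7e-6; RFC 6238 §5.2 recommends at most one step on either side, and whatever compares the result "with result from user" (not in this hunk) should also rate-limit attempts and refuse a code that was already accepted, otherwise the wider window makes brute forcing and replay easier. The JSDoc's "+-30(90)" is ambiguous about what the caller is expected to do; I would write `@param {number} [shift=0] Time shift in seconds, a multiple of PERIOD (e.g. -30, 0, 30). Each extra 30s step the verifier tries adds one more accepted code per attempt, so keep the window to one step either side and limit attempts.` getTotp's body continues outside the hunk.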