Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OTP verification failed when time delta is less than period #89

Open
Circles24 opened this issue Nov 9, 2023 · 1 comment
Open

OTP verification failed when time delta is less than period #89

Circles24 opened this issue Nov 9, 2023 · 1 comment

Comments

@Circles24
Copy link

I'm not able to validate a TOTP even when time delta is less than period specified, lets say the OTP was generated on x timestamp then validating OTP on x+200 timestamp is failing even when period specified is 300.

The issue is not reproducible at go playground, there the validation is working fine, here's the go playground link : https://go.dev/play/p/xv8TM8pKlq6
This is the go version I'm using at my machine

➜  temp git:(main) ✗ go version  
go version go1.21.3 darwin/amd64

library version

github.com/pquerna/otp v1.4.0

logs from my machine

➜  temp git:(main) ✗ go run main.go
2023/11/09 07:48:34 otp generated 633653
2023/11/09 07:48:34 2023-11-09 07:48:34.344927 +0530 IST m=+0.000137523
2023/11/09 07:48:34 2023-11-09 07:51:54.344927 +0530 IST m=+200.000137523
2023/11/09 07:48:34 otp verification failed

logs from go-playground

2009/11/10 23:00:00 otp generated 902988
2009/11/10 23:00:00 2009-11-10 23:00:00 +0000 UTC m=+0.000000001
2009/11/10 23:00:00 2009-11-10 23:03:20 +0000 UTC m=+200.000000001
2009/11/10 23:00:00 otp verified

Program exited.
@Plaenkler
Copy link

I adapted your code a little and ran the experiment. I was also able to detect the error, but not consistently.

package main

import (
	"log"
	"time"

	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"
)

func main() {
	secret := "FI25AMFLRMYO7OMLI7A2PJOCWMNM6LIR"
	now := time.Now()
	passcode, err := totp.GenerateCodeCustom(secret, now, totp.ValidateOpts{
		Period: 300,
	})
	if err != nil {
		log.Println("error generating otp", err)
		return
	}
	log.Printf("otp generated: %s", passcode)
	// Validation at the same time as generation
	valid, err := totp.ValidateCustom(passcode, secret, now, totp.ValidateOpts{
		Digits: otp.DigitsSix,
		Period: 300,
	})
	log.Printf("validated otp for generation time: %v", valid)
	// Validation at a later time within the validity period
	validationTime := now.Add(time.Second * 200)
	valid, err = totp.ValidateCustom(passcode, secret, validationTime, totp.ValidateOpts{
		Digits: otp.DigitsSix,
		Period: 300,
	})
	if err != nil {
		log.Println("error validating otp", err)
		return
	}
	log.Printf("validated otp for validation time: %v", valid)
}
PS C:\Users\SLukas.AVANIS\Desktop\TEST TOTP> go run .
2023/11/09 13:04:57 otp generated: 968426
2023/11/09 13:04:57 validated otp for generation time: true
2023/11/09 13:04:57 validated otp for validation time: false
PS C:\Users\SLukas.AVANIS\Desktop\TEST TOTP> go run .
2023/11/09 13:04:58 otp generated: 968426
2023/11/09 13:04:59 validated otp for generation time: true
2023/11/09 13:04:59 validated otp for validation time: false
PS C:\Users\SLukas.AVANIS\Desktop\TEST TOTP> go run .
2023/11/09 13:05:00 otp generated: 813977
2023/11/09 13:05:00 validated otp for generation time: true
2023/11/09 13:05:00 validated otp for validation time: true
PS C:\Users\SLukas.AVANIS\Desktop\TEST TOTP> go run .
2023/11/09 13:05:01 otp generated: 813977
2023/11/09 13:05:01 validated otp for generation time: true
2023/11/09 13:05:01 validated otp for validation time: true

In the ValidateOpts there is a field Skew that takes into account a time offset between “server” and “client”.
If Skew is not set, it corresponds to 0. If I set the field, the result is always valid.

package main

import (
	"log"
	"time"

	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"
)

var iterations []bool

func main() {
	for i := 0; i < 100; i++ {
		err, result := test()
		if err != nil {
			log.Printf("error in iteration %d: %v", i, err)
		}
		iterations = append(iterations, result)
	}
	log.Println(iterations)
}

func test() (error, bool) {
	secret := "FI25AMFLRMYO7OMLI7A2PJOCWMNM6LIR"
	now := time.Now()
	passcode, err := totp.GenerateCodeCustom(secret, now, totp.ValidateOpts{
		Period: 300,
	})
	if err != nil {
		log.Println("error generating otp", err)
		return err, false
	}
	// Validation at a later time within the validity period
	validationTime := now.Add(time.Second * 200)
	valid, err := totp.ValidateCustom(passcode, secret, validationTime, totp.ValidateOpts{
		Digits: otp.DigitsSix,
		Period: 300,
		Skew:   1,
	})
	if err != nil {
		log.Println("error validating otp", err)
		return err, false
	}
	return nil, valid
}
PS C:\Users\SLukas.AVANIS\Desktop\TEST TOTP> go run .
2023/11/09 13:27:05 [true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true true]

@Plaenkler Plaenkler mentioned this issue Nov 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[FIX] Default Skew 1
2 participants
@Circles24 @Plaenkler