tadeck / onetimepass Goto Github PK

Hello!

I notice that there is a incongruence about the license:

setup.py:23: 'License :: OSI Approved :: MIT License',
onetimepass/__init__.py:9: @license: MIT
onetimepass/__init__.py:41: __license__ = 'GNU Lesser General Public License (LGPL)'

I guess that this is just a cut and paste error, but non the less... :-)

Hi,Recently been working on how to get the token from google authenticator with window or chrome extension, But now it is not working, the website is restrict need google authenticator or microsoft authenticator.
Left console is the python output, but is invalid tokenRight is android emulator token code wichi is working fine.

I was reviewing stackoverflow for how people dealt with leftmost zeroes and I stumbled on this library

There's some issues stemming from the integer conversion where tokens with zeroes are treated as octal, and hence the implementation checks against the wrong token https://stackoverflow.com/questions/39695700/python-flask-app-leading-zeros-in-totp-error-python-2-7

But the subtle issue is that the library doesn't enforce the token length. By casting a string/int to an integer, you discard the leftmost zeroes and hence could allow 1 if the token was actually 000001.
https://github.com/tadeck/onetimepass/blob/master/onetimepass/__init__.py#L216

I suggest adhering to string semantics to avoid accepting potentially invalid input, and adopting a length constant time equality check when testing input against a candidate token here to eliminate timing side channels: https://github.com/tadeck/onetimepass/blob/master/onetimepass/__init__.py#L268

Hi, the get_totp() function is working great but i notice that if the result starts with 0 (e.g: 028526), it just prints 28526. Is there any way to fix this?

Maybe I am doing something wrong, but when a secret has a digit in the first position generating a OTP fails. Is this by design or am I doing something wrong?

my_secret = 'aaaaaaaaaaaaaaaa'
my_token = otp.get_totp(my_secret)

my_secret = '1aaaaaaaaaaaaaaa'
my_token = otp.get_totp(my_secret)
Traceback (most recent call last):
File "", line 1, in
File "/var/www/project/lib/python2.7/site-packages/onetimepass/init.py", line 162, in get_totp
token_length=token_length,
File "/var/www/project/lib/python2.7/site-packages/onetimepass/init.py", line 113, in get_hotp
raise TypeError('Incorrect secret')
TypeError: Incorrect secret

Thanks for the help

Add in two features that exists in the oath library. Specifically the ability to specify a specific clock time other than the current for generate and for validate. And the ability to specify a window of time intervals on each side of the clock that will be considered to be successful in valid_totp.

Hello,

I was just testing the OTP generation using get_totp method and
otp.get_totp(my_secret,interval_length = timeout,token_length=length)
had given 6 as the desired length, I tested it for 100 odd iterations and to my surprise, it returned OTPs for length less than 6 sometimes, like 3 out of 100 were of length 4 or 5.

mysecret = base64.b32encode(str(chat_id[0:9])) timeout = 160 length=6

Please tell me how to fix this,

uploading the test results for reference

out.log

The download_url in setup.py does not contain the module name. pip install -vvv onetimepass includes the following message (manually wrapped):

Skipping link https://github.com/tadeck/onetimepass/archive/v0.1.2.tar.gz
(from https://github.com/tadeck/onetimepass); wrong project name (not onetimepass)

and fails with the the following errors:

Could not find any downloads that satisfy the requirement onetimepass
No distributions at all found for onetimepass

The following installation method does work:

pip install https://github.com/tadeck/onetimepass/archive/v0.1.2.tar.gz

onetimepass__init__.py", line 100, in get_hotp

Incorrect secret

my_secret = 'Q413I60L68T7A9QF'
my_token = otp.get_totp(my_secret)

cef34ff/CONTRIBUTING.rst says to use doctest. But how?

Doing python -m unittest from the repo root seems to work.

There was one report of some service returning lowercase secret, so when provided to the library, there was an issue (base64.b32decode accepts only uppercase letters).

This can be solved by setting casefold argument of base64.b32decode to True.

How we can create a new secret code with the plugin?

Hello,

I am attempting to convert your module so that it can be used as a substitute for Authy. They've told me via Twitter that they use the same algorithm as GAuth except with a 7-digit response, 256-bit keys/seed and a 10 second interval.

I think I've made the right changes in this branch, but there's been zero testing because doing so essentially requires one of the two things I'm trying to avoid: giving Authy my mobile phone number. The other thing I'm trying to avoid is handing over authentication details to a third party.

Anyway, you might still find it useful, so feel free to poke at it. If I can find a way to test it against what Authy is selling to various places (including CloudFlare) then I'll update later.

Regards,
Ben

Here's an example:

Example key: IKXZU5VUX5WWYOIF

Output from my phone => 599234
Output from get_totp => 953955

All secrets generated by fastmail see to make the library crash. I can't find any common pattern for them:

>>> import onetimepass
>>> onetimepass.get_totp('7uzthj2u3te6dopflwqbwa5n6u', as_string=True, token_length=6)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/site-packages/onetimepass/__init__.py", line 169, in get_totp
    token_length=token_length,
  File "/usr/lib/python3.6/site-packages/onetimepass/__init__.py", line 113, in get_hotp
    key = base64.b32decode(secret, casefold=casefold)
  File "/usr/lib/python3.6/base64.py", line 205, in b32decode
    raise binascii.Error('Incorrect padding')
binascii.Error: Incorrect padding

The one included in the above example is safe to share since I never added confirmed adding that one to my account. :)

Hi.
I have seen tokens shorter than others and I think it happens because you use 'int', hence when the first digit is a zero it is stripped.
For instance, an attempt with a random secret, on that precise moment, gave me this result:

>>> my_secret='5keaubwr6am3xmoogkjqxt56t4puuu52'
>>> otp.get_totp(my_secret)
79770

p.s.: I didn't try to add a leading zero and login, as the secret was random, and I couldn't use this OTP in a real scenario.

The readme documentation seems to be incomplete - it doesn't list all parameters. If you are expecting people to read the source as documentation, please link to the source code for each method (but I'd recommend you have reference documentation in a single canonical place).

The default token_length is 6, but sometime get_totp returns tokens with lengths of 5. You can see from the last value in the screenshot attached.