speakeasyjs / speakeasy

**NOT MAINTAINED** Two-factor authentication for Node.js. One-time passcode generator (HOTP/TOTP) with support for Google Authenticator.


Already used token

AndoKarim opened this issue · comments

Hello,
It's more a question than an issue. How should the system handle the fact that a token is used twice? (To avoid a man-in-the-middle attack.) Should the library handle it, or our implementation?

Thank you in advance.

commented

(I'm implementing this now so I like the question, even though it's a bit old.)

In general, the library's purpose is to do the basic security calculations, but it does not save state. Our implementations save state. (i.e. What is the user's secret? What is the last used token?)

Benefit: If the token is time based, then there is a very small time window for an attacker to exploit. So any attack would have to be done in real-time, so I'm not sure how important this additional validation would be. But better is better.

Implementation: In our implementations, if I (or you) persist the last used token(s) together with the secret for each user, then it won't increase the data retrieval and validation time, since we must retrieve the user's secret anyway to do a token validation. Then we update the last used token for the user (I'm already updating the last login date in the same place.)

Also, I would recommend only saving valid/successful tokens. This will eliminate the possibility of an attacker submitting a bogus token (to reset the last used value), then immediately sending the valid token.

(I would love to hear any improvements to my thoughts on this)