yeojz / otplib

:key: One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator

Home Page: https://otplib.yeojz.dev


New totp every time?

digitalml opened this issue · comments

I'm trying to create a time-based one-time password in Node that is new every single time generate is called (the secret is the same every time, from the env file). I need the verify window to be 5 mins.

The problem I am having is that I get duplicates. I assume this is because step = 30 by default and a new TOTP will only be generated every 30 seconds? I tried to set it to 0; that didn't work. I tried 1 and I do get a new key every second, but if I call it more than once a second I get duplicates. I thought epoch (Date.now()) would solve this issue but it does not.

Can you please tell me on how to get a new totp every single generate but still have it valid for 5 mins on verify?

commented

I think what you are trying to achieve is against time-based one-time password's rules. The secret should be UNIQUE for every USER. So the same secret will generate the same password every time during its step (time in seconds). You can get 5 minutes by multiplying 60 seconds by 5, so have step: 300. This means that the generated password will be valid for 5 minutes, and during that 5 minutes its secret will generate the same password.

@digitalml Did you ever find a solution for this? I am trying this package in my E2E tests, and if I require login in my tests, some of my tests fail because the same token is being re-used, which gives the error "token expired".

commented

I think @suruaku made a good point here.
I tried to use it as suggested and it works fine.
Thanks.

> I think what you are trying to achieve is against time-based one-time password's rules. The secret should be UNIQUE for every USER. So the same secret will generate the same password every time during its step (time in seconds). You can get 5 minutes by multiplying 60 seconds by 5, so have step: 300. This means that the generated password will be valid for 5 minutes, and during that 5 minutes its secret will generate the same password.

@suruaku
This may be a very basic question, but how are tokens unique per user? How can otplib decide who is a unique user that's making the request vs who's the same user making requests on repeat?

commented

@juanGoesElectric If by token you mean secret, then it's up to you. One way, for example, is to use some kind of unique option depending on your database (MongoDB example). The same way you ensure a unique email for every user.