simontabor / 2fa
Node.js TOTP + HOTP library, with nice utilities for handling 2FA
License: MIT License
Can you add a license to the project? Or should I assume it's no-license?
The generateKey algorithm generates base36 keys, which cannot be entered manually into the Google Authenticator app. These base36 keys are converted to base32 in the generateGoogleQRCode function, but there's no means to get a base32 encoded key for manual entry.
Line 66 in f42eef5
The string comparison of the HOTP code against the user-supplied code needs to be secure against timing attacks. There are various methods of addressing this, including those in this stackoverflow:
Here is a secure implementation with proof code that the timing issue exists.
```javascript
const crypto = require("crypto"); // unused in this snippet; Node also ships crypto.timingSafeEqual for the same purpose

// XOR each character pair and OR the results together, so the loop always
// runs over the whole string no matter where the first difference is.
function constantTimeCompare(a, b) {
  if (a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Wall-clock time of a single comparison call, in nanoseconds (BigInt).
function timeComparison(a, b, comparisonFunction) {
  const start = process.hrtime.bigint();
  comparisonFunction(a, b);
  const end = process.hrtime.bigint();
  return end - start;
}

// Pairs that differ only in the last character vs. only in the first character.
const stringLength = 1000;
const almostSameString1 = "a".repeat(stringLength - 1) + "b";
const almostSameString2 = "a".repeat(stringLength);
const differentString1 = "b" + "a".repeat(stringLength - 1);
const differentString2 = "a".repeat(stringLength);

let constantTimeTotal1 = BigInt(0);
let constantTimeTotal2 = BigInt(0);
let nonConstantTimeTotal1 = BigInt(0);
let nonConstantTimeTotal2 = BigInt(0);
const iterations = 100000;

for (let i = 0; i < iterations; i++) {
  constantTimeTotal1 += timeComparison(
    almostSameString1,
    almostSameString2,
    constantTimeCompare
  );
  constantTimeTotal2 += timeComparison(
    differentString1,
    differentString2,
    constantTimeCompare
  );
  // Plain === stops at the first mismatching character.
  nonConstantTimeTotal1 += timeComparison(
    almostSameString1,
    almostSameString2,
    (a, b) => a === b
  );
  nonConstantTimeTotal2 += timeComparison(
    differentString1,
    differentString2,
    (a, b) => a === b
  );
}

const constantTimeAverage1 = constantTimeTotal1 / BigInt(iterations);
const constantTimeAverage2 = constantTimeTotal2 / BigInt(iterations);
const nonConstantTimeAverage1 = nonConstantTimeTotal1 / BigInt(iterations);
const nonConstantTimeAverage2 = nonConstantTimeTotal2 / BigInt(iterations);

console.log(
  "Average time for constant-time comparison when strings differ at the end:",
  constantTimeAverage1.toString()
);
console.log(
  "Average time for constant-time comparison when strings differ at the start:",
  constantTimeAverage2.toString()
);
console.log(
  "Average time for non-constant-time comparison when strings differ at the end:",
  nonConstantTimeAverage1.toString()
);
console.log(
  "Average time for non-constant-time comparison when strings differ at the start:",
  nonConstantTimeAverage2.toString()
);
```
@simontabor I just found out about your project and I'm very impressed with the work. I'm considering using your module. But I have one concern: how up to date is your project? Because I see that the last update was 2 years ago. So there are two options, either:
Let me know :)
verifyHOTP generates codes in xxxxxx format.
Backup codes are in xxxx-xxxx-xxxx format.
No method for verifying them is available. How to do that?
What is the method to verify backup codes generated at start with key? Verifying with tfa.verifyTOTP() or HOTP returns false.