authelia/internal/totp/totp.go

package totp

import (
	"encoding/base32"
	"fmt"
	"time"

	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/model"
)

// NewTimeBasedProvider creates a new totp.TimeBased which implements the totp.Provider.
func NewTimeBasedProvider(config schema.TOTPConfiguration) (provider *TimeBased) {
	provider = &TimeBased{
		opts: &model.TOTPOptions{
			Algorithm:  config.DefaultAlgorithm,
			Algorithms: config.AllowedAlgorithms,
			Period:     config.DefaultPeriod,
			Periods:    config.AllowedPeriods,
			Length:     config.DefaultDigits,
			Lengths:    config.AllowedDigits,
		},
		issuer:    config.Issuer,
		algorithm: config.DefaultAlgorithm,
		digits:    uint(config.DefaultDigits),
		period:    uint(config.DefaultPeriod),
		size:      uint(config.SecretSize),
	}

	if config.Skew != nil {
		provider.skew = uint(*config.Skew)
	} else {
		provider.skew = 1
	}

	return provider
}

// TimeBased totp.Provider for production use.
type TimeBased struct {
	opts *model.TOTPOptions

	issuer    string
	algorithm string
	digits    uint
	period    uint
	skew      uint
	size      uint
}

// GenerateCustom generates a TOTP with custom options.
func (p TimeBased) GenerateCustom(username, algorithm, secret string, digits, period, secretSize uint) (config *model.TOTPConfiguration, err error) {
	var key *otp.Key

	var secretData []byte

	if secret != "" {
		if secretData, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret); err != nil {
			return nil, fmt.Errorf("totp generate failed: error decoding base32 string: %w", err)
		}
	}

	if secretSize == 0 {
		secretSize = p.size
	}

	opts := totp.GenerateOpts{
		Issuer:      p.issuer,
		AccountName: username,
		Period:      period,
		Secret:      secretData,
		SecretSize:  secretSize,
		Digits:      otp.Digits(digits),
		Algorithm:   otpStringToAlgo(algorithm),
	}

	fmt.Println("secret before", opts.Secret)

	if key, err = totp.Generate(opts); err != nil {
		return nil, err
	}

	fmt.Println("secret key", key)

	config = &model.TOTPConfiguration{
		CreatedAt: time.Now(),
		Username:  username,
		Issuer:    p.issuer,
		Algorithm: algorithm,
		Digits:    digits,
		Secret:    []byte(key.Secret()),
		Period:    period,
	}

	fmt.Println("secret after", config.Secret)

	return config, nil
}

// Generate generates a TOTP with default options.
func (p TimeBased) Generate(username string) (config *model.TOTPConfiguration, err error) {
	return p.GenerateCustom(username, p.algorithm, "", p.digits, p.period, p.size)
}

// Validate the token against the given configuration.
func (p TimeBased) Validate(token string, config *model.TOTPConfiguration) (valid bool, err error) {
	opts := totp.ValidateOpts{
		Period:    config.Period,
		Skew:      p.skew,
		Digits:    otp.Digits(config.Digits),
		Algorithm: otpStringToAlgo(config.Algorithm),
	}

	fmt.Println("period", opts.Period)
	fmt.Println("skew", opts.Skew)
	fmt.Println("digits", opts.Digits)
	fmt.Println("algorithm", opts.Algorithm)
	fmt.Println("token", token)
	fmt.Println("secret", config.Secret)

	return totp.ValidateCustom(token, string(config.Secret), time.Now().UTC(), opts)
}

// Options returns the configured options for this provider.
func (p TimeBased) Options() model.TOTPOptions {
	return *p.opts
}
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`package totp`

			`import (`
feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`"encoding/base32"`
			`"fmt"`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`"time"`

			`"github.com/pquerna/otp"`
			`"github.com/pquerna/otp/totp"`

			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`"github.com/authelia/authelia/v4/internal/model"`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`)`

			`// NewTimeBasedProvider creates a new totp.TimeBased which implements the totp.Provider.`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`func NewTimeBasedProvider(config schema.TOTPConfiguration) (provider *TimeBased) {`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`provider = &TimeBased{`
refactor: totp 2023-02-13 20:39:46 +00:00			`opts: &model.TOTPOptions{`
			`Algorithm: config.DefaultAlgorithm,`
			`Algorithms: config.AllowedAlgorithms,`
			`Period: config.DefaultPeriod,`
			`Periods: config.AllowedPeriods,`
			`Length: config.DefaultDigits,`
			`Lengths: config.AllowedDigits,`
			`},`
			`issuer: config.Issuer,`
			`algorithm: config.DefaultAlgorithm,`
			`digits: uint(config.DefaultDigits),`
			`period: uint(config.DefaultPeriod),`
			`size: uint(config.SecretSize),`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`}`

			`if config.Skew != nil {`
refactor: totp 2023-02-13 20:39:46 +00:00			`provider.skew = uint(*config.Skew)`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`} else {`
			`provider.skew = 1`
			`}`

			`return provider`
			`}`

			`// TimeBased totp.Provider for production use.`
			`type TimeBased struct {`
refactor: totp 2023-02-13 20:39:46 +00:00			`opts *model.TOTPOptions`

			`issuer string`
			`algorithm string`
			`digits uint`
			`period uint`
			`skew uint`
			`size uint`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`}`

			`// GenerateCustom generates a TOTP with custom options.`
feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`func (p TimeBased) GenerateCustom(username, algorithm, secret string, digits, period, secretSize uint) (config *model.TOTPConfiguration, err error) {`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`var key *otp.Key`

feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`var secretData []byte`

			`if secret != "" {`
			`if secretData, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret); err != nil {`
			`return nil, fmt.Errorf("totp generate failed: error decoding base32 string: %w", err)`
			`}`
			`}`

refactor: totp 2023-02-13 20:39:46 +00:00			`if secretSize == 0 {`
			`secretSize = p.size`
			`}`

feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`opts := totp.GenerateOpts{`
refactor: totp 2023-02-13 20:39:46 +00:00			`Issuer: p.issuer,`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`AccountName: username,`
			`Period: period,`
feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`Secret: secretData,`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`SecretSize: secretSize,`
			`Digits: otp.Digits(digits),`
			`Algorithm: otpStringToAlgo(algorithm),`
			`}`

refactor: totp 2023-02-13 20:39:46 +00:00			`fmt.Println("secret before", opts.Secret)`

feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`if key, err = totp.Generate(opts); err != nil {`
			`return nil, err`
			`}`

refactor: totp 2023-02-13 20:39:46 +00:00			`fmt.Println("secret key", key)`

refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`config = &model.TOTPConfiguration{`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`CreatedAt: time.Now(),`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`Username: username,`
refactor: totp 2023-02-13 20:39:46 +00:00			`Issuer: p.issuer,`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`Algorithm: algorithm,`
			`Digits: digits,`
			`Secret: []byte(key.Secret()),`
			`Period: period,`
			`}`

refactor: totp 2023-02-13 20:39:46 +00:00			`fmt.Println("secret after", config.Secret)`

feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`return config, nil`
			`}`

			`// Generate generates a TOTP with default options.`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`func (p TimeBased) Generate(username string) (config *model.TOTPConfiguration, err error) {`
refactor: totp 2023-02-13 20:39:46 +00:00			`return p.GenerateCustom(username, p.algorithm, "", p.digits, p.period, p.size)`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`}`

			`// Validate the token against the given configuration.`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`func (p TimeBased) Validate(token string, config *model.TOTPConfiguration) (valid bool, err error) {`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`opts := totp.ValidateOpts{`
			`Period: config.Period,`
			`Skew: p.skew,`
			`Digits: otp.Digits(config.Digits),`
			`Algorithm: otpStringToAlgo(config.Algorithm),`
			`}`

refactor: totp 2023-02-13 20:39:46 +00:00			`fmt.Println("period", opts.Period)`
			`fmt.Println("skew", opts.Skew)`
			`fmt.Println("digits", opts.Digits)`
			`fmt.Println("algorithm", opts.Algorithm)`
			`fmt.Println("token", token)`
			`fmt.Println("secret", config.Secret)`

feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`return totp.ValidateCustom(token, string(config.Secret), time.Now().UTC(), opts)`
			`}`
refactor: totp 2023-02-13 20:39:46 +00:00
			`// Options returns the configured options for this provider.`
			`func (p TimeBased) Options() model.TOTPOptions {`
			`return *p.opts`
			`}`