authelia/internal/totp/totp.go

package totp

import (
	"encoding/base32"
	"fmt"
	"time"

	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/model"
)

// NewTimeBasedProvider creates a new totp.TimeBased which implements the totp.Provider.
func NewTimeBasedProvider(config schema.TOTPConfiguration) (provider *TimeBased) {
	provider = &TimeBased{
		config: &config,
	}

	if config.Skew != nil {
		provider.skew = *config.Skew
	} else {
		provider.skew = 1
	}

	return provider
}

// TimeBased totp.Provider for production use.
type TimeBased struct {
	config *schema.TOTPConfiguration
	skew   uint
}

// GenerateCustom generates a TOTP with custom options.
func (p TimeBased) GenerateCustom(username, algorithm, secret string, digits, period, secretSize uint) (config *model.TOTPConfiguration, err error) {
	var key *otp.Key

	var secretData []byte

	if secret != "" {
		if secretData, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret); err != nil {
			return nil, fmt.Errorf("totp generate failed: error decoding base32 string: %w", err)
		}
	}

	opts := totp.GenerateOpts{
		Issuer:      p.config.Issuer,
		AccountName: username,
		Period:      period,
		Secret:      secretData,
		SecretSize:  secretSize,
		Digits:      otp.Digits(digits),
		Algorithm:   otpStringToAlgo(algorithm),
	}

	if key, err = totp.Generate(opts); err != nil {
		return nil, err
	}

	config = &model.TOTPConfiguration{
		CreatedAt: time.Now(),
		Username:  username,
		Issuer:    p.config.Issuer,
		Algorithm: algorithm,
		Digits:    digits,
		Secret:    []byte(key.Secret()),
		Period:    period,
	}

	return config, nil
}

// Generate generates a TOTP with default options.
func (p TimeBased) Generate(username string) (config *model.TOTPConfiguration, err error) {
	return p.GenerateCustom(username, p.config.Algorithm, "", p.config.Digits, p.config.Period, p.config.SecretSize)
}

// Validate the token against the given configuration.
func (p TimeBased) Validate(token string, config *model.TOTPConfiguration) (valid bool, err error) {
	opts := totp.ValidateOpts{
		Period:    config.Period,
		Skew:      p.skew,
		Digits:    otp.Digits(config.Digits),
		Algorithm: otpStringToAlgo(config.Algorithm),
	}

	return totp.ValidateCustom(token, string(config.Secret), time.Now().UTC(), opts)
}
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`package totp`

			`import (`
feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`"encoding/base32"`
			`"fmt"`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`"time"`

			`"github.com/pquerna/otp"`
			`"github.com/pquerna/otp/totp"`

			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`"github.com/authelia/authelia/v4/internal/model"`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`)`

			`// NewTimeBasedProvider creates a new totp.TimeBased which implements the totp.Provider.`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`func NewTimeBasedProvider(config schema.TOTPConfiguration) (provider *TimeBased) {`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`provider = &TimeBased{`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`config: &config,`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`}`

			`if config.Skew != nil {`
			`provider.skew = *config.Skew`
			`} else {`
			`provider.skew = 1`
			`}`

			`return provider`
			`}`

			`// TimeBased totp.Provider for production use.`
			`type TimeBased struct {`
			`config *schema.TOTPConfiguration`
			`skew uint`
			`}`

			`// GenerateCustom generates a TOTP with custom options.`
feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`func (p TimeBased) GenerateCustom(username, algorithm, secret string, digits, period, secretSize uint) (config *model.TOTPConfiguration, err error) {`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`var key *otp.Key`

feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`var secretData []byte`

			`if secret != "" {`
			`if secretData, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret); err != nil {`
			`return nil, fmt.Errorf("totp generate failed: error decoding base32 string: %w", err)`
			`}`
			`}`

feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`opts := totp.GenerateOpts{`
			`Issuer: p.config.Issuer,`
			`AccountName: username,`
			`Period: period,`
feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`Secret: secretData,`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`SecretSize: secretSize,`
			`Digits: otp.Digits(digits),`
			`Algorithm: otpStringToAlgo(algorithm),`
			`}`

			`if key, err = totp.Generate(opts); err != nil {`
			`return nil, err`
			`}`

refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`config = &model.TOTPConfiguration{`
feat: webauthn (#2707) This implements Webauthn. Old devices can be used to authenticate via the appid compatibility layer which should be automatic. New devices will be registered via Webauthn, and devices which do not support FIDO2 will no longer be able to be registered. At this time it does not fully support multiple devices (backend does, frontend doesn't allow registration of additional devices). Does not support passwordless. 2022-03-03 11:20:43 +00:00			`CreatedAt: time.Now(),`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`Username: username,`
			`Issuer: p.config.Issuer,`
			`Algorithm: algorithm,`
			`Digits: digits,`
			`Secret: []byte(key.Secret()),`
			`Period: period,`
			`}`

			`return config, nil`
			`}`

			`// Generate generates a TOTP with default options.`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`func (p TimeBased) Generate(username string) (config *model.TOTPConfiguration, err error) {`
feat(totp): secret customization (#2681) Allow customizing the shared secrets size specifically for apps which don't support 256bit shared secrets. 2022-04-07 23:01:01 +00:00			`return p.GenerateCustom(username, p.config.Algorithm, "", p.config.Digits, p.config.Period, p.config.SecretSize)`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`}`

			`// Validate the token against the given configuration.`
refactor(model): rename from models (#2968) 2022-03-06 05:47:40 +00:00			`func (p TimeBased) Validate(token string, config *model.TOTPConfiguration) (valid bool, err error) {`
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`opts := totp.ValidateOpts{`
			`Period: config.Period,`
			`Skew: p.skew,`
			`Digits: otp.Digits(config.Digits),`
			`Algorithm: otpStringToAlgo(config.Algorithm),`
			`}`

			`return totp.ValidateCustom(token, string(config.Secret), time.Now().UTC(), opts)`
			`}`