authelia/internal/totp/totp.go

package totp

import (
	"time"

	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/models"
)

// NewTimeBasedProvider creates a new totp.TimeBased which implements the totp.Provider.
func NewTimeBasedProvider(config *schema.TOTPConfiguration) (provider *TimeBased) {
	provider = &TimeBased{
		config: config,
	}

	if config.Skew != nil {
		provider.skew = *config.Skew
	} else {
		provider.skew = 1
	}

	return provider
}

// TimeBased totp.Provider for production use.
type TimeBased struct {
	config *schema.TOTPConfiguration
	skew   uint
}

// GenerateCustom generates a TOTP with custom options.
func (p TimeBased) GenerateCustom(username, algorithm string, digits, period, secretSize uint) (config *models.TOTPConfiguration, err error) {
	var key *otp.Key

	opts := totp.GenerateOpts{
		Issuer:      p.config.Issuer,
		AccountName: username,
		Period:      period,
		SecretSize:  secretSize,
		Digits:      otp.Digits(digits),
		Algorithm:   otpStringToAlgo(algorithm),
	}

	if key, err = totp.Generate(opts); err != nil {
		return nil, err
	}

	config = &models.TOTPConfiguration{
		Username:  username,
		Issuer:    p.config.Issuer,
		Algorithm: algorithm,
		Digits:    digits,
		Secret:    []byte(key.Secret()),
		Period:    period,
	}

	return config, nil
}

// Generate generates a TOTP with default options.
func (p TimeBased) Generate(username string) (config *models.TOTPConfiguration, err error) {
	return p.GenerateCustom(username, p.config.Algorithm, p.config.Digits, p.config.Period, 32)
}

// Validate the token against the given configuration.
func (p TimeBased) Validate(token string, config *models.TOTPConfiguration) (valid bool, err error) {
	opts := totp.ValidateOpts{
		Period:    config.Period,
		Skew:      p.skew,
		Digits:    otp.Digits(config.Digits),
		Algorithm: otpStringToAlgo(config.Algorithm),
	}

	return totp.ValidateCustom(token, string(config.Secret), time.Now().UTC(), opts)
}
feat(totp): algorithm and digits config (#2634) Allow users to configure the TOTP Algorithm and Digits. This should be used with caution as many TOTP applications do not support it. Some will also fail to notify the user that there is an issue. i.e. if the algorithm in the QR code is sha512, they continue to generate one time passwords with sha1. In addition this drastically refactors TOTP in general to be more user friendly by not forcing them to register a new device if the administrator changes the period (or algorithm). Fixes #1226. 2021-12-01 12:11:29 +00:00			`package totp`

			`import (`
			`"time"`

			`"github.com/pquerna/otp"`
			`"github.com/pquerna/otp/totp"`

			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
			`"github.com/authelia/authelia/v4/internal/models"`
			`)`

			`// NewTimeBasedProvider creates a new totp.TimeBased which implements the totp.Provider.`
			`func NewTimeBasedProvider(config schema.TOTPConfiguration) (provider TimeBased) {`
			`provider = &TimeBased{`
			`config: config,`
			`}`

			`if config.Skew != nil {`
			`provider.skew = *config.Skew`
			`} else {`
			`provider.skew = 1`
			`}`

			`return provider`
			`}`

			`// TimeBased totp.Provider for production use.`
			`type TimeBased struct {`
			`config *schema.TOTPConfiguration`
			`skew uint`
			`}`

			`// GenerateCustom generates a TOTP with custom options.`
			`func (p TimeBased) GenerateCustom(username, algorithm string, digits, period, secretSize uint) (config *models.TOTPConfiguration, err error) {`
			`var key *otp.Key`

			`opts := totp.GenerateOpts{`
			`Issuer: p.config.Issuer,`
			`AccountName: username,`
			`Period: period,`
			`SecretSize: secretSize,`
			`Digits: otp.Digits(digits),`
			`Algorithm: otpStringToAlgo(algorithm),`
			`}`

			`if key, err = totp.Generate(opts); err != nil {`
			`return nil, err`
			`}`

			`config = &models.TOTPConfiguration{`
			`Username: username,`
			`Issuer: p.config.Issuer,`
			`Algorithm: algorithm,`
			`Digits: digits,`
			`Secret: []byte(key.Secret()),`
			`Period: period,`
			`}`

			`return config, nil`
			`}`

			`// Generate generates a TOTP with default options.`
			`func (p TimeBased) Generate(username string) (config *models.TOTPConfiguration, err error) {`
			`return p.GenerateCustom(username, p.config.Algorithm, p.config.Digits, p.config.Period, 32)`
			`}`

			`// Validate the token against the given configuration.`
			`func (p TimeBased) Validate(token string, config *models.TOTPConfiguration) (valid bool, err error) {`
			`opts := totp.ValidateOpts{`
			`Period: config.Period,`
			`Skew: p.skew,`
			`Digits: otp.Digits(config.Digits),`
			`Algorithm: otpStringToAlgo(config.Algorithm),`
			`}`

			`return totp.ValidateCustom(token, string(config.Secret), time.Now().UTC(), opts)`
			`}`