rotp 3.1.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c450bbb03ba621504bffd4d10d86beb9aa0df214
-  data.tar.gz: 13a046cf63204bea4517283ae0a2473becc67ceb
+  metadata.gz: e81c60dc4a476ab617e914fe50d3739290e9a110
+  data.tar.gz: 3f99b3ec451c23b615ff7a58acbcf5a105f5f5c3
 SHA512:
-  metadata.gz: d76a02cc91e2de40619a99a925c3452546c31914fc0172918c40a68f405975b6ee293f437d91d49004b1e4074607f9f7abf8b266345ced389e9e313d6f0ab030
-  data.tar.gz: 08e82ddf0a585ee225a9d98b04cf0a22c7a386504f8f3db3936c07dc6231ecafa3f8f920fd9048b4606cb14080a194f7a4c333311735696d9016a88975d0c5b1
+  metadata.gz: 0f2ad34ca1702d72edb5e16dd715d58f6980c4412577cc40cd5337f6f3cb21958345883e4e67573eaf540364fecf4d9e73a720c4a79042327c2ac6d7e8f6bbbd
+  data.tar.gz: ad3ddffe067a7716d6cfaadcc7c9e8ac256831efc7d6214d7422269d4805eed427161af4f0c1de773ebe386d93355d495551aba03498a61e9277d3377ac1cdc1

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ### Changelog
 
+#### 3.2.0
+
+- Add 'verify_with_drift_and_prior' to prevent prior token use - #58 from @jlfaber
+
 #### 3.1.0
 
 - Add Add digits paramater to provisioning URI. #54 from @sbc100

data/lib/rotp/totp.rb

@@ -47,6 +47,30 @@ module ROTP
       times.any? { |ti| verify(otp, ti) }
     end
 
+    # Verifies the OTP passed in against the current time OTP
+    # and adjacent intervals up to +drift+.  Excludes OTPs
+    # from prior_time and earlier.  Returns time value of
+    # matching OTP code for use in subsequent call.
+    # @param [String] otp the OTP to check against
+    # @param [Integer] drift the number of seconds that the client
+    #     and server are allowed to drift apart
+    # @param [Integer] time value of previous match
+    def verify_with_drift_and_prior(otp, drift, prior_time = nil, time = Time.now)
+      # calculate normalized bin start times based on drift
+      first_bin = (time - drift).to_i / interval * interval
+      last_bin = (time + drift).to_i / interval * interval
+
+      # if prior_time was supplied, adjust first bin if necessary to exclude it
+      if prior_time
+        prior_bin = prior_time.to_i / interval * interval
+        first_bin = prior_bin + interval if prior_bin >= first_bin
+        # fail if we've already used the last available OTP code
+        return if first_bin > last_bin
+      end
+      times = (first_bin..last_bin).step(interval).to_a
+      times.find { |ti| verify(otp, ti) }
+    end
+
     # Returns the provisioning URI for the OTP
     # This can then be encoded in a QR Code and used
     # to provision the Google Authenticator app

data/lib/rotp/version.rb

@@ -1,3 +1,3 @@
 module ROTP
-  VERSION = "3.1.0"
+  VERSION = "3.2.0"
 end

data/spec/lib/rotp/totp_spec.rb

@@ -222,6 +222,118 @@ RSpec.describe ROTP::TOTP do
     end
   end
 
+  describe '#verify_with_drift_and_prior' do
+    let(:verification) { totp.verify_with_drift_and_prior token, drift, prior, now }
+    let(:drift) { 0 }
+    let(:prior) { nil }
+
+    context 'numeric token' do
+      let(:token) { 68212 }
+
+      it 'raises an error' do
+        # In the "old" specs this was not tested due to a typo. What is the expected behavior here?
+        expect { verification }.to raise_error
+      end
+    end
+
+    context 'unpadded string token' do
+      let(:token) { '68212' }
+
+      it 'is false' do
+        # Not sure whether this should be tested. It didn't exist in the "old" specs
+        expect(verification).to be_falsey
+      end
+    end
+
+    context 'correctly padded string token' do
+      let(:token) { '068212' }
+
+      it 'is true' do
+        expect(verification).to be_truthy
+      end
+    end
+
+    context 'slightly old number' do
+      let(:token) { totp.at now - 30 }
+      let(:drift) { 60 }
+
+      it 'is true' do
+        expect(verification).to be_truthy
+      end
+    end
+
+    context 'slightly new number' do
+      let(:token) { totp.at now + 60 }
+      let(:drift) { 60 }
+
+      it 'is true' do
+        expect(verification).to be_truthy
+      end
+    end
+
+    context 'outside of drift range' do
+      let(:token) { totp.at now - 60 }
+      let(:drift) { 30 }
+
+      it 'is false' do
+        expect(verification).to be_falsey
+      end
+    end
+
+    context 'drift is not multiple of TOTP interval' do
+      context 'slightly old number' do
+        let(:token) { totp.at now - 45 }
+        let(:drift) { 45 }
+
+        it 'is true' do
+          expect(verification).to be_truthy
+        end
+      end
+
+      context 'slightly new number' do
+        let(:token) { totp.at now + 40 }
+        let(:drift) { 40 }
+
+        it 'is true' do
+          expect(verification).to be_truthy
+        end
+      end
+    end
+
+    context 'with a prior verify' do
+      let(:prior) { totp.verify_with_drift_and_prior '068212', 0, nil, now }
+
+      it 'returns a timecode' do
+        expect(prior).to be_within(30).of(now.to_i)
+      end
+
+      context 'reusing same token' do
+
+        it 'is false' do
+          expect(verification).to be_falsy
+        end
+      end
+
+      context 'newer token' do
+        let(:token) { totp.at now + 40 }
+        let(:drift) { 40 }
+
+        it 'is true' do
+          expect(verification).to be_truthy
+        end
+      end
+
+      context 'older token' do
+        let(:token) { totp.at now - 40 }
+        let(:drift) { 40 }
+
+        it 'is false' do
+          expect(verification).to be_falsy
+        end
+      end
+    end
+  end
+
   describe '#now' do
     before do
       Timecop.freeze now

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rotp
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Mark Percival
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-06-14 00:00:00.000000000 Z
+date: 2016-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: guard-rspec