rotp 3.2.0 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e81c60dc4a476ab617e914fe50d3739290e9a110
-  data.tar.gz: 3f99b3ec451c23b615ff7a58acbcf5a105f5f5c3
+  metadata.gz: 6966922a92bffb8bf74497e36d3f2e42e63f47a5
+  data.tar.gz: 0dbef9d1ed476e382b243d232240458d396b3593
 SHA512:
-  metadata.gz: 0f2ad34ca1702d72edb5e16dd715d58f6980c4412577cc40cd5337f6f3cb21958345883e4e67573eaf540364fecf4d9e73a720c4a79042327c2ac6d7e8f6bbbd
-  data.tar.gz: ad3ddffe067a7716d6cfaadcc7c9e8ac256831efc7d6214d7422269d4805eed427161af4f0c1de773ebe386d93355d495551aba03498a61e9277d3377ac1cdc1
+  metadata.gz: 3af99a2dcadd3591d235ecb8f1d0752ceadaa0b8649c1851163a7d0ce7e88bf5a564d1d32b6f3a2e2a3b290e36fd378b39e1d0a3a5225ba7ead905e3c207806f
+  data.tar.gz: c9504564ca0ec36d3efac011b9079d33d5038bf917ff4f5d6700556a71956fab49710304551e2d2d0a23f6c6a91dcdb7a296dd26468f6a78de8dc0584a0c35da

data/.gitignore

@@ -2,3 +2,4 @@
 .bundle
 .yardoc
 pkg/*
+coverage

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 ### Changelog
 
+#### 3.3.0
+
+- Add digest algorithm parameter for non SHA1 digests - #62 from @btalbot
+
 #### 3.2.0
 
 - Add 'verify_with_drift_and_prior' to prevent prior token use - #58 from @jlfaber

data/Gemfile.lock

@@ -1,75 +1,41 @@
 PATH
   remote: .
   specs:
-    rotp (2.1.2)
+    rotp (3.2.0)
 
 GEM
   remote: http://rubygems.org/
   specs:
-    celluloid (0.16.0)
-      timers (~> 4.0.0)
-    coderay (1.1.0)
     diff-lcs (1.2.5)
-    ffi (1.9.6)
-    formatador (0.2.5)
-    guard (2.11.1)
-      formatador (>= 0.2.4)
-      listen (~> 2.7)
-      lumberjack (~> 1.0)
-      nenv (~> 0.1)
-      notiffany (~> 0.0)
-      pry (>= 0.9.12)
-      shellany (~> 0.0)
-      thor (>= 0.18.1)
-    guard-compat (1.2.0)
-    guard-rspec (4.5.0)
-      guard (~> 2.1)
-      guard-compat (~> 1.1)
-      rspec (>= 2.99.0, < 4.0)
-    hitimes (1.2.2)
-    listen (2.8.5)
-      celluloid (>= 0.15.2)
-      rb-fsevent (>= 0.9.3)
-      rb-inotify (>= 0.9)
-    lumberjack (1.0.9)
-    method_source (0.8.2)
-    nenv (0.1.1)
-    notiffany (0.0.3)
-      nenv (~> 0.1)
-      shellany (~> 0.0)
-    pry (0.10.1)
-      coderay (~> 1.1.0)
-      method_source (~> 0.8.1)
-      slop (~> 3.4)
-    rake (10.4.2)
-    rb-fsevent (0.9.4)
-    rb-inotify (0.9.5)
-      ffi (>= 0.5.0)
-    rspec (3.1.0)
-      rspec-core (~> 3.1.0)
-      rspec-expectations (~> 3.1.0)
-      rspec-mocks (~> 3.1.0)
-    rspec-core (3.1.7)
-      rspec-support (~> 3.1.0)
-    rspec-expectations (3.1.2)
+    docile (1.1.5)
+    json (1.8.3)
+    rake (10.5.0)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.2)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.1.0)
-    rspec-mocks (3.1.3)
-      rspec-support (~> 3.1.0)
-    rspec-support (3.1.2)
-    shellany (0.0.1)
-    slop (3.6.0)
-    thor (0.19.1)
-    timecop (0.7.1)
-    timers (4.0.1)
-      hitimes
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    simplecov (0.12.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    timecop (0.8.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  guard-rspec (~> 4.5)
-  rake (~> 10.4)
+  rake (~> 10.5)
   rotp!
-  rspec (~> 3.1)
-  timecop (~> 0.7)
+  rspec (~> 3.5)
+  simplecov (~> 0.12)
+  timecop (~> 0.8)

data/README.md

@@ -55,6 +55,39 @@ hotp.verify("316439", 1401) # => true
 hotp.verify("316439", 1402) # => false
 ```
 
+### Verifying a Time based OTP with drift
+
+Some users devices may be slightly behind or ahead of the actual time. ROTP allows users to verify
+an OTP code with an specific amount of 'drift'
+
+```ruby
+totp = ROTP::TOTP.new("base32secret3232")
+totp.now # => "492039"
+
+# OTP verified for current time with 120 seconds allowed drift
+totp.verify_with_drift("492039", 60, Time.now - 30) # => true
+totp.verify_with_drift("492039", 60, Time.now - 90) # => false
+```
+
+### Preventing reuse of Time based OTP's
+
+In order to prevent reuse of time based tokens within the interval window (default 30 seconds)
+it is necessary to store the last time an OTP was used. The following is an example of this in action:
+
+```ruby
+User.find(someUserID)
+totp = ROTP::TOTP.new(user.otp_secret)
+totp.now # => "492039"
+
+user.last_otp_at # => 1472145530
+
+# Verify the OTP
+verified_at_timestamp = totp.verify_with_drift_and_prior("492039", 0, user.last_otp_at) #=> 1472145760
+# Store this on the user's account
+user.update(last_otp_at: verified_at_timestamp)
+verified_at_timestamp = totp.verify_with_drift_and_prior("492039", 0, user.last_otp_at) #=> false
+```
+
 ### Generating a Base32 Secret key
 
 ```ruby

data/lib/rotp/totp.rb

@@ -87,6 +87,7 @@ module ROTP
         period: interval == 30 ? nil : interval,
         issuer: issuer,
         digits: digits == DEFAULT_DIGITS ? nil : digits,
+        algorithm: digest.upcase == 'SHA1' ? nil : digest.upcase,
       }
       encode_params("otpauth://totp/#{issuer_string}#{URI.encode(name)}", params)
     end

data/lib/rotp/version.rb

@@ -1,3 +1,3 @@
 module ROTP
-  VERSION = "3.2.0"
+  VERSION = "3.3.0"
 end

data/rotp.gemspec

@@ -19,8 +19,8 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
-  s.add_development_dependency 'guard-rspec', '~> 4.5'
-  s.add_development_dependency 'rake', '~> 10.4'
-  s.add_development_dependency 'rspec', '~> 3.1'
-  s.add_development_dependency 'timecop', '~> 0.7'
+  s.add_development_dependency 'rake', '~> 10.5'
+  s.add_development_dependency 'rspec', '~> 3.5'
+  s.add_development_dependency 'timecop', '~> 0.8'
+  s.add_development_dependency 'simplecov', '~> 0.12'
 end

data/spec/lib/rotp/hotp_spec.rb

@@ -50,7 +50,7 @@ RSpec.describe ROTP::HOTP do
       let(:token) { 161024 }
 
       it 'raises an error' do
-        expect { verification }.to raise_error
+        expect { verification }.to raise_error(ArgumentError)
       end
     end
 

data/spec/lib/rotp/totp_spec.rb

@@ -41,7 +41,7 @@ RSpec.describe ROTP::TOTP do
       let(:token) { 68212 }
 
       it 'raises an error' do
-        expect { verification }.to raise_error
+        expect { verification }.to raise_error(ArgumentError)
       end
     end
 
@@ -142,37 +142,29 @@ RSpec.describe ROTP::TOTP do
         expect(params['period'].first).to eq '60'
       end
     end
-  end
 
-  describe '#verify_with_drift' do
-    let(:verification) { totp.verify_with_drift token, drift, now }
-    let(:drift) { 0 }
-
-    context 'numeric token' do
-      let(:token) { 68212 }
+    context 'with custom digest' do
+      let(:totp)  { ROTP::TOTP.new 'JBSWY3DPEHPK3PXP', digest: 'sha256' }
 
-      it 'raises an error' do
-        # In the "old" specs this was not tested due to a typo. What is the expected behavior here?
-        expect { verification }.to raise_error
+      it 'has the correct format' do
+        expect(uri).to match %r{\Aotpauth:\/\/totp.+}
       end
-    end
 
-    context 'unpadded string token' do
-      let(:token) { '68212' }
+      it 'includes the secret as parameter' do
+        expect(params['secret'].first).to eq 'JBSWY3DPEHPK3PXP'
+      end
 
-      it 'is false' do
-        # Not sure whether this should be tested. It didn't exist in the "old" specs
-        expect(verification).to be_falsey
+      it 'includes the digest as algorithm parameter' do
+        expect(params['algorithm'].first).to eq 'SHA256'
       end
     end
 
-    context 'correctly padded string token' do
-      let(:token) { '068212' }
+  end
+
+  describe '#verify_with_drift' do
+    let(:verification) { totp.verify_with_drift token, drift, now }
+    let(:drift) { 0 }
 
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
 
     context 'slightly old number' do
       let(:token) { totp.at now - 30 }
@@ -227,88 +219,15 @@ RSpec.describe ROTP::TOTP do
     let(:drift) { 0 }
     let(:prior) { nil }
 
-    context 'numeric token' do
-      let(:token) { 68212 }
-
-      it 'raises an error' do
-        # In the "old" specs this was not tested due to a typo. What is the expected behavior here?
-        expect { verification }.to raise_error
-      end
-    end
-
-    context 'unpadded string token' do
-      let(:token) { '68212' }
-
-      it 'is false' do
-        # Not sure whether this should be tested. It didn't exist in the "old" specs
-        expect(verification).to be_falsey
-      end
-    end
-
-    context 'correctly padded string token' do
-      let(:token) { '068212' }
-
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
-
-    context 'slightly old number' do
-      let(:token) { totp.at now - 30 }
-      let(:drift) { 60 }
-
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
-
-    context 'slightly new number' do
-      let(:token) { totp.at now + 60 }
-      let(:drift) { 60 }
-
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
-
-    context 'outside of drift range' do
-      let(:token) { totp.at now - 60 }
-      let(:drift) { 30 }
-
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-
-    context 'drift is not multiple of TOTP interval' do
-      context 'slightly old number' do
-        let(:token) { totp.at now - 45 }
-        let(:drift) { 45 }
-
-        it 'is true' do
-          expect(verification).to be_truthy
-        end
-      end
-
-      context 'slightly new number' do
-        let(:token) { totp.at now + 40 }
-        let(:drift) { 40 }
-
-        it 'is true' do
-          expect(verification).to be_truthy
-        end
-      end
-    end
-
     context 'with a prior verify' do
       let(:prior) { totp.verify_with_drift_and_prior '068212', 0, nil, now }
 
       it 'returns a timecode' do
+        expect(prior).to be_kind_of(Integer)
         expect(prior).to be_within(30).of(now.to_i)
       end
 
       context 'reusing same token' do
-
         it 'is false' do
           expect(verification).to be_falsy
         end
@@ -319,6 +238,8 @@ RSpec.describe ROTP::TOTP do
         let(:drift) { 40 }
 
         it 'is true' do
+          expect(verification).to be_kind_of(Integer)
+          expect(verification).to be_within(30).of(now.to_i)
           expect(verification).to be_truthy
         end
       end

data/spec/spec_helper.rb

@@ -1,5 +1,6 @@
 require 'rotp'
 require 'timecop'
+require 'simplecov'
 
 RSpec.configure do |config|
   config.disable_monkey_patching!
@@ -11,3 +12,7 @@ RSpec.configure do |config|
     Timecop.return
   end
 end
+
+SimpleCov.start
+
+require_relative '../lib/rotp'

metadata

@@ -1,71 +1,71 @@
 --- !ruby/object:Gem::Specification
 name: rotp
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.3.0
 platform: ruby
 authors:
 - Mark Percival
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-08-25 00:00:00.000000000 Z
+date: 2016-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: guard-rspec
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.5'
+        version: '10.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.5'
+        version: '10.5'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.4'
+        version: '3.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.4'
+        version: '3.5'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '0.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '0.8'
 - !ruby/object:Gem::Dependency
-  name: timecop
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.7'
+        version: '0.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.7'
+        version: '0.12'
 description: Works for both HOTP and TOTP, and includes QR Code provisioning
 email:
 - mark@markpercival.us