rotp 4.0.2 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72d869e33ff8ede2ef4233ed0398b730a1fc14e2b764295b090492bed133c4fc
-  data.tar.gz: 5ee5f47d3cee494762fcaaabb4dff1dfc247bab7faa0207fc6a3b7ff7b672f05
+  metadata.gz: 36079aaa87791cbc44f0772c429ebc947f88d34b0389411c13e37fc65a3bd1a1
+  data.tar.gz: a71126bd8dc56ca8e5db1bf5bf4fa5296c2319ac06816427400e253d0d835292
 SHA512:
-  metadata.gz: 42c5bb89a97375204c3198dd9d07080f4728162307c9b99eb6f7c46152bfa8aa21d7e02699fc911c9991ef6ae17c9465f2c8e438bf223b2097cbc9b72766912b
-  data.tar.gz: 45dc82dd282328c5e3651a5b660ac327c1d10f07b7ca21025139fbe3edf418b661e1b67648081027e04ea9bce639195ec21d44ada7d6af9ac607984e8fcda47b
+  metadata.gz: 3d90ee7ee49a029e74fe22faa8e14e14130f24a3c6551bc20742f35e7b1b529e807b56229bfb4a64f8621447920996d9a54d5fe98c1a255aae392a8dbc350d79
+  data.tar.gz: 12dd508477209b35bf75337934d9c780f661eebf32dc0a712acceedb7216cc2455af9781168248469c9b98c3eea27deaa961879d31464cffb793367a2aa8f529

data/.travis.yml

@@ -1,8 +1,9 @@
 language: ruby
-before_install: gem install bundler
+before_install: gem install bundler -v '<2'
 rvm:
-  - 2.3.0
-  - 2.1.0
-  - 2.0.0
+  - 2.7
+  - 2.6
+  - 2.5
+  - 2.3
 script:
   - bundle exec rspec

data/CHANGELOG.md

@@ -1,5 +1,36 @@
 ### Changelog
 
+### 6.1.0
+
+- Fixing URI encoding issues again, breaking out into it's own module
+  due to the complexity - closes #100 (@atcruice)
+- Add docker-compose.yml to help with easier testing
+
+### 6.0.0
+
+- Dropping support for Ruby <2.3 (Major version bump)
+- Fix issue when using --enable-frozen-string-literal Ruby option #95 (jeremyevans)
+- URI Encoding fix #94 (ksuh90)
+- Update gems (rake, addressable)
+- Update Travis tests to include Ruby 2.7
+
+### 5.1.0
+
+- Create `random_base32` to perform `random` to avoid breaking changes
+  - Still needed to bump to 5.x due to Base32 cleanup
+
+### 5.0.0
+
+- Clean up base32 implementation to match Google Autheticator
+- BREAKING `Base32.random_base32` renamed to random
+  - The argument is now byte length vs output string length for more precise bit strengths
+
+### 4.1.0
+
+- Add a digest option to the CLI #83
+- Fix provisioning URI is README #82
+- Improvements to docs
+
 ### 4.0.2
 
 - Fix gemspec requirment for Addressable

data/Dockerfile-2.3

@@ -1,16 +1,10 @@
 FROM ruby:2.3
 
-# throw errors if Gemfile has been modified since Gemfile.lock
-RUN bundle config --global frozen 1
-
 RUN mkdir -p /usr/src/app
 WORKDIR /usr/src/app
 
 COPY Gemfile /usr/src/app/
-COPY Gemfile.lock /usr/src/app/
 COPY . /usr/src/app
 RUN bundle install
 
-
-CMD ["bundler", "exec", "rspec"]
-
+CMD ["bundle", "exec", "rspec"]

data/Dockerfile-2.5

@@ -0,0 +1,10 @@
+FROM ruby:2.5
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]

data/Dockerfile-2.6

@@ -0,0 +1,11 @@
+FROM ruby:2.6
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]
+

data/Dockerfile-2.7

@@ -0,0 +1,11 @@
+FROM ruby:2.7
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]
+

data/README.md

@@ -2,6 +2,7 @@
 
 [![Build Status](https://travis-ci.org/mdp/rotp.svg?branch=master)](https://travis-ci.org/mdp/rotp)
 [![Gem Version](https://badge.fury.io/rb/rotp.svg)](https://rubygems.org/gems/rotp)
+[![Documentation](http://img.shields.io/badge/docs-rdoc.info-blue.svg)](https://www.rubydoc.info/github/mdp/rotp/master)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/mdp/rotp/blob/master/LICENSE)
 
 A ruby library for generating and validating one time passwords (HOTP & TOTP) according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and [RFC 6238](http://tools.ietf.org/html/rfc6238).
@@ -15,7 +16,20 @@ Many websites use this for [multi-factor authentication](https://www.youtube.com
 * OpenSSL
 * Ruby 2.0 or higher
 
-## Breaking changes in >= 4.0
+## Breaking changes
+
+### Breaking changes in >= 6.0
+
+- Dropping support for Ruby <2.3
+
+### Breaking changes in >= 5.0
+
+- `ROTP::Base32.random_base32` is now `ROTP::Base32.random` and the argument
+  has changed from secret string length to byte length to allow for more
+  precision. There is an alias to allow for `random_base32` for the time being.
+- Cleaned up the Base32 implementation to match Google Authenticator's version.
+
+### Breaking changes in >= 4.0
 
 - Simplified API
   - `verify` now takes options for `drift` and `after`
@@ -56,8 +70,8 @@ hotp.at(1) # => "595254"
 hotp.at(1401) # => "259769"
 
 # OTP verified with a counter
-hotp.verify("316439", 1401) # => 1401
-hotp.verify("316439", 1402) # => nil
+hotp.verify("259769", 1401) # => 1401
+hotp.verify("259769", 1402) # => nil
 ```
 
 ### Preventing reuse of Time based OTP's
@@ -68,18 +82,21 @@ the interval window (default 30 seconds)
 The following is an example of this in action:
 
 ```ruby
-User.find(someUserID)
+user = User.find(someUserID)
 totp = ROTP::TOTP.new(user.otp_secret)
 totp.now # => "492039"
 
+# Let's take a look at the last time the user authenticated with an OTP
 user.last_otp_at # => 1432703530
 
 # Verify the OTP
 last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> 1472145760
 # ROTP returns the timestamp(int) of the current period
+
 # Store this on the user's account
 user.update(last_otp_at: last_otp_at)
-# Someone attempts to reused the OTP inside the 30s window
+
+# Someone attempts to reuse the OTP inside the 30s window
 last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> nil
 # It fails to verify because we are still in the same 30s interval window
 ```
@@ -104,7 +121,7 @@ totp.verify("250939", drift_behind: 15, at: now + 45) # => nil
 ### Generating a Base32 Secret key
 
 ```ruby
-ROTP::Base32.random_base32  # returns a 32 character base32 secret. Compatible with Google Authenticator
+ROTP::Base32.random  # returns a 160 bit (32 character) base32 secret. Compatible with Google Authenticator
 ```
 
 Note: The Base32 format conforms to [RFC 4648 Base32](http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet)
@@ -115,8 +132,11 @@ Provisioning URI's generated by ROTP are compatible with most One Time Password
 Google Authenticator.
 
 ```ruby
-totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP'
-hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP&counter=0'
+totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
+totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/My%20Service:alice%40google.com?secret=base32secret3232&issuer=My%20Service'
+
+hotp = ROTP::HOTP.new("base32secret3232", issuer: "My Service")
+hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/alice%40google.com?secret=base32secret3232&counter=0'
 ```
 
 This can then be rendered as a QR Code which the user can scan using their mobile phone and the appropriate application.
@@ -143,9 +163,25 @@ bundle install
 bundle exec rspec
 ```
 
+### Testing with Docker
+
+In order to make it easier to test against different ruby version, ROTP comes
+with a set of Dockerfiles for each version that we test against in Travis
+
+```bash
+docker build -f Dockerfile-2.6 -t rotp_2.6 .
+docker run --rm -v $(pwd):/usr/src/app rotp_2.6
+```
+
+Alternately, you may use docker-compose to run all the tests:
+
+```
+docker-compose up
+```
+
 ## Executable Usage
 
-The rotp rubygem includes an executable for helping with testing and debugging
+The rotp rubygem includes CLI version to help with testing and debugging
 
 ```bash
 # Try this to get an overview of the commands
@@ -162,7 +198,7 @@ Have a look at the [contributors graph](https://github.com/mdp/rotp/graphs/contr
 
 ## License
 
-MIT Copyright (C) 2016 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
+MIT Copyright (C) 2019 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
 
 ## Other implementations
 

data/docker-compose.yml

@@ -0,0 +1,30 @@
+version: "3.8"
+services:
+  ruby_2_3:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.3
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_5:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.5
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_6:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.6
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_7:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.7
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"

data/lib/rotp.rb

@@ -1,9 +1,8 @@
-require 'cgi'
-require 'addressable'
-require 'securerandom'
 require 'openssl'
+require 'erb'
 require 'rotp/base32'
 require 'rotp/otp'
+require 'rotp/otp/uri'
 require 'rotp/hotp'
 require 'rotp/totp'
 

data/lib/rotp/arguments.rb

@@ -68,6 +68,10 @@ module ROTP
         parser.on_tail('-h', '--help', 'Show this message') do
           options!.mode = :help
         end
+
+        parser.on('-d', '--digest [ALGORITHM]', 'Use algorithm for the digest (default sha1)') do |digest|
+          options!.digest = digest
+        end
       end
     end
 

data/lib/rotp/base32.rb

@@ -1,51 +1,75 @@
+require 'securerandom'
+
 module ROTP
   class Base32
     class Base32Error < RuntimeError; end
-    CHARS = 'abcdefghijklmnopqrstuvwxyz234567'.each_char.to_a
+    CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.each_char.to_a
+    SHIFT = 5
+    MASK = 31
 
     class << self
+
       def decode(str)
-        str = str.tr('=', '')
-        output = []
-        str.scan(/.{1,8}/).each do |block|
-          char_array = decode_block(block).map(&:chr)
-          output << char_array
+        buffer = 0
+        idx = 0
+        bits_left = 0
+        str = str.tr('=', '').upcase
+        result = []
+        str.split('').each do |char|
+          buffer = buffer << SHIFT
+          buffer = buffer | (decode_quint(char) & MASK)
+          bits_left = bits_left + SHIFT
+          if bits_left >= 8
+            result[idx] = (buffer >> (bits_left - 8)) & 255
+            idx = idx + 1
+            bits_left = bits_left - 8
+          end
         end
-        output.join
+        result.pack('c*')
       end
 
-      def random_base32(length = 32)
-        b32 = ''
-        SecureRandom.random_bytes(length).each_byte do |b|
-          b32 << CHARS[b % 32]
+      def encode(b)
+        data = b.unpack('c*')
+        out = String.new
+        buffer = data[0]
+        idx = 1
+        bits_left = 8
+        while bits_left > 0 || idx < data.length
+          if bits_left < SHIFT
+            if idx < data.length
+              buffer = buffer << 8
+              buffer = buffer | (data[idx] & 255)
+              bits_left = bits_left + 8
+              idx = idx + 1
+            else
+              pad = SHIFT - bits_left
+              buffer = buffer << pad
+              bits_left = bits_left + pad
+            end
+          end
+          val = MASK & (buffer >> (bits_left - SHIFT))
+          bits_left = bits_left - SHIFT
+          out.concat(CHARS[val])
         end
-        b32
+        return out
       end
 
-      private
-
-      def decode_block(block)
-        length = block.scan(/[^=]/).length
-        quints = block.each_char.map { |c| decode_quint(c) }
-        bytes = []
-        bytes[0] = (quints[0] << 3) + (quints[1] ? quints[1] >> 2 : 0)
-        return bytes if length < 3
-
-        bytes[1] = ((quints[1] & 3) << 6) + (quints[2] << 1) + (quints[3] ? quints[3] >> 4 : 0)
-        return bytes if length < 4
-
-        bytes[2] = ((quints[3] & 15) << 4) + (quints[4] ? quints[4] >> 1 : 0)
-        return bytes if length < 6
-
-        bytes[3] = ((quints[4] & 1) << 7) + (quints[5] << 2) + (quints[6] ? quints[6] >> 3 : 0)
-        return bytes if length < 7
+      # Defaults to 160 bit long secret (meaning a 32 character long base32 secret)
+      def random(byte_length = 20)
+       rand_bytes = SecureRandom.random_bytes(byte_length)
+       self.encode(rand_bytes)
+      end
 
-        bytes[4] = ((quints[6] & 7) << 5) + (quints[7] || 0)
-        bytes
+      # Prevent breaking changes
+      def random_base32(str_len = 32)
+        byte_length = str_len * 5/8
+        random(byte_length)
       end
 
+      private
+
       def decode_quint(q)
-        CHARS.index(q.downcase) || raise(Base32Error, "Invalid Base32 Character - '#{q}'")
+        CHARS.index(q) || raise(Base32Error, "Invalid Base32 Character - '#{q}'")
       end
     end
   end

data/lib/rotp/cli.rb

@@ -19,7 +19,7 @@ module ROTP
       if %i[time hmac].include?(options.mode)
         if options.secret.to_s == ''
           red 'You must also specify a --secret. Try --help for help.'
-        elsif options.secret.to_s.chars.any? { |c| ROTP::Base32::CHARS.index(c.downcase).nil? }
+        elsif options.secret.to_s.chars.any? { |c| ROTP::Base32::CHARS.index(c.upcase).nil? }
           red 'Secret must be in RFC4648 Base32 format - http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet'
         end
       end
@@ -31,9 +31,9 @@ module ROTP
       return arguments.to_s if options.mode == :help
 
       if options.mode == :time
-        ROTP::TOTP.new(options.secret).now
+        ROTP::TOTP.new(options.secret, options).now
       elsif options.mode == :hmac
-        ROTP::HOTP.new(options.secret).at options.counter
+        ROTP::HOTP.new(options.secret, options).at options.counter
       end
     end
 

data/lib/rotp/hotp.rb

@@ -25,12 +25,7 @@ module ROTP
     # @param [Integer] initial_count starting counter value, defaults to 0
     # @return [String] provisioning uri
     def provisioning_uri(name, initial_count = 0)
-      params = {
-        secret: secret,
-        counter: initial_count,
-        digits: digits == DEFAULT_DIGITS ? nil : digits
-      }
-      encode_params("otpauth://hotp/#{Addressable::URI.escape(name)}", params)
+      OTP::URI.new(self, account_name: name, counter: initial_count).to_s
     end
   end
 end

data/lib/rotp/otp.rb

@@ -5,10 +5,10 @@ module ROTP
 
     # @param [String] secret in the form of base32
     # @option options digits [Integer] (6)
-    #     Number of integers in the OTP
+    #     Number of integers in the OTP.
     #     Google Authenticate only supports 6 currently
     # @option options digest [String] (sha1)
-    #     Digest used in the HMAC
+    #     Digest used in the HMAC.
     #     Google Authenticate only supports 'sha1' currently
     # @returns [OTP] OTP instantiation
     def initialize(s, options = {})
@@ -66,16 +66,6 @@ module ROTP
       result.reverse.join.rjust(padding, 0.chr)
     end
 
-    # A very simple param encoder
-    def encode_params(uri, params)
-      params_str = String.new('?')
-      params.each do |k, v|
-        params_str << "#{k}=#{CGI.escape(v.to_s)}&" if v
-      end
-      params_str.chop!
-      uri + params_str
-    end
-
     # constant-time compare the strings
     def time_constant_compare(a, b)
       return false if a.empty? || b.empty? || a.bytesize != b.bytesize

data/lib/rotp/otp/uri.rb

@@ -0,0 +1,79 @@
+module ROTP
+  class OTP
+    # https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+    class URI
+      def initialize(otp, account_name:, counter: nil)
+        @otp = otp
+        @account_name = account_name
+        @counter = counter
+      end
+
+      def to_s
+        "otpauth://#{type}/#{label}?#{parameters}"
+      end
+
+      private
+
+      def algorithm
+        return unless %w[sha256 sha512].include?(@otp.digest)
+
+        @otp.digest.upcase
+      end
+
+      def counter
+        return if @otp.is_a?(TOTP)
+        fail if @counter.nil?
+
+        @counter
+      end
+
+      def digits
+        return if @otp.digits == DEFAULT_DIGITS
+
+        @otp.digits
+      end
+
+      def issuer
+        return if @otp.is_a?(HOTP)
+
+        @otp.issuer&.strip&.tr(':', '_')
+      end
+
+      def label
+        [issuer, @account_name.rstrip]
+          .compact
+          .map { |s| s.tr(':', '_') }
+          .map { |s| ERB::Util.url_encode(s) }
+          .join(':')
+      end
+
+      def parameters
+        {
+          secret: @otp.secret,
+          issuer: issuer,
+          algorithm: algorithm,
+          digits: digits,
+          period: period,
+          counter: counter,
+        }
+          .reject { |_, v| v.nil? }
+          .map { |k, v| "#{k}=#{ERB::Util.url_encode(v)}" }
+          .join('&')
+      end
+
+      def period
+        return if @otp.is_a?(HOTP)
+        return if @otp.interval == DEFAULT_INTERVAL
+
+        @otp.interval
+      end
+
+      def type
+        case @otp
+        when TOTP then 'totp'
+        when HOTP then 'hotp'
+        end
+      end
+    end
+  end
+end

data/lib/rotp/totp.rb

@@ -54,19 +54,7 @@ module ROTP
     # @param [String] name of the account
     # @return [String] provisioning URI
     def provisioning_uri(name)
-      # The format of this URI is documented at:
-      # https://github.com/google/google-authenticator/wiki/Key-Uri-Format
-      # For compatibility the issuer appears both before that account name and also in the
-      # query string.
-      issuer_string = issuer.nil? ? '' : "#{Addressable::URI.escape(issuer)}:"
-      params = {
-        secret: secret,
-        period: interval == 30 ? nil : interval,
-        issuer: issuer,
-        digits: digits == DEFAULT_DIGITS ? nil : digits,
-        algorithm: digest.casecmp('SHA1').zero? ? nil : digest.upcase
-      }
-      encode_params("otpauth://totp/#{issuer_string}#{Addressable::URI.escape(name)}", params)
+      OTP::URI.new(self, account_name: name).to_s
     end
 
     private

data/lib/rotp/version.rb

@@ -1,3 +1,3 @@
 module ROTP
-  VERSION = '4.0.2'.freeze
+  VERSION = '6.1.0'.freeze
 end

data/rotp.gemspec

@@ -4,6 +4,7 @@ Gem::Specification.new do |s|
   s.name        = 'rotp'
   s.version     = ROTP::VERSION
   s.platform    = Gem::Platform::RUBY
+  s.required_ruby_version = '~> 2.3'
   s.license     = 'MIT'
   s.authors     = ['Mark Percival']
   s.email       = ['mark@markpercival.us']
@@ -11,16 +12,12 @@ Gem::Specification.new do |s|
   s.summary     = 'A Ruby library for generating and verifying one time passwords'
   s.description = 'Works for both HOTP and TOTP, and includes QR Code provisioning'
 
-  s.rubyforge_project = 'rotp'
-
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'addressable', '~> 2.5'
-
-  s.add_development_dependency 'rake', '~> 10.5'
+  s.add_development_dependency "rake", "~> 13.0"
   s.add_development_dependency 'rspec', '~> 3.5'
   s.add_development_dependency 'simplecov', '~> 0.12'
   s.add_development_dependency 'timecop', '~> 0.8'

data/spec/lib/rotp/base32_spec.rb

@@ -1,24 +1,33 @@
 require 'spec_helper'
 
 RSpec.describe ROTP::Base32 do
-  describe '.random_base32' do
+  describe '.random' do
     context 'without arguments' do
-      let(:base32) { ROTP::Base32.random_base32 }
+      let(:base32) { ROTP::Base32.random }
 
-      it 'is 32 characters long' do
+      it 'is 20 bytes (160 bits) long (resulting in a 32 character base32 code)' do
+        expect(ROTP::Base32.decode(base32).length).to eq 20
         expect(base32.length).to eq 32
       end
 
       it 'is base32 charset' do
-        expect(base32).to match(/\A[a-z2-7]+\z/)
+        expect(base32).to match(/\A[A-Z2-7]+\z/)
       end
     end
 
     context 'with arguments' do
-      let(:base32) { ROTP::Base32.random_base32 32 }
+      let(:base32) { ROTP::Base32.random 48 }
 
-      it 'allows a specific length' do
-        expect(base32.length).to eq 32
+      it 'returns the appropriate byte length code' do
+        expect(ROTP::Base32.decode(base32).length).to eq 48
+      end
+    end
+
+    context 'alias to older random_base32' do
+      let(:base32) { ROTP::Base32.random_base32(36) }
+      it 'is base32 charset' do
+        expect(base32.length).to eq 36
+        expect(ROTP::Base32.decode(base32).length).to eq 22
       end
     end
   end
@@ -33,22 +42,40 @@ RSpec.describe ROTP::Base32 do
 
     context 'valid input data' do
       it 'correctly decodes a string' do
-        expect(ROTP::Base32.decode('F').unpack('H*').first).to eq '28'
-        expect(ROTP::Base32.decode('23').unpack('H*').first).to eq 'd6'
-        expect(ROTP::Base32.decode('234').unpack('H*').first).to eq 'd6f8'
-        expect(ROTP::Base32.decode('234A').unpack('H*').first).to eq 'd6f800'
-        expect(ROTP::Base32.decode('234B').unpack('H*').first).to eq 'd6f810'
-        expect(ROTP::Base32.decode('234BCD').unpack('H*').first).to eq 'd6f8110c'
-        expect(ROTP::Base32.decode('234BCDE').unpack('H*').first).to eq 'd6f8110c80'
-        expect(ROTP::Base32.decode('234BCDEFG').unpack('H*').first).to eq 'd6f8110c8530'
-        expect(ROTP::Base32.decode('234BCDEFG234BCDEFG').unpack('H*').first).to eq 'd6f8110c8536b7c0886429'
+        expect(ROTP::Base32.decode('2EB7C66WC5TSO').unpack('H*').first).to eq 'd103f17bd6176727'
+        expect(ROTP::Base32.decode('Y6Y5ZCAC7NABCHSJ').unpack('H*').first).to eq 'c7b1dc8802fb40111e49'
+      end
+
+      it 'correctly decode strings with trailing bits (not a multiple of 8)' do
+        # Dropbox style 26 characters (26*5==130 bits or 16.25 bytes, but chopped to 128)
+        # Matches the behavior of Google Authenticator, drops extra 2 empty bits
+        expect(ROTP::Base32.decode('YVT6Z2XF4BQJNBMTD7M6QBQCEM').unpack('H*').first).to eq 'c567eceae5e0609685931fd9e8060223'
+
+        # For completeness, test all the possibilities allowed by Google Authenticator
+        # Drop the incomplete empty extra 4 bits (28*5==140bits or 17.5 bytes, chopped to 136 bits)
+        expect(ROTP::Base32.decode('5GGZQB3WN6LD7V3L5HPDYTQUANEQ').unpack('H*').first).to eq 'e98d9807766f963fd76be9de3c4e140349'
+
       end
 
       context 'with padding' do
         it 'correctly decodes a string' do
-          expect(ROTP::Base32.decode('F==').unpack('H*').first).to eq '28'
+          expect(ROTP::Base32.decode('234A===').unpack('H*').first).to eq 'd6f8'
         end
       end
+
+    end
+  end
+
+  describe '.encode' do
+    context 'encode input data' do
+      it 'correctly encodes data' do
+        expect(ROTP::Base32.encode(hex_to_bin('3c204da94294ff82103ee34e96f74b48'))).to eq 'HQQE3KKCST7YEEB64NHJN52LJA'
+      end
     end
   end
+
+end
+
+def hex_to_bin(s)
+  s.scan(/../).map { |x| x.hex }.pack('c*')
 end

data/spec/lib/rotp/cli_spec.rb

@@ -18,6 +18,14 @@ RSpec.describe ROTP::CLI do
     end
   end
 
+  context 'generating a TOTP with sha256 digest' do
+    let(:argv) { %w[--secret JBSWY3DPEHPK3PXP --digest sha256] }
+
+    it 'prints the corresponding token' do
+      expect(output).to eq '544902'
+    end
+  end
+
   context 'generating a TOTP with no secret' do
     let(:argv) { %w[--time --secret] }
 
@@ -49,4 +57,12 @@ RSpec.describe ROTP::CLI do
       expect(output).to eq '161024'
     end
   end
+
+  context 'generating a HOTP' do
+    let(:argv) { %W[--hmac --secret #{'a' * 32} --counter 1234 --digest sha256] }
+
+    it 'prints the corresponding token' do
+      expect(output).to eq '325941'
+    end
+  end
 end

data/spec/lib/rotp/hotp_spec.rb

@@ -108,29 +108,14 @@ RSpec.describe ROTP::HOTP do
   end
 
   describe '#provisioning_uri' do
-    let(:uri)    { hotp.provisioning_uri('mark@percival') }
-    let(:params) { CGI.parse URI.parse(uri).query }
-
-    it 'has the correct format' do
-      expect(uri).to match %r{\Aotpauth:\/\/hotp.+}
-    end
-
-    it 'includes the secret as parameter' do
-      expect(params['secret'].first).to eq 'a' * 32
-    end
-
-    context 'with default digits' do
-      it 'does not include digits parameter with default digits' do
-        expect(params['digits'].first).to be_nil
-      end
+    it 'accepts the account name' do
+      expect(hotp.provisioning_uri('mark@percival'))
+        .to eq 'otpauth://hotp/mark%40percival?secret=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&counter=0'
     end
 
-    context 'with non-default digits' do
-      let(:hotp) { ROTP::HOTP.new('a' * 32, digits: 8) }
-
-      it 'includes digits parameter' do
-        expect(params['digits'].first).to eq '8'
-      end
+    it 'also accepts a custom counter value' do
+      expect(hotp.provisioning_uri('mark@percival', 17))
+        .to eq 'otpauth://hotp/mark%40percival?secret=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&counter=17'
     end
   end
 end

data/spec/lib/rotp/otp/uri_spec.rb

@@ -0,0 +1,99 @@
+require 'spec_helper'
+
+RSpec.describe ROTP::OTP::URI do
+  it 'meets basic functionality' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP')
+    uri = described_class.new(otp, account_name: 'alice@google.com')
+    expect(uri.to_s).to eq 'otpauth://totp/alice%40google.com?secret=JBSWY3DPEHPK3PXP'
+  end
+
+  it 'includes issuer' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', issuer: 'Example')
+    uri = described_class.new(otp, account_name: 'alice@google.com')
+    expect(uri.to_s).to eq 'otpauth://totp/Example:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example'
+  end
+
+  it 'encodes the account name' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', issuer: 'Provider1')
+    uri = described_class.new(otp, account_name: 'Alice Smith')
+    expect(uri.to_s).to eq 'otpauth://totp/Provider1:Alice%20Smith?secret=JBSWY3DPEHPK3PXP&issuer=Provider1'
+  end
+
+  it 'encodes the issuer' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', issuer: 'Big Corporation')
+    uri = described_class.new(otp, account_name: ' alice@bigco.com')
+    expect(uri.to_s).to eq 'otpauth://totp/Big%20Corporation:%20alice%40bigco.com?secret=JBSWY3DPEHPK3PXP&issuer=Big%20Corporation'
+  end
+
+  it 'includes non-default SHA256 algorithm' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', digest: 'sha256')
+    uri = described_class.new(otp, account_name: 'alice@google.com')
+    expect(uri.to_s).to eq 'otpauth://totp/alice%40google.com?secret=JBSWY3DPEHPK3PXP&algorithm=SHA256'
+  end
+
+  it 'includes non-default SHA512 algorithm' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', digest: 'sha512')
+    uri = described_class.new(otp, account_name: 'alice@google.com')
+    expect(uri.to_s).to eq 'otpauth://totp/alice%40google.com?secret=JBSWY3DPEHPK3PXP&algorithm=SHA512'
+  end
+
+  it 'includes non-default 8 digits' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', digits: 8)
+    uri = described_class.new(otp, account_name: 'alice@google.com')
+    expect(uri.to_s).to eq 'otpauth://totp/alice%40google.com?secret=JBSWY3DPEHPK3PXP&digits=8'
+  end
+
+  it 'includes non-default period for TOTP' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', interval: 35)
+    uri = described_class.new(otp, account_name: 'alice@google.com')
+    expect(uri.to_s).to eq 'otpauth://totp/alice%40google.com?secret=JBSWY3DPEHPK3PXP&period=35'
+  end
+
+  it 'includes non-default counter for HOTP' do
+    otp = ROTP::HOTP.new('JBSWY3DPEHPK3PXP')
+    uri = described_class.new(otp, account_name: 'alice@google.com', counter: 17)
+    expect(uri.to_s).to eq 'otpauth://hotp/alice%40google.com?secret=JBSWY3DPEHPK3PXP&counter=17'
+  end
+
+  it 'can include all parameters' do
+    otp = ROTP::TOTP.new(
+      'HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ',
+      digest: 'sha512',
+      digits: 8,
+      interval: 60,
+      issuer: 'ACME Co',
+    )
+    uri = described_class.new(otp, account_name: 'john.doe@email.com')
+    expect(uri.to_s).to eq'otpauth://totp/ACME%20Co:john.doe%40email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA512&digits=8&period=60'
+  end
+
+  it 'strips leading and trailing whitespace from the issuer' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', issuer: '  Big Corporation  ')
+    uri = described_class.new(otp, account_name: ' alice@bigco.com')
+    expect(uri.to_s).to eq 'otpauth://totp/Big%20Corporation:%20alice%40bigco.com?secret=JBSWY3DPEHPK3PXP&issuer=Big%20Corporation'
+  end
+
+  it 'strips trailing whitespace from the account name' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP')
+    uri = described_class.new(otp, account_name: '  alice@google.com  ')
+    expect(uri.to_s).to eq 'otpauth://totp/%20%20alice%40google.com?secret=JBSWY3DPEHPK3PXP'
+  end
+
+  it 'replaces colons in the issuer with underscores' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP', issuer: 'Big:Corporation')
+    uri = described_class.new(otp, account_name: 'alice@bigco.com')
+    expect(uri.to_s).to eq 'otpauth://totp/Big_Corporation:alice%40bigco.com?secret=JBSWY3DPEHPK3PXP&issuer=Big_Corporation'
+  end
+
+  it 'replaces colons in the account name with underscores' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP')
+    uri = described_class.new(otp, account_name: 'Alice:Smith')
+    expect(uri.to_s).to eq 'otpauth://totp/Alice_Smith?secret=JBSWY3DPEHPK3PXP'
+  end
+
+  it 'handles email account names with sub-addressing' do
+    otp = ROTP::TOTP.new('JBSWY3DPEHPK3PXP')
+    uri = described_class.new(otp, account_name: 'alice+1234@google.com')
+    expect(uri.to_s).to eq 'otpauth://totp/alice%2B1234%40google.com?secret=JBSWY3DPEHPK3PXP'
+  end
+end

data/spec/lib/rotp/totp_spec.rb

@@ -221,79 +221,9 @@ RSpec.describe ROTP::TOTP do
   end
 
   describe '#provisioning_uri' do
-    let(:uri)    { totp.provisioning_uri('mark@percival') }
-    let(:params) { CGI.parse URI.parse(uri).query }
-
-    context 'without issuer' do
-      it 'has the correct format' do
-        expect(uri).to match %r{\Aotpauth:\/\/totp.+}
-      end
-
-      it 'includes the secret as parameter' do
-        expect(params['secret'].first).to eq 'JBSWY3DPEHPK3PXP'
-      end
-    end
-
-    context 'with default digits' do
-      it 'does does not include digits parameter' do
-        expect(params['digits'].first).to be_nil
-      end
-    end
-
-    context 'with non-default digits' do
-      let(:totp)  { ROTP::TOTP.new 'JBSWY3DPEHPK3PXP', digits: 8 }
-
-      it 'does does not include digits parameter' do
-        expect(params['digits'].first).to eq '8'
-      end
-    end
-
-    context 'with issuer' do
-      let(:totp)  { ROTP::TOTP.new 'JBSWY3DPEHPK3PXP', issuer: 'FooCo' }
-
-      it 'has the correct format' do
-        expect(uri).to match %r{\Aotpauth:\/\/totp/FooCo:.+}
-      end
-
-      it 'includes the secret as parameter' do
-        expect(params['secret'].first).to eq 'JBSWY3DPEHPK3PXP'
-      end
-
-      it 'includes the issuer as parameter' do
-        expect(params['issuer'].first).to eq 'FooCo'
-      end
-    end
-
-    context 'with custom interval' do
-      let(:totp)  { ROTP::TOTP.new 'JBSWY3DPEHPK3PXP', interval: 60 }
-
-      it 'has the correct format' do
-        expect(uri).to match %r{\Aotpauth:\/\/totp.+}
-      end
-
-      it 'includes the secret as parameter' do
-        expect(params['secret'].first).to eq 'JBSWY3DPEHPK3PXP'
-      end
-
-      it 'includes the interval as period parameter' do
-        expect(params['period'].first).to eq '60'
-      end
-    end
-
-    context 'with custom digest' do
-      let(:totp)  { ROTP::TOTP.new 'JBSWY3DPEHPK3PXP', digest: 'sha256' }
-
-      it 'has the correct format' do
-        expect(uri).to match %r{\Aotpauth:\/\/totp.+}
-      end
-
-      it 'includes the secret as parameter' do
-        expect(params['secret'].first).to eq 'JBSWY3DPEHPK3PXP'
-      end
-
-      it 'includes the digest as algorithm parameter' do
-        expect(params['algorithm'].first).to eq 'SHA256'
-      end
+    it 'accepts the account name' do
+      expect(totp.provisioning_uri('mark@percival'))
+        .to eq 'otpauth://totp/mark%40percival?secret=JBSWY3DPEHPK3PXP'
     end
   end
 

metadata

@@ -1,43 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: rotp
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 6.1.0
 platform: ruby
 authors:
 - Mark Percival
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-01 00:00:00.000000000 Z
+date: 2020-08-03 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: addressable
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.5'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.5'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.5'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -92,14 +78,14 @@ files:
 - ".gitignore"
 - ".travis.yml"
 - CHANGELOG.md
-- Dockerfile-1.9
-- Dockerfile-2.1
 - Dockerfile-2.3
+- Dockerfile-2.5
+- Dockerfile-2.6
+- Dockerfile-2.7
 - Gemfile
 - Guardfile
 - LICENSE
 - README.md
-- Rakefile
 - bin/rotp
 - doc/ROTP/HOTP.html
 - doc/ROTP/OTP.html
@@ -119,12 +105,14 @@ files:
 - doc/js/jquery.js
 - doc/method_list.html
 - doc/top-level-namespace.html
+- docker-compose.yml
 - lib/rotp.rb
 - lib/rotp/arguments.rb
 - lib/rotp/base32.rb
 - lib/rotp/cli.rb
 - lib/rotp/hotp.rb
 - lib/rotp/otp.rb
+- lib/rotp/otp/uri.rb
 - lib/rotp/totp.rb
 - lib/rotp/version.rb
 - rotp.gemspec
@@ -132,6 +120,7 @@ files:
 - spec/lib/rotp/base32_spec.rb
 - spec/lib/rotp/cli_spec.rb
 - spec/lib/rotp/hotp_spec.rb
+- spec/lib/rotp/otp/uri_spec.rb
 - spec/lib/rotp/totp_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/mdp/rotp
@@ -144,24 +133,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - "~>"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: rotp
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: A Ruby library for generating and verifying one time passwords
-test_files:
-- spec/lib/rotp/arguments_spec.rb
-- spec/lib/rotp/base32_spec.rb
-- spec/lib/rotp/cli_spec.rb
-- spec/lib/rotp/hotp_spec.rb
-- spec/lib/rotp/totp_spec.rb
-- spec/spec_helper.rb
+test_files: []

data/Dockerfile-1.9

@@ -1,15 +0,0 @@
-FROM ruby:1.9
-
-# throw errors if Gemfile has been modified since Gemfile.lock
-RUN bundle config --global frozen 1
-
-RUN mkdir -p /usr/src/app
-WORKDIR /usr/src/app
-
-COPY Gemfile /usr/src/app/
-COPY Gemfile.lock /usr/src/app/
-COPY . /usr/src/app
-RUN bundle install
-
-CMD ["bundler", "exec", "rspec"]
-

data/Dockerfile-2.1

@@ -1,16 +0,0 @@
-FROM ruby:2.1
-
-# throw errors if Gemfile has been modified since Gemfile.lock
-RUN bundle config --global frozen 1
-
-RUN mkdir -p /usr/src/app
-WORKDIR /usr/src/app
-
-COPY Gemfile /usr/src/app/
-COPY Gemfile.lock /usr/src/app/
-COPY . /usr/src/app
-RUN bundle install
-
-
-CMD ["bundler", "exec", "rspec"]
-

data/Rakefile

@@ -1,9 +0,0 @@
-require 'bundler'
-Bundler::GemHelper.install_tasks
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:rspec) do |spec|
-  spec.pattern = 'spec/**/*_spec.rb'
-end
-
-task default: :rspec