RubyGems - rotp - Versions diffs - 3.3.1 → 4.0.0 - Mend

rotp 3.3.1 → 4.0.0

Files changed (17) hide show

checksums.yaml +5 -5
data/.travis.yml +0 -1
data/CHANGELOG.md +6 -0
data/README.md +57 -46
data/lib/rotp/base32.rb +1 -1
data/lib/rotp/cli.rb +2 -5
data/lib/rotp/hotp.rb +10 -23
data/lib/rotp/otp.rb +4 -9
data/lib/rotp/totp.rb +44 -46
data/lib/rotp/version.rb +1 -1
data/spec/lib/rotp/arguments_spec.rb +14 -0
data/spec/lib/rotp/base32_spec.rb +2 -2
data/spec/lib/rotp/cli_spec.rb +24 -0
data/spec/lib/rotp/hotp_spec.rb +39 -63
data/spec/lib/rotp/totp_spec.rb +167 -132
data/spec/spec_helper.rb +5 -2
metadata +3 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6597229fd1ace9419ec1212d4cdedaa8392d5e2c
-  data.tar.gz: 7784edcd67e532d6e1c14e229c79e2b1c6c5bb6e
+SHA256:
+  metadata.gz: 681041e122df89a1947016e02fd7c11e3102ffc3eed78c1dcdcb5056af116afd
+  data.tar.gz: 0333b10d91241c31b7fb2b3b5b7bd0d99f0e02b471ce0d10dc5961ae98cb89d7
 SHA512:
-  metadata.gz: cc83e697d928afc3be726fa0a7569f87bb5d69362ae429af512e35bc5f15d6cce947c510ab6204b6cac99601a3870600577360750f3e9af35762e316ce45080b
-  data.tar.gz: 5cdefb29436b550ecd825baa13cc2365c994705f575b474d9a8d02ecad1764ce9982bc04537ea95afbfe24b304c1a1a71e339f4223f496138f7eaeaa76261050
+  metadata.gz: a7454a2072e7f6b4cabd84338b2c9b1d06363102230d2c93bd244f0a486004b6363e9cd50aece371c951ae68798a6cc109798948c11034f679030bfd7106e464
+  data.tar.gz: 18e79a2ca2a61d9b6a2dd902744e344fe1be9b7f4ac2c3d4674d6c83929f69b2395d794c9d9081115678fbfc81599f50a07cf8b287ce1c7f8ed05dcee4322e13

data/.travis.yml CHANGED

@@ -4,6 +4,5 @@ rvm:
   - 2.3.0
   - 2.1.0
   - 2.0.0
-  - 1.9.3
 script:
   - bundle exec rspec

data/CHANGELOG.md CHANGED

@@ -1,9 +1,15 @@
 ### Changelog
+#### 4.0.0
+- Simplify API
+- Remove support for Ruby < 2.0
 #### 3.3.1
 - Add OpenSSL as a requirement for Ruby 2.5. Fixes #70 & #64
 - Allow Base32 with padding. #71
+- Prevent verify with drift being negative #69
 #### 3.3.0

data/README.md CHANGED

@@ -4,16 +4,24 @@
 [![Gem Version](https://badge.fury.io/rb/rotp.svg)](https://rubygems.org/gems/rotp)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/mdp/rotp/blob/master/LICENSE)
-A ruby library for generating one time passwords (HOTP & TOTP) according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and [RFC 6238](http://tools.ietf.org/html/rfc6238).
+A ruby library for generating and validating one time passwords (HOTP & TOTP) according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and [RFC 6238](http://tools.ietf.org/html/rfc6238).
-ROTP is compatible with the [Google Authenticator](https://github.com/google/google-authenticator) available for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/en/app/google-authenticator/id388497605).
+ROTP is compatible with [Google Authenticator](https://github.com/google/google-authenticator) available for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/en/app/google-authenticator/id388497605) and any other TOTP based implementations.
-Many websites use this for [multi-factor authentication](https://www.youtube.com/watch?v=17rykTIX_HY), such as GMail, Facebook, Amazon EC2, WordPress, and Salesforce. You can find the whole [list here](https://en.wikipedia.org/wiki/Google_Authenticator#Usage).
+Many websites use this for [multi-factor authentication](https://www.youtube.com/watch?v=17rykTIX_HY), such as GMail, Facebook, Amazon EC2, WordPress, and Salesforce. You can find a more complete [list here](https://en.wikipedia.org/wiki/Google_Authenticator#Usage).
 ## Dependencies
 * OpenSSL
-* Ruby 1.9.3 or higher
+* Ruby 2.0 or higher
+## Breaking changes in >= 4.0
+- Simplified API
+  - `verify` now takes options for `drift` and `after`
+  - `verify` returns a timestamp if true, nil if false
+- Dropping support for Ruby < 2.0
+- Docs for 3.x can be found [here](https://github.com/mdp/rotp/tree/v3.3.0)
 ## Installation
@@ -26,20 +34,17 @@ gem install rotp
 ### Time based OTP's
 ```ruby
-totp = ROTP::TOTP.new("base32secret3232")
+totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
 totp.now # => "492039"
-# OTP verified for current time
-totp.verify("492039") # => true
-sleep 30
-totp.verify("492039") # => false
-```
+# OTP verified for current time - returns timestamp of the current interval
+# period.
+totp.verify("492039") # => 1474590700
-Optionally, you can provide an issuer which will be used as a title in Google Authenticator.
+sleep 30
-```ruby
-totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
-totp.provisioning_uri("alice@google.com")
+# OTP fails to verify - returns nil
+totp.verify("492039") # => nil
 ```
 ### Counter based OTP's
@@ -51,69 +56,76 @@ hotp.at(1) # => "595254"
 hotp.at(1401) # => "259769"
 # OTP verified with a counter
-hotp.verify("259769", 1401) # => true
-hotp.verify("259769", 1402) # => false
-```
-### Verifying a Time based OTP with drift
-Some users devices may be slightly behind or ahead of the actual time. ROTP allows users to verify
-an OTP code with an specific amount of 'drift'
-```ruby
-totp = ROTP::TOTP.new("base32secret3232")
-totp.now # => "492039"
-# OTP verified for current time with 120 seconds allowed drift
-totp.verify_with_drift("492039", 60, Time.now - 30) # => true
-totp.verify_with_drift("492039", 60, Time.now - 90) # => false
+hotp.verify("316439", 1401) # => 1401
+hotp.verify("316439", 1402) # => nil
 ```
 ### Preventing reuse of Time based OTP's
-In order to prevent reuse of time based tokens within the interval window (default 30 seconds)
-it is necessary to store the last time an OTP was used. The following is an example of this in action:
+By keeping track of the last time a user's OTP was verified, we can prevent token reuse during
+the interval window (default 30 seconds)
+The following is an example of this in action:
 ```ruby
 User.find(someUserID)
 totp = ROTP::TOTP.new(user.otp_secret)
 totp.now # => "492039"
-user.last_otp_at # => 1472145530
+user.last_otp_at # => 1432703530
 # Verify the OTP
-verified_at_timestamp = totp.verify_with_drift_and_prior("492039", 0, user.last_otp_at) #=> 1472145760
+last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> 1472145760
+# ROTP returns the timestamp(int) of the current period
 # Store this on the user's account
-user.update(last_otp_at: verified_at_timestamp)
-verified_at_timestamp = totp.verify_with_drift_and_prior("492039", 0, user.last_otp_at) #=> false
+user.update(last_otp_at: last_otp_at)
+# Someone attempts to reused the OTP inside the 30s window
+last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> nil
+# It fails to verify because we are still in the same 30s interval window
+```
+### Verifying a Time based OTP with drift
+Some users may enter a code just after it has expired. By adding 'drift' you can allow
+for a recently expired token to remain valid.
+```ruby
+totp = ROTP::TOTP.new("base32secret3232")
+now = Time.at(1474590600) #2016-09-23 00:30:00 UTC
+totp.at(now) # => "250939"
+# OTP verified for current time along with 15 seconds earlier
+# ie. User enters a code just after it expired
+totp.verify("250939", drift_behind: 15, at: now + 35) # => 1474590600
+# User waits too long. Fails to validate previous OTP
+totp.verify("250939", drift_behind: 15, at: now + 45) # => nil
 ```
 ### Generating a Base32 Secret key
 ```ruby
-ROTP::Base32.random_base32  # returns a 16 character base32 secret. Compatible with Google Authenticator
+ROTP::Base32.random_base32  # returns a 32 character base32 secret. Compatible with Google Authenticator
 ```
 Note: The Base32 format conforms to [RFC 4648 Base32](http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet)
-### Google Authenticator Compatible URI's
+### Generating QR Codes for provisioning mobile apps
-Provisioning URI's generated by ROTP are compatible with the Google Authenticator App
-to be scanned with the in-built QR Code scanner.
+Provisioning URI's generated by ROTP are compatible with most One Time Password applications, including
+Google Authenticator.
 ```ruby
 totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP'
 hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP&counter=0'
 ```
-This can then be rendered as a QR Code which can then be scanned and added to the users
-list of OTP credentials.
+This can then be rendered as a QR Code which the user can scan using their mobile phone and the appropriate application.
 #### Working example
 Scan the following barcode with your phone, using Google Authenticator
-![QR Code for OTP](http://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP)
+![QR Code for OTP](https://cloud.githubusercontent.com/assets/2868/18771262/54f109dc-80f2-11e6-863f-d2be62ee587a.png)
 Now run the following and compare the output
@@ -133,8 +145,7 @@ bundle exec rspec
 ## Executable Usage
-Once the rotp rubygem is installed on your system, you should be able to run the `rotp` executable
-(if not, you might find trouble-shooting help [at this stackoverflow question](http://stackoverflow.com/a/909980)).
+The rotp rubygem includes an executable for helping with testing and debugging
 ```bash
 # Try this to get an overview of the commands
@@ -151,7 +162,7 @@ Have a look at the [contributors graph](https://github.com/mdp/rotp/graphs/contr
 ## License
-MIT Copyright (C) 2011 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
+MIT Copyright (C) 2016 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
 ## Other implementations

data/lib/rotp/base32.rb CHANGED

@@ -14,7 +14,7 @@ module ROTP
         output.join
       end
-      def random_base32(length=16)
+      def random_base32(length=32)
         b32 = String.new
         SecureRandom.random_bytes(length).each_byte do |b|
           b32 << CHARS[b % 32]

data/lib/rotp/cli.rb CHANGED

@@ -9,9 +9,11 @@ module ROTP
       @argv = argv
     end
+    # :nocov:
     def run
       puts output
     end
+    # :nocov:
     def errors
       if [:time, :hmac].include?(options.mode)
@@ -20,8 +22,6 @@ module ROTP
         elsif options.secret.to_s.chars.any? { |c| ROTP::Base32::CHARS.index(c.downcase) == nil }
           red 'Secret must be in RFC4648 Base32 format - http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet'
         end
-      elsif options.mode == :hmac && options.counter.to_i < 0
-        red 'You must also specify a --counter. Try --help for help.'
       end
     end
@@ -34,9 +34,6 @@ module ROTP
         ROTP::TOTP.new(options.secret).now
       elsif options.mode == :hmac
         ROTP::HOTP.new(options.secret).at options.counter
-      else
-        fail NotImplementedError
       end
     end

data/lib/rotp/hotp.rb CHANGED

@@ -2,33 +2,20 @@ module ROTP
   class HOTP < OTP
     # Generates the OTP for the given count
     # @param [Integer] count counter
-    # @option [Boolean] padding (false) Issue the number as a 0 padded string
     # @returns [Integer] OTP
-    def at(count, padding=true)
-      generate_otp(count, padding)
+    def at(count)
+      generate_otp(count)
     end
     # Verifies the OTP passed in against the current time OTP
-    # @param [String/Integer] otp the OTP to check against
-    # @param [Integer] counter the counter of the OTP
-    def verify(otp, counter)
-      super(otp, self.at(counter))
-    end
-    # Verifies the OTP passed in against the current time OTP, with a given number of retries.
-    # Returns the counter that was verified successfully
-    # @param [String/Integer] otp the OTP to check against
-    # @param [Integer] initial counter the counter of the OTP
-    # @param [Integer] number of retries
-    def verify_with_retries(otp, initial_count, retries = 1)
-      return false if retries <= 0
-      1.upto(retries) do |counter|
-        current_counter = initial_count + counter
-        return current_counter if verify(otp, current_counter)
-      end
-      false
+    # @param otp [String/Integer] the OTP to check against
+    # @param counter [Integer] the counter of the OTP
+    # @param retries [Integer] number of counters to incrementally retry
+    def verify(otp, counter, retries: 0)
+      counters = (counter..counter+retries).to_a
+      counters.find { |c|
+        super(otp, self.at(c))
+      }
     end
     # Returns the provisioning URI for the OTP

data/lib/rotp/otp.rb CHANGED

@@ -21,7 +21,7 @@ module ROTP
     # @option padded [Boolean] (false) Output the otp as a 0 padded string
     # Usually either the counter, or the computed integer
     # based on the Unix timestamp
-    def generate_otp(input, padded=true)
+    def generate_otp(input)
       hmac = OpenSSL::HMAC.digest(
         OpenSSL::Digest.new(digest),
         byte_secret,
@@ -33,19 +33,14 @@ module ROTP
         (hmac[offset + 1].ord & 0xff) << 16 |
         (hmac[offset + 2].ord & 0xff) << 8 |
         (hmac[offset + 3].ord & 0xff)
-      if padded
-        (code % 10 ** digits).to_s.rjust(digits, '0')
-      else
-        code % 10 ** digits
-      end
+      (code % 10 ** digits).to_s.rjust(digits, '0')
     end
     private
     def verify(input, generated)
-      unless input.is_a?(String) && generated.is_a?(String)
-        raise ArgumentError, "ROTP only verifies strings - See: https://github.com/mdp/rotp/issues/32"
-      end
+      raise ArgumentError, "`otp` should be a String" unless
+          input.is_a?(String)
       time_constant_compare(input, generated)
     end

data/lib/rotp/totp.rb CHANGED

@@ -14,64 +14,46 @@ module ROTP
     # Accepts either a Unix timestamp integer or a Time object.
     # Time objects will be adjusted to UTC automatically
-    # @param [Time/Integer] time the time to generate an OTP for
-    # @option [Boolean] padding (true) Issue the number as a 0 padded string
-    def at(time, padding=true)
-      unless time.class == Time
-        time = Time.at(time.to_i)
-      end
-      generate_otp(timecode(time), padding)
+    # @param time [Time/Integer] the time to generate an OTP for, integer unix timestamp or Time object
+    def at(time)
+      generate_otp(timecode(time))
     end
     # Generate the current time OTP
     # @return [Integer] the OTP as an integer
-    def now(padding=true)
-      generate_otp(timecode(Time.now), padding)
-    end
-    # Verifies the OTP passed in against the current time OTP
-    # @param [String/Integer] otp the OTP to check against
-    def verify(otp, time = Time.now)
-      super(otp, self.at(time))
-    end
-    # Verifies the OTP passed in against the current time OTP
-    # and adjacent intervals up to +drift+.
-    # @param [String] otp the OTP to check against
-    # @param [Integer] drift the number of seconds that the client
-    #     and server are allowed to drift apart
-    def verify_with_drift(otp, drift, time = Time.now)
-      time = time.to_i
-      times = (time-drift..time+drift).step(interval).to_a
-      times << time + drift if times.last < time + drift
-      times.any? { |ti| verify(otp, ti) }
+    def now()
+      generate_otp(timecode(Time.now))
     end
     # Verifies the OTP passed in against the current time OTP
     # and adjacent intervals up to +drift+.  Excludes OTPs
-    # from prior_time and earlier.  Returns time value of
+    # from `after` and earlier.  Returns time value of
     # matching OTP code for use in subsequent call.
-    # @param [String] otp the OTP to check against
-    # @param [Integer] drift the number of seconds that the client
-    #     and server are allowed to drift apart
-    # @param [Integer] time value of previous match
-    def verify_with_drift_and_prior(otp, drift, prior_time = nil, time = Time.now)
-      # calculate normalized bin start times based on drift
-      first_bin = (time - drift).to_i / interval * interval
-      last_bin = (time + drift).to_i / interval * interval
+    # @param otp [String] the one time password to verify
+    # @param drift_behind [Integer] how many seconds to look back
+    # @param drift_ahead [Integer] how many seconds to look ahead
+    # @param after [Integer] prevent token reuse, last login timestamp
+    # @param at [Time] time at which to generate and verify a particular
+    #   otp. default Time.now
+    # @return [Integer, nil] the last successful timestamp
+    #   interval
+    def verify(otp, drift_ahead: 0, drift_behind: 0, after: nil, at: Time.now)
+      timecodes = get_timecodes(at, drift_behind, drift_ahead)
-      # if prior_time was supplied, adjust first bin if necessary to exclude it
-      if prior_time
-        prior_bin = prior_time.to_i / interval * interval
-        first_bin = prior_bin + interval if prior_bin >= first_bin
-        # fail if we've already used the last available OTP code
-        return if first_bin > last_bin
+      if after
+        timecodes = timecodes.select { |t| t > timecode(after) }
       end
-      times = (first_bin..last_bin).step(interval).to_a
-      times.find { |ti| verify(otp, ti) }
+      result = nil
+      timecodes.each { |t|
+        if (super(otp, self.generate_otp(t)))
+          result = t * interval
+        end
+      }
+      return result
     end
     # Returns the provisioning URI for the OTP
     # This can then be encoded in a QR Code and used
     # to provision the Google Authenticator app
@@ -95,8 +77,24 @@ module ROTP
     private
+    # Get back an array of timecodes for a period
+    def get_timecodes(at, drift_behind, drift_ahead)
+      now = timeint(at)
+      timecode_start = timecode(now - drift_behind)
+      timecode_end = timecode(now + drift_ahead)
+      return (timecode_start..timecode_end).step(1).to_a
+    end
+    # Ensure UTC int
+    def timeint(time)
+      unless time.class == Time
+        return time.to_i
+      end
+      return time.utc.to_i
+    end
     def timecode(time)
-      time.utc.to_i / interval
+      return timeint(time) / interval
     end
   end

data/lib/rotp/version.rb CHANGED

@@ -1,3 +1,3 @@
 module ROTP
-  VERSION = "3.3.1"
+  VERSION = "4.0.0"
 end

data/spec/lib/rotp/arguments_spec.rb CHANGED

@@ -71,6 +71,20 @@ RSpec.describe ROTP::Arguments do
     end
   end
+  context 'generating a counter based secret' do
+    let(:argv) { %w(--time --secret s3same) }
+    describe '#options' do
+      it 'is in hmac mode' do
+        expect(options.mode).to eq :time
+      end
+      it 'knows the secret' do
+        expect(options.secret).to eq 's3same'
+      end
+    end
+  end
   context 'generating a time based secret' do
     let(:argv) { %w(--secret s3same) }

data/spec/lib/rotp/base32_spec.rb CHANGED

@@ -6,8 +6,8 @@ RSpec.describe ROTP::Base32 do
     context 'without arguments' do
       let(:base32) { ROTP::Base32.random_base32 }
-      it 'is 16 characters long' do
-        expect(base32.length).to eq 16
+      it 'is 32 characters long' do
+        expect(base32.length).to eq 32
       end
       it 'is hexadecimal' do

data/spec/lib/rotp/cli_spec.rb CHANGED

@@ -18,6 +18,30 @@ RSpec.describe ROTP::CLI do
     end
   end
+  context 'generating a TOTP with no secret' do
+    let(:argv) { %W(--time --secret) }
+    it 'prints the corresponding token' do
+      expect(output).to match 'You must also specify a --secret'
+    end
+  end
+  context 'generating a TOTP with bad base32 secret' do
+    let(:argv) { %W(--time --secret #{'1' * 32}) }
+    it 'prints the corresponding token' do
+      expect(output).to match 'Secret must be in RFC4648 Base32 format'
+    end
+  end
+  context 'trying to generate an unsupport type' do
+    let(:argv) { %W(--notreal --secret #{'a' * 32}) }
+    it 'prints the corresponding token' do
+      expect(output).to match 'invalid option: --notreal'
+    end
+  end
   context 'generating a HOTP' do
     let(:argv) { %W(--hmac --secret #{'a' * 32} --counter 1234) }

data/spec/lib/rotp/hotp_spec.rb CHANGED

@@ -14,14 +14,6 @@ RSpec.describe ROTP::HOTP do
       end
     end
-    context 'without padding' do
-      let(:token) { hotp.at counter, false }
-      it 'generates an integer OTP' do
-        expect(token).to eq 161024
-      end
-    end
     context 'RFC compatibility' do
       let(:hotp) { ROTP::HOTP.new('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ') }
@@ -69,6 +61,45 @@ RSpec.describe ROTP::HOTP do
         expect(hotp.verify(token, 10)).to be_falsey
       end
     end
+    describe 'with retries' do
+      let(:verification) { hotp.verify token, counter, retries:retries }
+      context 'counter outside than retries' do
+        let(:counter) { 1223 }
+        let(:retries) { 10 }
+        it 'is false' do
+          expect(verification).to be_falsey
+        end
+      end
+      context 'counter exactly in retry range' do
+        let(:counter) { 1224 }
+        let(:retries) { 10 }
+        it 'is true' do
+          expect(verification).to eq 1234
+        end
+      end
+      context 'counter in retry range' do
+        let(:counter) { 1224 }
+        let(:retries) { 11 }
+        it 'is true' do
+          expect(verification).to eq 1234
+        end
+      end
+      context 'counter ahead of token' do
+        let(:counter) { 1235 }
+        let(:retries) { 3 }
+        it 'is false' do
+          expect(verification).to be_falsey
+        end
+      end
+    end
   end
   describe '#provisioning_uri' do
@@ -98,59 +129,4 @@ RSpec.describe ROTP::HOTP do
     end
   end
-  describe '#verify_with_retries' do
-    let(:verification) { hotp.verify_with_retries token, counter, retries }
-    context 'negative retries' do
-      let(:retries) { -1 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'zero retries' do
-      let(:retries) { 0 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'counter lower than retries' do
-      let(:counter) { 1223 }
-      let(:retries) { 10 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'counter exactly in retry range' do
-      let(:counter) { 1224 }
-      let(:retries) { 10 }
-      it 'is true' do
-        expect(verification).to eq 1234
-      end
-    end
-    context 'counter in retry range' do
-      let(:counter) { 1224 }
-      let(:retries) { 11 }
-      it 'is true' do
-        expect(verification).to eq 1234
-      end
-    end
-    context 'counter too high' do
-      let(:counter) { 1235 }
-      let(:retries) { 3 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-  end
 end

data/spec/lib/rotp/totp_spec.rb CHANGED

@@ -1,25 +1,18 @@
 require 'spec_helper'
+TEST_TIME = Time.utc 2016,9,23,9 # 2016-09-23 09:00:00 UTC
+TEST_TOKEN = "082630"
 RSpec.describe ROTP::TOTP do
-  let(:now)   { Time.utc 2012,1,1 }
-  let(:token) { '068212' }
+  let(:now)   { TEST_TIME }
+  let(:token) { TEST_TOKEN }
   let(:totp)  { ROTP::TOTP.new 'JBSWY3DPEHPK3PXP' }
   describe '#at' do
-    context 'with padding' do
-      let(:token) { totp.at now }
-      it 'is a string number' do
-        expect(token).to eq '068212'
-      end
-    end
+    let(:token) { totp.at now }
-    context 'without padding' do
-      let(:token) { totp.at now, false }
-      it 'is an integer' do
-        expect(token).to eq 68212
-      end
+    it 'is a string number' do
+      expect(token).to eq TEST_TOKEN
     end
     context 'RFC compatibility' do
@@ -35,26 +28,26 @@ RSpec.describe ROTP::TOTP do
   end
   describe '#verify' do
-    let(:verification) { totp.verify token, now }
+    let(:verification) { totp.verify token, at: now }
     context 'numeric token' do
-      let(:token) { 68212 }
+      let(:token) { 82630 }
-      it 'raises an error' do
+      it 'raises an error with an integer' do
         expect { verification }.to raise_error(ArgumentError)
       end
     end
     context 'unpadded string token' do
-      let(:token) { '68212' }
+      let(:token) { '82630' }
-      it 'is false' do
+      it 'fails to verify' do
         expect(verification).to be_falsey
       end
     end
     context 'correctly padded string token' do
-      it 'is true' do
+      it 'verifies' do
         expect(verification).to be_truthy
       end
     end
@@ -70,17 +63,168 @@ RSpec.describe ROTP::TOTP do
         let(:token) { '102705' }
         let(:now)   { Time.at 1297553958 }
-        it 'is true' do
+        it 'verifies' do
           expect(totp.verify('102705')).to be_truthy
         end
       end
       context 'wrong time based OTP' do
-        it 'is false' do
+        it 'fails to verify' do
           expect(totp.verify('102705')).to be_falsey
         end
       end
     end
+    context 'invalidating reused tokens' do
+      let(:verification) {
+        totp.verify token,
+        after: after,
+        at: now
+      }
+      let(:after) { nil }
+      context 'passing in the `after` timestamp' do
+        let(:after) {
+          totp.verify TEST_TOKEN, after: nil, at: now
+        }
+        it 'returns a timecode' do
+          expect(after).to be_kind_of(Integer)
+          expect(after).to be_within(30).of(now.to_i)
+        end
+        context 'reusing same token' do
+          it 'is false' do
+            expect(verification).to be_falsy
+          end
+        end
+      end
+    end
+  end
+  def get_timecodes(at, b, a)
+    # Test the private method
+    totp.send('get_timecodes', at, b, a)
+  end
+  describe "drifting timecodes" do
+    it 'should get timecodes behind' do
+      expect(get_timecodes(TEST_TIME+15, 15, 0)).to eq([49154040])
+      expect(get_timecodes(TEST_TIME, 15, 0)).to eq([49154039, 49154040])
+      expect(get_timecodes(TEST_TIME, 40, 0)).to eq([49154038, 49154039, 49154040])
+      expect(get_timecodes(TEST_TIME, 90, 0)).to eq([49154037, 49154038, 49154039, 49154040])
+    end
+    it 'should get timecodes ahead' do
+      expect(get_timecodes(TEST_TIME, 0, 15)).to eq([49154040])
+      expect(get_timecodes(TEST_TIME+15, 0, 15)).to eq([49154040, 49154041])
+      expect(get_timecodes(TEST_TIME, 0, 30)).to eq([49154040, 49154041])
+      expect(get_timecodes(TEST_TIME, 0, 70)).to eq([49154040, 49154041, 49154042])
+      expect(get_timecodes(TEST_TIME, 0, 90)).to eq([49154040, 49154041, 49154042, 49154043])
+    end
+    it 'should get timecodes behind and ahead' do
+      expect(get_timecodes(TEST_TIME, 30, 30)).to eq([49154039, 49154040, 49154041])
+      expect(get_timecodes(TEST_TIME, 60, 60)).to eq([49154038, 49154039, 49154040, 49154041, 49154042])
+    end
+  end
+  describe '#verify with drift' do
+    let(:verification) { totp.verify token, drift_ahead: drift_ahead, drift_behind: drift_behind, at: now }
+    let(:drift_ahead) { 0 }
+    let(:drift_behind) { 0 }
+    context 'with an old OTP' do
+      let(:token) { totp.at TEST_TIME - 30 } # Previous token at 2016-09-23 08:59:30 UTC
+      let(:drift_behind) { 15 }
+      # Tested at 2016-09-23 09:00:00 UTC, and with drift back to 2016-09-23 08:59:45 UTC
+      # This would therefore include 2 intervals
+      it 'inside of drift range' do
+        expect(verification).to be_truthy
+      end
+      # Tested at 2016-09-23 09:00:20 UTC, and with drift back to 2016-09-23 09:00:05 UTC
+      # This only includes 1 interval, therefore only the current token is valid
+      context 'outside of drift range' do
+        let(:now)   { TEST_TIME + 20 }
+        it 'is nil' do
+          expect(verification).to be_nil
+        end
+      end
+    end
+    context 'with a future OTP' do
+      let(:token) { totp.at TEST_TIME + 30 } # The next valid token - 2016-09-23 09:00:30 UTC
+      let(:drift_ahead) { 15 }
+      # Tested at 2016-09-23 09:00:00 UTC, and ahead to 2016-09-23 09:00:15 UTC
+      # This only includes 1 interval, therefore only the current token is valid
+      it 'outside of drift range' do
+        expect(verification).to be_falsey
+      end
+      # Tested at 2016-09-23 09:00:20 UTC, and with drift ahead to 2016-09-23 09:00:35 UTC
+      # This would therefore include 2 intervals
+      context 'inside of drift range' do
+        let(:now)   { TEST_TIME + 20 }
+        it 'is true' do
+          expect(verification).to be_truthy
+        end
+      end
+    end
+  end
+  describe '#verify with drift and prevent token reuse' do
+    let(:verification) { totp.verify token, drift_ahead: drift_ahead, drift_behind: drift_behind, after: after, at: now }
+    let(:drift_ahead) { 0 }
+    let(:drift_behind) { 0 }
+    let(:after) { nil }
+    context 'with the `after` timestamp set' do
+      context 'older token' do
+        let(:token) { totp.at TEST_TIME - 30 }
+        let(:drift_behind) { 15 }
+        it 'is true' do
+          expect(verification).to be_truthy
+          expect(verification).to eq((TEST_TIME - 30).to_i)
+        end
+        context 'after it has been used' do
+          let(:after) {
+            totp.verify token, after: nil, at: now, drift_behind: drift_behind
+          }
+          it 'is false' do
+            expect(verification).to be_falsey
+          end
+        end
+      end
+      context 'newer token' do
+        let(:token) { totp.at TEST_TIME + 30 }
+        let(:drift_ahead) { 15 }
+        let(:now) { TEST_TIME + 15 }
+        it 'is true' do
+          expect(verification).to be_truthy
+          expect(verification).to eq((TEST_TIME + 30).to_i)
+        end
+        context 'after it has been used' do
+          let(:after) {
+            totp.verify token, after: nil, at: now, drift_ahead: drift_ahead
+          }
+          it 'is false' do
+            expect(verification).to be_falsey
+          end
+        end
+      end
+    end
   end
   describe '#provisioning_uri' do
@@ -161,115 +305,6 @@ RSpec.describe ROTP::TOTP do
   end
-  describe 'invalid_verification with nil time as argument' do
-    let(:verification) { totp.verify_with_drift token, drift, nil }
-    context 'positive drift' do
-      let(:token) { totp.at now - 30 }
-      let(:drift) { 60 }
-      it 'raises error' do
-        expect do
-          verification
-        end.to raise_error(ArgumentError)
-      end
-    end
-  end
-  describe '#verify_with_drift' do
-    let(:verification) { totp.verify_with_drift token, drift, now }
-    let(:drift) { 0 }
-    context 'slightly old number' do
-      let(:token) { totp.at now - 30 }
-      let(:drift) { 60 }
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
-    context 'slightly new number' do
-      let(:token) { totp.at now + 60 }
-      let(:drift) { 60 }
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
-    context 'outside of drift range' do
-      let(:token) { totp.at now - 60 }
-      let(:drift) { 30 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'drift is not multiple of TOTP interval' do
-      context 'slightly old number' do
-        let(:token) { totp.at now - 45 }
-        let(:drift) { 45 }
-        it 'is true' do
-          expect(verification).to be_truthy
-        end
-      end
-      context 'slightly new number' do
-        let(:token) { totp.at now + 40 }
-        let(:drift) { 40 }
-        it 'is true' do
-          expect(verification).to be_truthy
-        end
-      end
-    end
-  end
-  describe '#verify_with_drift_and_prior' do
-    let(:verification) { totp.verify_with_drift_and_prior token, drift, prior, now }
-    let(:drift) { 0 }
-    let(:prior) { nil }
-    context 'with a prior verify' do
-      let(:prior) { totp.verify_with_drift_and_prior '068212', 0, nil, now }
-      it 'returns a timecode' do
-        expect(prior).to be_kind_of(Integer)
-        expect(prior).to be_within(30).of(now.to_i)
-      end
-      context 'reusing same token' do
-        it 'is false' do
-          expect(verification).to be_falsy
-        end
-      end
-      context 'newer token' do
-        let(:token) { totp.at now + 40 }
-        let(:drift) { 40 }
-        it 'is true' do
-          expect(verification).to be_kind_of(Integer)
-          expect(verification).to be_within(30).of(now.to_i)
-          expect(verification).to be_truthy
-        end
-      end
-      context 'older token' do
-        let(:token) { totp.at now - 40 }
-        let(:drift) { 40 }
-        it 'is false' do
-          expect(verification).to be_falsy
-        end
-      end
-    end
-  end
   describe '#now' do
     before do
       Timecop.freeze now

data/spec/spec_helper.rb CHANGED

@@ -1,6 +1,10 @@
+require 'simplecov'
+SimpleCov.start do
+  add_filter "/spec/"
+end
 require 'rotp'
 require 'timecop'
-require 'simplecov'
 RSpec.configure do |config|
   config.disable_monkey_patching!
@@ -13,6 +17,5 @@ RSpec.configure do |config|
   end
 end
-SimpleCov.start
 require_relative '../lib/rotp'

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rotp
 version: !ruby/object:Gem::Version
-  version: 3.3.1
+  version: 4.0.0
 platform: ruby
 authors:
 - Mark Percival
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-03-02 00:00:00.000000000 Z
+date: 2018-11-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -140,7 +140,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rotp
-rubygems_version: 2.2.2
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: A Ruby library for generating and verifying one time passwords
@@ -151,4 +151,3 @@ test_files:
 - spec/lib/rotp/hotp_spec.rb
 - spec/lib/rotp/totp_spec.rb
 - spec/spec_helper.rb
-has_rdoc: