RubyGems - rotp - Versions diffs - 3.3.1 → 4.0.0 - Mend

rotp 3.3.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +5 -5
data/.travis.yml +0 -1
data/CHANGELOG.md +6 -0
data/README.md +57 -46
data/lib/rotp/base32.rb +1 -1
data/lib/rotp/cli.rb +2 -5
data/lib/rotp/hotp.rb +10 -23
data/lib/rotp/otp.rb +4 -9
data/lib/rotp/totp.rb +44 -46
data/lib/rotp/version.rb +1 -1
data/spec/lib/rotp/arguments_spec.rb +14 -0
data/spec/lib/rotp/base32_spec.rb +2 -2
data/spec/lib/rotp/cli_spec.rb +24 -0
data/spec/lib/rotp/hotp_spec.rb +39 -63
data/spec/lib/rotp/totp_spec.rb +167 -132
data/spec/spec_helper.rb +5 -2
metadata +3 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6597229fd1ace9419ec1212d4cdedaa8392d5e2c
-  data.tar.gz: 7784edcd67e532d6e1c14e229c79e2b1c6c5bb6e
+SHA256:
+  metadata.gz: 681041e122df89a1947016e02fd7c11e3102ffc3eed78c1dcdcb5056af116afd
+  data.tar.gz: 0333b10d91241c31b7fb2b3b5b7bd0d99f0e02b471ce0d10dc5961ae98cb89d7
 SHA512:
-  metadata.gz: cc83e697d928afc3be726fa0a7569f87bb5d69362ae429af512e35bc5f15d6cce947c510ab6204b6cac99601a3870600577360750f3e9af35762e316ce45080b
-  data.tar.gz: 5cdefb29436b550ecd825baa13cc2365c994705f575b474d9a8d02ecad1764ce9982bc04537ea95afbfe24b304c1a1a71e339f4223f496138f7eaeaa76261050
+  metadata.gz: a7454a2072e7f6b4cabd84338b2c9b1d06363102230d2c93bd244f0a486004b6363e9cd50aece371c951ae68798a6cc109798948c11034f679030bfd7106e464
+  data.tar.gz: 18e79a2ca2a61d9b6a2dd902744e344fe1be9b7f4ac2c3d4674d6c83929f69b2395d794c9d9081115678fbfc81599f50a07cf8b287ce1c7f8ed05dcee4322e13

data/.travis.yml CHANGED

@@ -4,6 +4,5 @@ rvm:
   - 2.3.0
   - 2.1.0
   - 2.0.0
-  - 1.9.3
 script:
   - bundle exec rspec

data/CHANGELOG.md CHANGED

@@ -1,9 +1,15 @@
 ### Changelog
+#### 4.0.0
+- Simplify API
+- Remove support for Ruby < 2.0
 #### 3.3.1
 - Add OpenSSL as a requirement for Ruby 2.5. Fixes #70 & #64
 - Allow Base32 with padding. #71
+- Prevent verify with drift being negative #69
 #### 3.3.0

data/README.md CHANGED

@@ -4,16 +4,24 @@
 [![Gem Version](https://badge.fury.io/rb/rotp.svg)](https://rubygems.org/gems/rotp)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/mdp/rotp/blob/master/LICENSE)
-A ruby library for generating one time passwords (HOTP & TOTP) according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and [RFC 6238](http://tools.ietf.org/html/rfc6238).
+A ruby library for generating and validating one time passwords (HOTP & TOTP) according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and [RFC 6238](http://tools.ietf.org/html/rfc6238).
-ROTP is compatible with the [Google Authenticator](https://github.com/google/google-authenticator) available for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/en/app/google-authenticator/id388497605).
+ROTP is compatible with [Google Authenticator](https://github.com/google/google-authenticator) available for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/en/app/google-authenticator/id388497605) and any other TOTP based implementations.
-Many websites use this for [multi-factor authentication](https://www.youtube.com/watch?v=17rykTIX_HY), such as GMail, Facebook, Amazon EC2, WordPress, and Salesforce. You can find the whole [list here](https://en.wikipedia.org/wiki/Google_Authenticator#Usage).
+Many websites use this for [multi-factor authentication](https://www.youtube.com/watch?v=17rykTIX_HY), such as GMail, Facebook, Amazon EC2, WordPress, and Salesforce. You can find a more complete [list here](https://en.wikipedia.org/wiki/Google_Authenticator#Usage).
 ## Dependencies
 * OpenSSL
-* Ruby 1.9.3 or higher
+* Ruby 2.0 or higher
+## Breaking changes in >= 4.0
+- Simplified API
+  - `verify` now takes options for `drift` and `after`
+  - `verify` returns a timestamp if true, nil if false
+- Dropping support for Ruby < 2.0
+- Docs for 3.x can be found [here](https://github.com/mdp/rotp/tree/v3.3.0)
 ## Installation
@@ -26,20 +34,17 @@ gem install rotp
 ### Time based OTP's
 ```ruby
-totp = ROTP::TOTP.new("base32secret3232")
+totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
 totp.now # => "492039"
-# OTP verified for current time
-totp.verify("492039") # => true
-sleep 30
-totp.verify("492039") # => false
-```
+# OTP verified for current time - returns timestamp of the current interval
+# period.
+totp.verify("492039") # => 1474590700
-Optionally, you can provide an issuer which will be used as a title in Google Authenticator.
+sleep 30
-```ruby
-totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
-totp.provisioning_uri("alice@google.com")
+# OTP fails to verify - returns nil
+totp.verify("492039") # => nil
 ```
 ### Counter based OTP's
@@ -51,69 +56,76 @@ hotp.at(1) # => "595254"
 hotp.at(1401) # => "259769"
 # OTP verified with a counter
-hotp.verify("259769", 1401) # => true
-hotp.verify("259769", 1402) # => false
-```
-### Verifying a Time based OTP with drift
-Some users devices may be slightly behind or ahead of the actual time. ROTP allows users to verify
-an OTP code with an specific amount of 'drift'
-```ruby
-totp = ROTP::TOTP.new("base32secret3232")
-totp.now # => "492039"
-# OTP verified for current time with 120 seconds allowed drift
-totp.verify_with_drift("492039", 60, Time.now - 30) # => true
-totp.verify_with_drift("492039", 60, Time.now - 90) # => false
+hotp.verify("316439", 1401) # => 1401
+hotp.verify("316439", 1402) # => nil
 ```
 ### Preventing reuse of Time based OTP's
-In order to prevent reuse of time based tokens within the interval window (default 30 seconds)
-it is necessary to store the last time an OTP was used. The following is an example of this in action:
+By keeping track of the last time a user's OTP was verified, we can prevent token reuse during
+the interval window (default 30 seconds)
+The following is an example of this in action:
 ```ruby
 User.find(someUserID)
 totp = ROTP::TOTP.new(user.otp_secret)
 totp.now # => "492039"
-user.last_otp_at # => 1472145530
+user.last_otp_at # => 1432703530
 # Verify the OTP
-verified_at_timestamp = totp.verify_with_drift_and_prior("492039", 0, user.last_otp_at) #=> 1472145760
+last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> 1472145760
+# ROTP returns the timestamp(int) of the current period
 # Store this on the user's account
-user.update(last_otp_at: verified_at_timestamp)
-verified_at_timestamp = totp.verify_with_drift_and_prior("492039", 0, user.last_otp_at) #=> false
+user.update(last_otp_at: last_otp_at)
+# Someone attempts to reused the OTP inside the 30s window
+last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> nil
+# It fails to verify because we are still in the same 30s interval window
+```
+### Verifying a Time based OTP with drift
+Some users may enter a code just after it has expired. By adding 'drift' you can allow
+for a recently expired token to remain valid.
+```ruby
+totp = ROTP::TOTP.new("base32secret3232")
+now = Time.at(1474590600) #2016-09-23 00:30:00 UTC
+totp.at(now) # => "250939"
+# OTP verified for current time along with 15 seconds earlier
+# ie. User enters a code just after it expired
+totp.verify("250939", drift_behind: 15, at: now + 35) # => 1474590600
+# User waits too long. Fails to validate previous OTP
+totp.verify("250939", drift_behind: 15, at: now + 45) # => nil
 ```
 ### Generating a Base32 Secret key
 ```ruby
-ROTP::Base32.random_base32  # returns a 16 character base32 secret. Compatible with Google Authenticator
+ROTP::Base32.random_base32  # returns a 32 character base32 secret. Compatible with Google Authenticator
 ```
 Note: The Base32 format conforms to [RFC 4648 Base32](http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet)
-### Google Authenticator Compatible URI's
+### Generating QR Codes for provisioning mobile apps
-Provisioning URI's generated by ROTP are compatible with the Google Authenticator App
-to be scanned with the in-built QR Code scanner.
+Provisioning URI's generated by ROTP are compatible with most One Time Password applications, including
+Google Authenticator.
 ```ruby
 totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP'
 hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP&counter=0'
 ```
-This can then be rendered as a QR Code which can then be scanned and added to the users
-list of OTP credentials.
+This can then be rendered as a QR Code which the user can scan using their mobile phone and the appropriate application.
 #### Working example
 Scan the following barcode with your phone, using Google Authenticator
-![QR Code for OTP](http://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP)
+![QR Code for OTP](https://cloud.githubusercontent.com/assets/2868/18771262/54f109dc-80f2-11e6-863f-d2be62ee587a.png)
 Now run the following and compare the output
@@ -133,8 +145,7 @@ bundle exec rspec
 ## Executable Usage
-Once the rotp rubygem is installed on your system, you should be able to run the `rotp` executable
-(if not, you might find trouble-shooting help [at this stackoverflow question](http://stackoverflow.com/a/909980)).
+The rotp rubygem includes an executable for helping with testing and debugging
 ```bash
 # Try this to get an overview of the commands
@@ -151,7 +162,7 @@ Have a look at the [contributors graph](https://github.com/mdp/rotp/graphs/contr
 ## License
-MIT Copyright (C) 2011 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
+MIT Copyright (C) 2016 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
 ## Other implementations

data/lib/rotp/base32.rb CHANGED

@@ -14,7 +14,7 @@ module ROTP
         output.join
       end
-      def random_base32(length=16)
+      def random_base32(length=32)
         b32 = String.new
         SecureRandom.random_bytes(length).each_byte do |b|
           b32 << CHARS[b % 32]

data/lib/rotp/cli.rb CHANGED

@@ -9,9 +9,11 @@ module ROTP
       @argv = argv
     end
+    # :nocov:
     def run
       puts output
     end
+    # :nocov:
     def errors
       if [:time, :hmac].include?(options.mode)
@@ -20,8 +22,6 @@ module ROTP
         elsif options.secret.to_s.chars.any? { |c| ROTP::Base32::CHARS.index(c.downcase) == nil }
           red 'Secret must be in RFC4648 Base32 format - http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet'
         end
-      elsif options.mode == :hmac && options.counter.to_i < 0
-        red 'You must also specify a --counter. Try --help for help.'
       end
     end
@@ -34,9 +34,6 @@ module ROTP
         ROTP::TOTP.new(options.secret).now
       elsif options.mode == :hmac
         ROTP::HOTP.new(options.secret).at options.counter
-      else
-        fail NotImplementedError
       end
     end

data/lib/rotp/hotp.rb CHANGED

@@ -2,33 +2,20 @@ module ROTP
   class HOTP < OTP
     # Generates the OTP for the given count
     # @param [Integer] count counter
-    # @option [Boolean] padding (false) Issue the number as a 0 padded string
     # @returns [Integer] OTP
-    def at(count, padding=true)
-      generate_otp(count, padding)
+    def at(count)
+      generate_otp(count)
     end
     # Verifies the OTP passed in against the current time OTP
-    # @param [String/Integer] otp the OTP to check against
-    # @param [Integer] counter the counter of the OTP
-    def verify(otp, counter)
-      super(otp, self.at(counter))
-    end
-    # Verifies the OTP passed in against the current time OTP, with a given number of retries.
-    # Returns the counter that was verified successfully
-    # @param [String/Integer] otp the OTP to check against
-    # @param [Integer] initial counter the counter of the OTP
-    # @param [Integer] number of retries
-    def verify_with_retries(otp, initial_count, retries = 1)
-      return false if retries <= 0
-      1.upto(retries) do |counter|
-        current_counter = initial_count + counter
-        return current_counter if verify(otp, current_counter)
-      end
-      false
+    # @param otp [String/Integer] the OTP to check against
+    # @param counter [Integer] the counter of the OTP
+    # @param retries [Integer] number of counters to incrementally retry
+    def verify(otp, counter, retries: 0)
+      counters = (counter..counter+retries).to_a
+      counters.find { |c|
+        super(otp, self.at(c))
+      }
     end
     # Returns the provisioning URI for the OTP

data/lib/rotp/otp.rb CHANGED

@@ -21,7 +21,7 @@ module ROTP
     # @option padded [Boolean] (false) Output the otp as a 0 padded string
     # Usually either the counter, or the computed integer
     # based on the Unix timestamp
-    def generate_otp(input, padded=true)
+    def generate_otp(input)
       hmac = OpenSSL::HMAC.digest(
         OpenSSL::Digest.new(digest),
         byte_secret,
@@ -33,19 +33,14 @@ module ROTP
         (hmac[offset + 1].ord & 0xff) << 16 |
         (hmac[offset + 2].ord & 0xff) << 8 |
         (hmac[offset + 3].ord & 0xff)
-      if padded
-        (code % 10 ** digits).to_s.rjust(digits, '0')
-      else
-        code % 10 ** digits
-      end
+      (code % 10 ** digits).to_s.rjust(digits, '0')
     end
     private
     def verify(input, generated)
-      unless input.is_a?(String) && generated.is_a?(String)
-        raise ArgumentError, "ROTP only verifies strings - See: https://github.com/mdp/rotp/issues/32"
-      end
+      raise ArgumentError, "`otp` should be a String" unless
+          input.is_a?(String)
       time_constant_compare(input, generated)
     end

data/lib/rotp/totp.rb CHANGED

@@ -14,64 +14,46 @@ module ROTP
     # Accepts either a Unix timestamp integer or a Time object.
     # Time objects will be adjusted to UTC automatically
-    # @param [Time/Integer] time the time to generate an OTP for
-    # @option [Boolean] padding (true) Issue the number as a 0 padded string
-    def at(time, padding=true)
-      unless time.class == Time
-        time = Time.at(time.to_i)
-      end
-      generate_otp(timecode(time), padding)
+    # @param time [Time/Integer] the time to generate an OTP for, integer unix timestamp or Time object
+    def at(time)
+      generate_otp(timecode(time))
     end
     # Generate the current time OTP
     # @return [Integer] the OTP as an integer
-    def now(padding=true)
-      generate_otp(timecode(Time.now), padding)
-    end
-    # Verifies the OTP passed in against the current time OTP
-    # @param [String/Integer] otp the OTP to check against
-    def verify(otp, time = Time.now)
-      super(otp, self.at(time))
-    end
-    # Verifies the OTP passed in against the current time OTP
-    # and adjacent intervals up to +drift+.
-    # @param [String] otp the OTP to check against
-    # @param [Integer] drift the number of seconds that the client
-    #     and server are allowed to drift apart
-    def verify_with_drift(otp, drift, time = Time.now)
-      time = time.to_i
-      times = (time-drift..time+drift).step(interval).to_a
-      times << time + drift if times.last < time + drift
-      times.any? { |ti| verify(otp, ti) }
+    def now()
+      generate_otp(timecode(Time.now))
     end
     # Verifies the OTP passed in against the current time OTP
     # and adjacent intervals up to +drift+.  Excludes OTPs
-    # from prior_time and earlier.  Returns time value of
+    # from `after` and earlier.  Returns time value of
     # matching OTP code for use in subsequent call.
-    # @param [String] otp the OTP to check against
-    # @param [Integer] drift the number of seconds that the client
-    #     and server are allowed to drift apart
-    # @param [Integer] time value of previous match
-    def verify_with_drift_and_prior(otp, drift, prior_time = nil, time = Time.now)
-      # calculate normalized bin start times based on drift
-      first_bin = (time - drift).to_i / interval * interval
-      last_bin = (time + drift).to_i / interval * interval
+    # @param otp [String] the one time password to verify
+    # @param drift_behind [Integer] how many seconds to look back
+    # @param drift_ahead [Integer] how many seconds to look ahead
+    # @param after [Integer] prevent token reuse, last login timestamp
+    # @param at [Time] time at which to generate and verify a particular
+    #   otp. default Time.now
+    # @return [Integer, nil] the last successful timestamp
+    #   interval
+    def verify(otp, drift_ahead: 0, drift_behind: 0, after: nil, at: Time.now)
+      timecodes = get_timecodes(at, drift_behind, drift_ahead)
-      # if prior_time was supplied, adjust first bin if necessary to exclude it
-      if prior_time
-        prior_bin = prior_time.to_i / interval * interval
-        first_bin = prior_bin + interval if prior_bin >= first_bin
-        # fail if we've already used the last available OTP code
-        return if first_bin > last_bin
+      if after
+        timecodes = timecodes.select { |t| t > timecode(after) }
       end
-      times = (first_bin..last_bin).step(interval).to_a
-      times.find { |ti| verify(otp, ti) }
+      result = nil
+      timecodes.each { |t|
+        if (super(otp, self.generate_otp(t)))
+          result = t * interval
+        end
+      }
+      return result
     end
     # Returns the provisioning URI for the OTP
     # This can then be encoded in a QR Code and used
     # to provision the Google Authenticator app
@@ -95,8 +77,24 @@ module ROTP
     private
+    # Get back an array of timecodes for a period
+    def get_timecodes(at, drift_behind, drift_ahead)
+      now = timeint(at)
+      timecode_start = timecode(now - drift_behind)
+      timecode_end = timecode(now + drift_ahead)
+      return (timecode_start..timecode_end).step(1).to_a
+    end
+    # Ensure UTC int
+    def timeint(time)
+      unless time.class == Time
+        return time.to_i
+      end
+      return time.utc.to_i
+    end
     def timecode(time)
-      time.utc.to_i / interval
+      return timeint(time) / interval
     end
   end

data/lib/rotp/version.rb CHANGED

@@ -1,3 +1,3 @@
 module ROTP
-  VERSION = "3.3.1"
+  VERSION = "4.0.0"
 end

data/spec/lib/rotp/arguments_spec.rb CHANGED

@@ -71,6 +71,20 @@ RSpec.describe ROTP::Arguments do
     end
   end
+  context 'generating a counter based secret' do
+    let(:argv) { %w(--time --secret s3same) }
+    describe '#options' do
+      it 'is in hmac mode' do
+        expect(options.mode).to eq :time
+      end
+      it 'knows the secret' do
+        expect(options.secret).to eq 's3same'
+      end
+    end
+  end
   context 'generating a time based secret' do
     let(:argv) { %w(--secret s3same) }

data/spec/lib/rotp/base32_spec.rb CHANGED

@@ -6,8 +6,8 @@ RSpec.describe ROTP::Base32 do
     context 'without arguments' do
       let(:base32) { ROTP::Base32.random_base32 }
-      it 'is 16 characters long' do
-        expect(base32.length).to eq 16
+      it 'is 32 characters long' do
+        expect(base32.length).to eq 32
       end
       it 'is hexadecimal' do

data/spec/lib/rotp/cli_spec.rb CHANGED

@@ -18,6 +18,30 @@ RSpec.describe ROTP::CLI do
     end
   end
+  context 'generating a TOTP with no secret' do
+    let(:argv) { %W(--time --secret) }
+    it 'prints the corresponding token' do
+      expect(output).to match 'You must also specify a --secret'
+    end
+  end
+  context 'generating a TOTP with bad base32 secret' do
+    let(:argv) { %W(--time --secret #{'1' * 32}) }
+    it 'prints the corresponding token' do
+      expect(output).to match 'Secret must be in RFC4648 Base32 format'
+    end
+  end
+  context 'trying to generate an unsupport type' do
+    let(:argv) { %W(--notreal --secret #{'a' * 32}) }
+    it 'prints the corresponding token' do
+      expect(output).to match 'invalid option: --notreal'
+    end
+  end
   context 'generating a HOTP' do
     let(:argv) { %W(--hmac --secret #{'a' * 32} --counter 1234) }

data/spec/lib/rotp/hotp_spec.rb CHANGED

@@ -14,14 +14,6 @@ RSpec.describe ROTP::HOTP do
       end
     end
-    context 'without padding' do
-      let(:token) { hotp.at counter, false }
-      it 'generates an integer OTP' do
-        expect(token).to eq 161024
-      end
-    end
     context 'RFC compatibility' do
       let(:hotp) { ROTP::HOTP.new('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ') }
@@ -69,6 +61,45 @@ RSpec.describe ROTP::HOTP do
         expect(hotp.verify(token, 10)).to be_falsey
       end
     end
+    describe 'with retries' do
+      let(:verification) { hotp.verify token, counter, retries:retries }
+      context 'counter outside than retries' do
+        let(:counter) { 1223 }
+        let(:retries) { 10 }
+        it 'is false' do
+          expect(verification).to be_falsey
+        end
+      end
+      context 'counter exactly in retry range' do
+        let(:counter) { 1224 }
+        let(:retries) { 10 }
+        it 'is true' do
+          expect(verification).to eq 1234
+        end
+      end
+      context 'counter in retry range' do
+        let(:counter) { 1224 }
+        let(:retries) { 11 }
+        it 'is true' do
+          expect(verification).to eq 1234
+        end
+      end
+      context 'counter ahead of token' do
+        let(:counter) { 1235 }
+        let(:retries) { 3 }
+        it 'is false' do
+          expect(verification).to be_falsey
+        end
+      end
+    end
   end
   describe '#provisioning_uri' do
@@ -98,59 +129,4 @@ RSpec.describe ROTP::HOTP do
     end
   end
-  describe '#verify_with_retries' do
-    let(:verification) { hotp.verify_with_retries token, counter, retries }
-    context 'negative retries' do
-      let(:retries) { -1 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'zero retries' do
-      let(:retries) { 0 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'counter lower than retries' do
-      let(:counter) { 1223 }
-      let(:retries) { 10 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'counter exactly in retry range' do
-      let(:counter) { 1224 }
-      let(:retries) { 10 }
-      it 'is true' do
-        expect(verification).to eq 1234
-      end
-    end
-    context 'counter in retry range' do
-      let(:counter) { 1224 }
-      let(:retries) { 11 }
-      it 'is true' do
-        expect(verification).to eq 1234
-      end
-    end
-    context 'counter too high' do
-      let(:counter) { 1235 }
-      let(:retries) { 3 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-  end
 end

data/spec/lib/rotp/totp_spec.rb CHANGED

@@ -1,25 +1,18 @@
 require 'spec_helper'
+TEST_TIME = Time.utc 2016,9,23,9 # 2016-09-23 09:00:00 UTC
+TEST_TOKEN = "082630"
 RSpec.describe ROTP::TOTP do
-  let(:now)   { Time.utc 2012,1,1 }
-  let(:token) { '068212' }
+  let(:now)   { TEST_TIME }
+  let(:token) { TEST_TOKEN }
   let(:totp)  { ROTP::TOTP.new 'JBSWY3DPEHPK3PXP' }
   describe '#at' do
-    context 'with padding' do
-      let(:token) { totp.at now }
-      it 'is a string number' do
-        expect(token).to eq '068212'
-      end
-    end
+    let(:token) { totp.at now }
-    context 'without padding' do
-      let(:token) { totp.at now, false }
-      it 'is an integer' do
-        expect(token).to eq 68212
-      end
+    it 'is a string number' do
+      expect(token).to eq TEST_TOKEN
     end
     context 'RFC compatibility' do
@@ -35,26 +28,26 @@ RSpec.describe ROTP::TOTP do
   end
   describe '#verify' do
-    let(:verification) { totp.verify token, now }
+    let(:verification) { totp.verify token, at: now }
     context 'numeric token' do
-      let(:token) { 68212 }
+      let(:token) { 82630 }
-      it 'raises an error' do
+      it 'raises an error with an integer' do
         expect { verification }.to raise_error(ArgumentError)
       end
     end
     context 'unpadded string token' do
-      let(:token) { '68212' }
+      let(:token) { '82630' }
-      it 'is false' do
+      it 'fails to verify' do
         expect(verification).to be_falsey
       end
     end
     context 'correctly padded string token' do
-      it 'is true' do
+      it 'verifies' do
         expect(verification).to be_truthy
       end
     end
@@ -70,17 +63,168 @@ RSpec.describe ROTP::TOTP do
         let(:token) { '102705' }
         let(:now)   { Time.at 1297553958 }
-        it 'is true' do
+        it 'verifies' do
           expect(totp.verify('102705')).to be_truthy
         end
       end
       context 'wrong time based OTP' do
-        it 'is false' do
+        it 'fails to verify' do
           expect(totp.verify('102705')).to be_falsey
         end
       end
     end
+    context 'invalidating reused tokens' do
+      let(:verification) {
+        totp.verify token,
+        after: after,
+        at: now
+      }
+      let(:after) { nil }
+      context 'passing in the `after` timestamp' do
+        let(:after) {
+          totp.verify TEST_TOKEN, after: nil, at: now
+        }
+        it 'returns a timecode' do
+          expect(after).to be_kind_of(Integer)
+          expect(after).to be_within(30).of(now.to_i)
+        end
+        context 'reusing same token' do
+          it 'is false' do
+            expect(verification).to be_falsy
+          end
+        end
+      end
+    end
+  end
+  def get_timecodes(at, b, a)
+    # Test the private method
+    totp.send('get_timecodes', at, b, a)
+  end
+  describe "drifting timecodes" do
+    it 'should get timecodes behind' do
+      expect(get_timecodes(TEST_TIME+15, 15, 0)).to eq([49154040])
+      expect(get_timecodes(TEST_TIME, 15, 0)).to eq([49154039, 49154040])
+      expect(get_timecodes(TEST_TIME, 40, 0)).to eq([49154038, 49154039, 49154040])
+      expect(get_timecodes(TEST_TIME, 90, 0)).to eq([49154037, 49154038, 49154039, 49154040])
+    end
+    it 'should get timecodes ahead' do
+      expect(get_timecodes(TEST_TIME, 0, 15)).to eq([49154040])
+      expect(get_timecodes(TEST_TIME+15, 0, 15)).to eq([49154040, 49154041])
+      expect(get_timecodes(TEST_TIME, 0, 30)).to eq([49154040, 49154041])
+      expect(get_timecodes(TEST_TIME, 0, 70)).to eq([49154040, 49154041, 49154042])
+      expect(get_timecodes(TEST_TIME, 0, 90)).to eq([49154040, 49154041, 49154042, 49154043])
+    end
+    it 'should get timecodes behind and ahead' do
+      expect(get_timecodes(TEST_TIME, 30, 30)).to eq([49154039, 49154040, 49154041])
+      expect(get_timecodes(TEST_TIME, 60, 60)).to eq([49154038, 49154039, 49154040, 49154041, 49154042])
+    end
+  end
+  describe '#verify with drift' do
+    let(:verification) { totp.verify token, drift_ahead: drift_ahead, drift_behind: drift_behind, at: now }
+    let(:drift_ahead) { 0 }
+    let(:drift_behind) { 0 }
+    context 'with an old OTP' do
+      let(:token) { totp.at TEST_TIME - 30 } # Previous token at 2016-09-23 08:59:30 UTC
+      let(:drift_behind) { 15 }
+      # Tested at 2016-09-23 09:00:00 UTC, and with drift back to 2016-09-23 08:59:45 UTC
+      # This would therefore include 2 intervals
+      it 'inside of drift range' do
+        expect(verification).to be_truthy
+      end
+      # Tested at 2016-09-23 09:00:20 UTC, and with drift back to 2016-09-23 09:00:05 UTC
+      # This only includes 1 interval, therefore only the current token is valid
+      context 'outside of drift range' do
+        let(:now)   { TEST_TIME + 20 }
+        it 'is nil' do
+          expect(verification).to be_nil
+        end
+      end
+    end
+    context 'with a future OTP' do
+      let(:token) { totp.at TEST_TIME + 30 } # The next valid token - 2016-09-23 09:00:30 UTC
+      let(:drift_ahead) { 15 }
+      # Tested at 2016-09-23 09:00:00 UTC, and ahead to 2016-09-23 09:00:15 UTC
+      # This only includes 1 interval, therefore only the current token is valid
+      it 'outside of drift range' do
+        expect(verification).to be_falsey
+      end
+      # Tested at 2016-09-23 09:00:20 UTC, and with drift ahead to 2016-09-23 09:00:35 UTC
+      # This would therefore include 2 intervals
+      context 'inside of drift range' do
+        let(:now)   { TEST_TIME + 20 }
+        it 'is true' do
+          expect(verification).to be_truthy
+        end
+      end
+    end
+  end
+  describe '#verify with drift and prevent token reuse' do
+    let(:verification) { totp.verify token, drift_ahead: drift_ahead, drift_behind: drift_behind, after: after, at: now }
+    let(:drift_ahead) { 0 }
+    let(:drift_behind) { 0 }
+    let(:after) { nil }
+    context 'with the `after` timestamp set' do
+      context 'older token' do
+        let(:token) { totp.at TEST_TIME - 30 }
+        let(:drift_behind) { 15 }
+        it 'is true' do
+          expect(verification).to be_truthy
+          expect(verification).to eq((TEST_TIME - 30).to_i)
+        end
+        context 'after it has been used' do
+          let(:after) {
+            totp.verify token, after: nil, at: now, drift_behind: drift_behind
+          }
+          it 'is false' do
+            expect(verification).to be_falsey
+          end
+        end
+      end
+      context 'newer token' do
+        let(:token) { totp.at TEST_TIME + 30 }
+        let(:drift_ahead) { 15 }
+        let(:now) { TEST_TIME + 15 }
+        it 'is true' do
+          expect(verification).to be_truthy
+          expect(verification).to eq((TEST_TIME + 30).to_i)
+        end
+        context 'after it has been used' do
+          let(:after) {
+            totp.verify token, after: nil, at: now, drift_ahead: drift_ahead
+          }
+          it 'is false' do
+            expect(verification).to be_falsey
+          end
+        end
+      end
+    end
   end
   describe '#provisioning_uri' do
@@ -161,115 +305,6 @@ RSpec.describe ROTP::TOTP do
   end
-  describe 'invalid_verification with nil time as argument' do
-    let(:verification) { totp.verify_with_drift token, drift, nil }
-    context 'positive drift' do
-      let(:token) { totp.at now - 30 }
-      let(:drift) { 60 }
-      it 'raises error' do
-        expect do
-          verification
-        end.to raise_error(ArgumentError)
-      end
-    end
-  end
-  describe '#verify_with_drift' do
-    let(:verification) { totp.verify_with_drift token, drift, now }
-    let(:drift) { 0 }
-    context 'slightly old number' do
-      let(:token) { totp.at now - 30 }
-      let(:drift) { 60 }
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
-    context 'slightly new number' do
-      let(:token) { totp.at now + 60 }
-      let(:drift) { 60 }
-      it 'is true' do
-        expect(verification).to be_truthy
-      end
-    end
-    context 'outside of drift range' do
-      let(:token) { totp.at now - 60 }
-      let(:drift) { 30 }
-      it 'is false' do
-        expect(verification).to be_falsey
-      end
-    end
-    context 'drift is not multiple of TOTP interval' do
-      context 'slightly old number' do
-        let(:token) { totp.at now - 45 }
-        let(:drift) { 45 }
-        it 'is true' do
-          expect(verification).to be_truthy
-        end
-      end
-      context 'slightly new number' do
-        let(:token) { totp.at now + 40 }
-        let(:drift) { 40 }
-        it 'is true' do
-          expect(verification).to be_truthy
-        end
-      end
-    end
-  end
-  describe '#verify_with_drift_and_prior' do
-    let(:verification) { totp.verify_with_drift_and_prior token, drift, prior, now }
-    let(:drift) { 0 }
-    let(:prior) { nil }
-    context 'with a prior verify' do
-      let(:prior) { totp.verify_with_drift_and_prior '068212', 0, nil, now }
-      it 'returns a timecode' do
-        expect(prior).to be_kind_of(Integer)
-        expect(prior).to be_within(30).of(now.to_i)
-      end
-      context 'reusing same token' do
-        it 'is false' do
-          expect(verification).to be_falsy
-        end
-      end
-      context 'newer token' do
-        let(:token) { totp.at now + 40 }
-        let(:drift) { 40 }
-        it 'is true' do
-          expect(verification).to be_kind_of(Integer)
-          expect(verification).to be_within(30).of(now.to_i)
-          expect(verification).to be_truthy
-        end
-      end
-      context 'older token' do
-        let(:token) { totp.at now - 40 }
-        let(:drift) { 40 }
-        it 'is false' do
-          expect(verification).to be_falsy
-        end
-      end
-    end
-  end
   describe '#now' do
     before do
       Timecop.freeze now

data/spec/spec_helper.rb CHANGED

@@ -1,6 +1,10 @@
+require 'simplecov'
+SimpleCov.start do
+  add_filter "/spec/"
+end
 require 'rotp'
 require 'timecop'
-require 'simplecov'
 RSpec.configure do |config|
   config.disable_monkey_patching!
@@ -13,6 +17,5 @@ RSpec.configure do |config|
   end
 end
-SimpleCov.start
 require_relative '../lib/rotp'

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rotp
 version: !ruby/object:Gem::Version
-  version: 3.3.1
+  version: 4.0.0
 platform: ruby
 authors:
 - Mark Percival
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-03-02 00:00:00.000000000 Z
+date: 2018-11-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -140,7 +140,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: rotp
-rubygems_version: 2.2.2
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: A Ruby library for generating and verifying one time passwords
@@ -151,4 +151,3 @@ test_files:
 - spec/lib/rotp/hotp_spec.rb
 - spec/lib/rotp/totp_spec.rb
 - spec/spec_helper.rb
-has_rdoc: