
suvash / one-time

160.0 8.0 17.0 180 KB

One Time Password (TOTP and HOTP) library for Clojure. TOTP and HOTP are widely used for Two Factor / Multi Factor Authentication.

License: Eclipse Public License 1.0

Clojure 92.83% Makefile 6.34% Dockerfile 0.82%
hotp totp two-factor-authentication multi-factor-authentication clojure qrcode authy google-authenticator 2fa mfa clojure-library

one-time's People

Contributors

loudnl, lvh, megakorre, pyons, suvash, tampix, trevorbernard


one-time's Issues

Please update dependency versions OSV:GHSA-2H63-QP69-FWVW

According to Grype, the dependencies batik-util and batik-xml that one-time uses are vulnerable to Server-side request forgery (SSRF). Please provide an update.

OSV:GHSA-2H63-QP69-FWVW

 ✔ Vulnerability DB        [no update available]
 ✔ Indexed target/package.jar
 ✔ Cataloged packages      [112 packages]
 ✔ Scanned image           [2 vulnerabilities]
NAME        INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
batik-util  1.10       1.14      java-archive  GHSA-2h63-qp69-fwvw  High
batik-xml   1.10       1.14      java-archive  GHSA-2h63-qp69-fwvw  High

Dependency tree:

[one-time "0.7.0" :exclusions [[commons-codec]]]
   [com.github.kenglxn.qrgen/javase "2.6.0"]
     [com.github.kenglxn.qrgen/core "2.6.0"]
     [com.google.zxing/javase "3.3.0"]
       [com.beust/jcommander "1.48"]
       [com.github.jai-imageio/jai-imageio-core "1.3.1"]
       [com.google.zxing/core "3.3.0"]
     [org.apache.xmlgraphics/batik-dom "1.10"]
       [org.apache.xmlgraphics/batik-css "1.10"]
       [org.apache.xmlgraphics/batik-ext "1.10"]
       [org.apache.xmlgraphics/batik-xml "1.10"]
       [xalan "2.7.2"]
         [xalan/serializer "2.7.2"]
       [xml-apis/xml-apis-ext "1.3.04"]
       [xml-apis "1.3.04"]
     [org.apache.xmlgraphics/batik-svggen "1.10"]
       [org.apache.xmlgraphics/batik-awt-util "1.10"]
         [org.apache.xmlgraphics/xmlgraphics-commons "2.2"]
       [org.apache.xmlgraphics/batik-util "1.10"]
         [org.apache.xmlgraphics/batik-constants "1.10"]
         [org.apache.xmlgraphics/batik-i18n "1.10"]
   [ring/ring-codec "1.1.2"]
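If 0.7.0 has to stay in place until the library bumps its own dependency, the flagged artifacts can be overridden from the consuming project. The deps.edn below is an added example, not from one-time or from this issue: it relies on tools.deps selecting a top-level coordinate over any transitive version of the same library, pins every Batik module in the tree above to the 1.14 that Grype lists under FIXED-IN (moving all of them together is a deliberate choice, since mixed Batik versions on one classpath is an assumption nobody tests), and declares the jitpack repository that com.github.kenglxn.qrgen is served from. The Leiningen equivalent is to list the same coordinates directly in :dependencies, where a direct dependency also wins over a transitive one.

```clojure
;; deps.edn of the consuming project (added example, not from one-time).
{:mvn/repos {;; com.github.kenglxn.qrgen is published on jitpack, not on Maven Central
             "jitpack" {:url "https://jitpack.io"}}

 :deps {one-time/one-time {:mvn/version "0.7.0"}

        ;; A top-level coordinate overrides every transitive occurrence of the same
        ;; library, so these replace the 1.10 Batik modules that reach the classpath
        ;; through com.github.kenglxn.qrgen/javase. All Batik modules in the tree
        ;; are moved together to the FIXED-IN release that Grype reported.
        org.apache.xmlgraphics/batik-dom       {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-css       {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-ext       {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-xml       {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-svggen    {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-awt-util  {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-util      {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-constants {:mvn/version "1.14"}
        org.apache.xmlgraphics/batik-i18n      {:mvn/version "1.14"}}}
```

Confirm the resulting tree with `clojure -X:deps tree` and rescan the built jar with Grype; nothing in the override changes what one-time itself does, it only changes which Batik jars end up on the classpath. The 0.8.0 release, judging by the classpath log in the issue further down, pulls Batik 1.15 and zxing 3.5.0 on its own, so upgrading is the simpler route where it is available.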

get-token should probably return strings, not ints

get-token doesn't always return codes that look like what the user is supposed to type in; sometimes I get 5- or 4-digit codes

(get-token "OV2K2K5SOWKN2RCZ" 1) ;; => 3799

So I have to do some work to present this to the user (authenticator apps will pad with leading 0s).

Also, I have to do work to take what my form gives me and turn that into an int.

There is possibly another problem: Clojure does treat numbers with leading 0s differently. I haven't run into this being an issue, but I imagine it could be for some people/situations.

(str 00003123) ;; => "1619"
(str 3123) ;; => "3123"

I think it would be simpler to keep these tokens as strings. Below is a proposed change to the get-token function;
only the last line has been altered.

(defn get-token
  "Return a HOTP token (HMAC-Based One-Time Password Algorithm)
   based on a secret and a counter, as specified in
   https://tools.ietf.org/html/rfc4226"
  ([secret counter]
   ;; Use HMAC-SHA-1 as default when not provided
   (get-token secret counter :hmac-sha-1))
  ([secret counter hmac-sha-type]
   (let [digest (hmac-sha-digest secret counter hmac-sha-type)
         ;; Dynamic truncation (RFC 4226 section 5.3): the low 4 bits of the
         ;; last digest byte (byte 19 of a 20-byte HMAC-SHA-1 digest) select
         ;; where the 4-byte code is read from
         offset (bit-and (digest 19) 0xf)
         ;; 31-bit big-endian integer taken from the digest at that offset
         code (bit-or (bit-shift-left (bit-and (digest offset) 0x7f) 24)
                (bit-shift-left (bit-and (digest (+ offset 1)) 0xff) 16)
                (bit-shift-left (bit-and (digest (+ offset 2)) 0xff) 8)
                (bit-and (digest (+ offset 3)) 0xff))]
     ;; Keep the low 6 decimal digits and zero-pad, so 3799 becomes "003799"
     (->>
       (rem code 1000000)
       (format "%06d")))))

Error building classpath. Could not find artifact com.github.kenglxn.qrgen:javase:jar:2.6.0 in central

Hello,

I added one-time/one-time {:mvn/version "0.8.0"} to my deps.edn and tried to start my project. It was able to find a bunch of jars but choked on one:

$ clojure -M:dev:cms:nrepl
Downloading: one-time/one-time/0.8.0/one-time-0.8.0.pom from clojars
Downloading: com/google/zxing/javase/3.5.0/javase-3.5.0.pom from central
Downloading: org/apache/xmlgraphics/batik-svggen/1.15/batik-svggen-1.15.pom from central
Downloading: org/apache/xmlgraphics/batik-dom/1.15/batik-dom-1.15.pom from central
Downloading: com/google/zxing/zxing-parent/3.5.0/zxing-parent-3.5.0.pom from central
Downloading: org/apache/xmlgraphics/batik/1.15/batik-1.15.pom from central
Downloading: org/apache/xmlgraphics/batik-css/1.15/batik-css-1.15.pom from central
Downloading: org/apache/xmlgraphics/batik-util/1.15/batik-util-1.15.pom from central
Downloading: org/apache/xmlgraphics/batik-shared-resources/1.15/batik-shared-resources-1.15.pom from central
Downloading: org/apache/xmlgraphics/batik-ext/1.15/batik-ext-1.15.pom from central
Downloading: xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.pom from central
Downloading: org/apache/xmlgraphics/batik-xml/1.15/batik-xml-1.15.pom from central
Downloading: xml-apis/xml-apis-ext/1.3.04/xml-apis-ext-1.3.04.pom from central
Downloading: org/apache/xmlgraphics/batik-awt-util/1.15/batik-awt-util-1.15.pom from central
Downloading: com/beust/jcommander/1.82/jcommander-1.82.pom from central
Downloading: com/github/jai-imageio/jai-imageio-core/1.4.0/jai-imageio-core-1.4.0.pom from central
Downloading: com/google/zxing/core/3.5.0/core-3.5.0.pom from central
Downloading: org/apache/xmlgraphics/xmlgraphics-commons/2.7/xmlgraphics-commons-2.7.pom from central
Downloading: org/apache/xmlgraphics/batik-constants/1.15/batik-constants-1.15.pom from central
Downloading: org/apache/xmlgraphics/batik-i18n/1.15/batik-i18n-1.15.pom from central
Downloading: org/apache/apache/7/apache-7.pom from central
Downloading: commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.pom from central
Downloading: org/apache/xmlgraphics/batik-dom/1.15/batik-dom-1.15.jar from central
Downloading: org/apache/xmlgraphics/batik-xml/1.15/batik-xml-1.15.jar from central
Downloading: org/apache/xmlgraphics/batik-svggen/1.15/batik-svggen-1.15.jar from central
Downloading: org/apache/xmlgraphics/xmlgraphics-commons/2.7/xmlgraphics-commons-2.7.jar from central
Downloading: org/apache/xmlgraphics/batik-css/1.15/batik-css-1.15.jar from central
Downloading: xml-apis/xml-apis-ext/1.3.04/xml-apis-ext-1.3.04.jar from central
Downloading: org/apache/xmlgraphics/batik-constants/1.15/batik-constants-1.15.jar from central
Downloading: com/github/jai-imageio/jai-imageio-core/1.4.0/jai-imageio-core-1.4.0.jar from central
Downloading: commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar from central
Downloading: xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.jar from central
Downloading: org/apache/xmlgraphics/batik-shared-resources/1.15/batik-shared-resources-1.15.jar from central
Downloading: org/apache/xmlgraphics/batik-util/1.15/batik-util-1.15.jar from central
Downloading: org/apache/xmlgraphics/batik-awt-util/1.15/batik-awt-util-1.15.jar from central
Downloading: org/apache/xmlgraphics/batik-i18n/1.15/batik-i18n-1.15.jar from central
Downloading: com/google/zxing/core/3.5.0/core-3.5.0.jar from central
Downloading: com/google/zxing/javase/3.5.0/javase-3.5.0.jar from central
Downloading: com/beust/jcommander/1.82/jcommander-1.82.jar from central
Downloading: org/apache/xmlgraphics/batik-ext/1.15/batik-ext-1.15.jar from central
Downloading: one-time/one-time/0.8.0/one-time-0.8.0.jar from clojars
Error building classpath. Could not find artifact com.github.kenglxn.qrgen:javase:jar:2.6.0 in central (https://repo1.maven.org/maven2/)

I found this issue which appears to describe the same problem. However, javase and jitpack are new to me, so I don't quite understand the fix.

Document the notion of time-steps

Hi Suvash,

first of all thanks for the library! Kudos for the great work.

I'm wondering what the :time-step option does.

Actually, I got a rough idea:

one-time.totp> (counter-since-epoch (Date.) 40)
38697200
one-time.totp> (counter-since-epoch (Date.) 20)
77394401
one-time.totp> (counter-since-epoch (Date.) 30)
51596267

So, it divides the time into chunks.

But I don't know the purpose of this? What would be a use case for setting a :time-step value other than 30? And what's the current effect of the default value of 30?

Thanks - Victor

[feature request] TOTP support for time-step offset

Hello and thanks for this great library.

In order to accommodate end users who might have clock drift issues (especially common with dedicated hardware MFA device), https://tools.ietf.org/html/rfc6238#section-6 recommends to handle time-steps around the current date.

Currently, the library doesn't offer any OOTB way to handle those drifts.

It can be circumvented in a few ways though:

(ns foo.core
  (:require [one-time.core :as ot])
  (:import java.util.Date))

(def drift-window-limit 1)
(def time-step 30)

;; Validate using date offsets. It works but it's a bit convoluted imo
(comment
  (defn- plus-seconds
    [date seconds]
    (-> date .toInstant (.plusSeconds seconds) Date/from))

  ;; Every date from -window to +window time-steps around `date`
  (defn- get-dates-in-window
    [date time-step window]
    (->> (range (- window) (inc window))
         (map #(plus-seconds date (* time-step %)))))

  (let [secret-key (ot/generate-secret-key)
        ;; Token minted one time-step in the past, as a client with a slow clock would
        date       (plus-seconds (Date.) (- time-step))
        token      (ot/get-totp-token secret-key {:date date
                                                  :time-step time-step})]
    ;; Accept the token if it validates at any date in the window
    (->> (get-dates-in-window (Date.) time-step drift-window-limit)
         (some #(ot/is-valid-totp-token? token secret-key {:date %
                                                           :time-step time-step}))))
    ;; => true
    )

;; We could validate using get-hotp-token too, but that would mean
;; reimplementing one-time.totp/counter-since-epoch, which is less
;; than ideal

One way to introduce this feature would be by adding a :time-step-offset in the option map passed to get-totp-token and is-valid-totp-token?. This parameter would then be used to adjust the counter fed to get-hotp-token by adding this parameter to the result of counter-since-epoch.

That way, it would be pretty trivial for developers to implement:

  • Clock drift synchronization (persist an offset and feed it to the library)
  • Error window (feed -1, 0 and 1 as offsets to the library to accommodate small clock drifts / slow typing from the end user)
  • Combination of both of the above

Let me know if you're ok with the idea.
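The three issues above about string tokens, the meaning of :time-step and a counter offset all come down to the same two lines of RFC 6238: the counter is the number of whole time-steps since the Unix epoch, and a verifier tolerates drift by also trying the counters a step or two either side. The following is an added, self-contained example, not one-time's code: the function names are mine, it takes raw key bytes where one-time takes a Base32 secret, and it is HMAC-SHA-1 only. It returns the zero-padded string the first issue asks for, exposes the time-step and a counter offset as the last issue proposes, compares the submitted code in constant time, and checks itself against the vectors published in RFC 4226 Appendix D and RFC 6238 Appendix B.

```clojure
(ns example.otp
  "Added example, not code from one-time: RFC 4226 HOTP and RFC 6238 TOTP with
   zero-padded string codes, a counter offset for drift windows, and a
   constant-time comparison of the submitted code."
  (:import [javax.crypto Mac]
           [javax.crypto.spec SecretKeySpec]
           [java.security MessageDigest]
           [java.nio ByteBuffer]
           [java.nio.charset StandardCharsets]))

(defn- hmac-sha1 ^bytes [^bytes k ^bytes msg]
  (let [mac (Mac/getInstance "HmacSHA1")]
    (.init mac (SecretKeySpec. k "HmacSHA1"))
    (.doFinal mac msg)))

(defn hotp
  "RFC 4226 HOTP for raw key bytes `secret` and a 64-bit `counter`, returned as a
   zero-padded string of `digits` characters, so 81804 is presented as \"081804\"."
  ([secret counter] (hotp secret counter 6))
  ([secret counter digits]
   (let [msg    (.array (.putLong (ByteBuffer/allocate 8) (long counter))) ; big-endian counter
         h      (hmac-sha1 secret msg)
         ;; Dynamic truncation: the low 4 bits of the LAST digest byte select the
         ;; offset, which also holds for the longer SHA-256/512 digests.
         offset (bit-and (aget h (dec (alength h))) 0xf)
         code   (bit-or (bit-shift-left (bit-and (aget h offset) 0x7f) 24)
                        (bit-shift-left (bit-and (aget h (+ offset 1)) 0xff) 16)
                        (bit-shift-left (bit-and (aget h (+ offset 2)) 0xff) 8)
                        (bit-and (aget h (+ offset 3)) 0xff))]
     (format (str "%0" digits "d") (mod code (apply * (repeat digits 10)))))))

(defn totp-counter
  "Whole `time-step`-second windows elapsed since the Unix epoch (RFC 6238 section 4.2).
   With the default step of 30 the counter, and so the code, changes twice a minute."
  [unix-seconds time-step]
  (quot unix-seconds time-step))

(defn totp
  "TOTP code at `unix-seconds`. `offset` moves the counter by whole steps; a verifier
   uses it to try the neighbouring windows when the client's clock has drifted."
  ([secret unix-seconds] (totp secret unix-seconds 30 0))
  ([secret unix-seconds time-step offset]
   (hotp secret (+ (totp-counter unix-seconds time-step) offset))))

(defn- constant-time=
  "Compare two codes without exiting early at the first differing character."
  [^String a ^String b]
  (MessageDigest/isEqual (.getBytes a StandardCharsets/US_ASCII)
                         (.getBytes b StandardCharsets/US_ASCII)))

(defn valid-totp?
  "True if `submitted` (the string exactly as typed) equals the code for any counter in
   [now - window, now + window]. Keep `window` small: every extra step accepted is one
   more code an attacker may guess, so pair it with rate limiting."
  [secret submitted unix-seconds {:keys [time-step window] :or {time-step 30 window 1}}]
  (let [candidates (map #(totp secret unix-seconds time-step %)
                        (range (- window) (inc window)))]
    ;; Compare against every candidate so timing does not reveal which one matched.
    (reduce (fn [matched? code] (or (constant-time= (str submitted) code) matched?))
            false
            candidates)))

;; Test secret from RFC 4226 Appendix D / RFC 6238 Appendix B (ASCII "12345678901234567890").
;; one-time takes a Base32-encoded secret instead; the raw bytes are used here to
;; match the published vectors.
(def ^:private rfc-secret (.getBytes "12345678901234567890" StandardCharsets/US_ASCII))

(defn rfc-self-test
  "Checks against published vectors: HOTP counter 0 is 755224 (RFC 4226); at t=59
   RFC 6238 lists 94287082 and at t=1111111109 lists 07081804, whose low six digits
   are 287082 and 081804. The last three calls exercise the drift window and show why
   the code must stay a string: the integer 81804 is rejected."
  []
  (and (= "755224" (hotp rfc-secret 0))
       (= "287082" (totp rfc-secret 59))
       (= "081804" (totp rfc-secret 1111111109))
       (valid-totp? rfc-secret "081804" 1111111130 {})              ; one step behind, accepted
       (not (valid-totp? rfc-secret "081804" 1111111130 {:window 0}))
       (not (valid-totp? rfc-secret 81804 1111111130 {}))))
```

Evaluating `(rfc-self-test)` in a REPL returns true when the implementation agrees with the RFCs. The persisted-offset idea from the issue maps onto the `offset` argument of `totp` directly: store the offset at which a user's code last validated and pass it back in, then widen to a window of 1 around it.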

dependent repos need to be added to deps.edn file

I have to add this to my deps.edn or Clojure throws nonsense errors

 :mvn/repos {
             "jitpack" {:url "https://jitpack.io"}
             "sonatype" {:url "https://oss.sonatype.org/content/repositories/releases"
                         :snapshots false
                         :releases {:checksum :fail :update :always}}
             "sonatype-snapshots" {:url "https://oss.sonatype.org/content/repositories/snapshots"
                                   :snapshots true
                                   :releases {:checksum :fail :update :always}}}

I have also tried converting the project.clj to deps.edn in my fork, but I still need to add these to my project that uses this library. Maybe this is normal and needs to be added to the docs, or maybe there is a way to eliminate the dependent repos.
