suvash / one-time
One Time Password (TOTP and HOTP) library for Clojure. TOTP/HOTP is widely used for Two Factor / Multi Factor Authentication.
License: Eclipse Public License 1.0
According to Grype the dependencies batik-util and batik-xml that one-time uses are vulnerable to Server-side request forgery (SSRF). Please provide an update.
✔ Vulnerability DB [no update available]
✔ Indexed target/package.jar
✔ Cataloged packages [112 packages]
✔ Scanned image [2 vulnerabilities]
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
batik-util 1.10 1.14 java-archive GHSA-2h63-qp69-fwvw High
batik-xml 1.10 1.14 java-archive GHSA-2h63-qp69-fwvw High
Dependency tree:
[one-time "0.7.0" :exclusions [[commons-codec]]]
[com.github.kenglxn.qrgen/javase "2.6.0"]
[com.github.kenglxn.qrgen/core "2.6.0"]
[com.google.zxing/javase "3.3.0"]
[com.beust/jcommander "1.48"]
[com.github.jai-imageio/jai-imageio-core "1.3.1"]
[com.google.zxing/core "3.3.0"]
[org.apache.xmlgraphics/batik-dom "1.10"]
[org.apache.xmlgraphics/batik-css "1.10"]
[org.apache.xmlgraphics/batik-ext "1.10"]
[org.apache.xmlgraphics/batik-xml "1.10"]
[xalan "2.7.2"]
[xalan/serializer "2.7.2"]
[xml-apis/xml-apis-ext "1.3.04"]
[xml-apis "1.3.04"]
[org.apache.xmlgraphics/batik-svggen "1.10"]
[org.apache.xmlgraphics/batik-awt-util "1.10"]
[org.apache.xmlgraphics/xmlgraphics-commons "2.2"]
[org.apache.xmlgraphics/batik-util "1.10"]
[org.apache.xmlgraphics/batik-constants "1.10"]
[org.apache.xmlgraphics/batik-i18n "1.10"]
[ring/ring-codec "1.1.2"]
Probably not a one-time issue, probably just me and/or github.
I'm trying to use the one-time code to set up my github 2fa, but it rejects the token every time.
Is there perhaps some time-zone or other dependency I'm missing?
I tried https://github.com/djui/clj-otp too, it's generating the same tokens, so unlikely a 'one-time' issue.
Sorry to ask here, didn't see other contact/forums for the question.
get-token doesn't always return codes that look like what the user is supposed to type in; sometimes I get 5 or 4 digit codes:
(get-token "OV2K2K5SOWKN2RCZ" 1) ;; => 3799
So I have to do some work to present this to the user (authenticator apps will pad with leading 0s).
I also have to do work to take what my form gives me and turn that into an int.
There is possibly another problem: Clojure treats numbers with leading 0s differently. I haven't run into this being an issue, but I imagine it could be for some people/situations.
(str 00003123) ;; => "1619"
(str 3123) ;; => "3123"
I think it would be simpler to keep these tokens as strings. Below is a proposed change to the get-token function; only the last line has been altered.
(defn get-token
  "Return a HOTP token (HMAC-Based One-Time Password Algorithm)
  based on a secret and a counter, as specified in
  https://tools.ietf.org/html/rfc4226"
  ([secret counter]
   ;; Use HMAC-SHA-1 as default when not provided
   (get-token secret counter :hmac-sha-1))
  ([secret counter hmac-sha-type]
   (let [digest (hmac-sha-digest secret counter hmac-sha-type)
         offset (bit-and (digest 19) 0xf)
         code   (bit-or (bit-shift-left (bit-and (digest offset) 0x7f) 24)
                        (bit-shift-left (bit-and (digest (+ offset 1)) 0xff) 16)
                        (bit-shift-left (bit-and (digest (+ offset 2)) 0xff) 8)
                        (bit-and (digest (+ offset 3)) 0xff))]
     (->>
      (rem code 1000000)
      (format "%06d")))))
Hello,
I added one-time/one-time {:mvn/version "0.8.0"} to my deps.edn and tried to start my project. It was able to find a bunch of jars but choked on one:
$ clojure -M:dev:cms:nrepl
Error building classpath. Could not find artifact com.github.kenglxn.qrgen:javase:jar:2.6.0 in central (https://repo1.maven.org/maven2/)
I found this issue which appears to describe the same problem. However, javase and jitpack are new to me, so I don't quite understand the fix.
Hi Suvash,
first of all thanks for the library! Kudos for the great work.
I'm wondering what the :time-step option does.
Actually, I got a rough idea:
one-time.totp> (counter-since-epoch (Date.) 40)
38697200
one-time.totp> (counter-since-epoch (Date.) 20)
77394401
one-time.totp> (counter-since-epoch (Date.) 30)
51596267
So, it divides the time in chunks.
But I don't know the purpose of this. What would be a use case for setting a :time-step value other than 30? And what's the current effect of the default value of 30?
Thanks - Victor
Hello and thanks for this great library.
In order to accommodate end users who might have clock drift issues (especially common with dedicated hardware MFA devices), https://tools.ietf.org/html/rfc6238#section-6 recommends handling time-steps around the current date.
Currently, the library doesn't offer any OOTB way to handle those drifts.
It can be circumvented in a few ways though:
(ns foo.core
  (:require [one-time.core :as ot])
  (:import java.util.Date))

(def drift-window-limit 1)
(def time-step 30)

;; Validate using date offsets. It works but it's a bit convoluted imo
(comment
  (defn- plus-seconds
    [date seconds]
    (-> date .toInstant (.plusSeconds seconds) Date/from))

  (defn- get-dates-in-window
    [date time-step window]
    ;; reference date shifted by -window..+window whole time-steps
    (->> (range (- window) (inc window))
         (map #(plus-seconds date (* time-step %)))))

  (let [secret-key (ot/generate-secret-key)
        ;; token generated one time-step in the past (simulated drift)
        date       (plus-seconds (Date.) (- time-step))
        token      (ot/get-totp-token secret-key {:date      date
                                                  :time-step time-step})]
    (->> (get-dates-in-window (Date.) time-step drift-window-limit)
         (some #(ot/is-valid-totp-token? token secret-key {:date      %
                                                           :time-step time-step}))))
  ;; => true
  )

;; We could validate using get-hotp-token too, but that would mean
;; reimplementing one-time.totp/counter-since-epoch, which is less
;; than ideal
One way to introduce this feature would be by adding a :time-step-offset in the option map passed to get-totp-token and is-valid-totp-token?. This parameter would then be used to adjust the counter fed to get-hotp-token by adding this parameter to the result of counter-since-epoch.
That way, it would be pretty trivial for developers to implement:
Let me know if you're ok with the idea.
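A worked reference for three of the threads above (the zero-padded string token proposed for get-token, what :time-step does to the counter, and the RFC 6238 section 6 drift window), as an added example that is not the one-time library's code: a plain-Python HOTP/TOTP checked against the RFC 4226 / RFC 6238 SHA-1 test-vector secret. The function names and the `window` parameter are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed secret: the ASCII key used by the RFC 4226 and RFC 6238 SHA-1 test vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. Returns a zero-padded string, never an int, so a value
    such as 3799 is presented as "003799", exactly as authenticator apps do."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation (RFC 4226 5.3)
    code = ((digest[offset] & 0x7F) << 24
            | (digest[offset + 1] & 0xFF) << 16
            | (digest[offset + 2] & 0xFF) << 8
            | (digest[offset + 3] & 0xFF))
    return f"{code % 10 ** digits:0{digits}d}"


def counter_since_epoch(unix_time: int, time_step: int = 30) -> int:
    """RFC 6238: T = floor((unix_time - T0) / X) with T0 = 0; X is the :time-step.
    A larger step means one code stays valid longer and the counter grows slower."""
    return unix_time // time_step


def totp(secret: bytes, unix_time: int, time_step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP over the time-derived counter."""
    return hotp(secret, counter_since_epoch(unix_time, time_step), digits)


def verify_totp(secret: bytes, token: str, unix_time: int, time_step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a token for counters T-window..T+window (RFC 6238 section 6
    resynchronisation). `window` is this example's name for the drift limit.
    Rejects malformed input and compares in constant time."""
    if len(token) != digits or not token.isdigit():
        return False
    base = counter_since_epoch(unix_time, time_step)
    return any(hmac.compare_digest(hotp(secret, base + off, digits), token)
               for off in range(-window, window + 1))
```

Keep `window` small (1 is typical): every extra step widens the set of codes a server accepts at any instant.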
I have to add this to my deps.edn or Clojure throws nonsense errors:
:mvn/repos {"jitpack"            {:url "https://jitpack.io"}
            "sonatype"           {:url "https://oss.sonatype.org/content/repositories/releases"
                                  :snapshots false
                                  :releases {:checksum :fail :update :always}}
            "sonatype-snapshots" {:url "https://oss.sonatype.org/content/repositories/snapshots"
                                  :snapshots true
                                  :releases {:checksum :fail :update :always}}}
I have also tried converting the project.clj to deps.edn in my fork, but I still need to add these to my project that uses this library. Maybe this is normal and needs to be added to the docs, or maybe there is a way to eliminate the dependent repos.