constantoine/totp-rs

Only works with generated codes?

Closed this issue · 5 comments

tmpfs commented

Hi,

Thanks for the library, it seems like just what I am looking for 👍

However, when I generate a QR code, scan it in an app (I am testing using Authy) and use a code generated by the app the calls to check() fail.

If I use a token from the result of calling generate() the call to check() passes - it is a different code.

I wonder if I am doing something wrong or if this needs more testing with third-party apps.

Any help much appreciated 🙏

constantoine commented

Hi,
Thanks for reaching out!
When choosing an algorithm, SHA1 is the default. Is it possible you chose another algorithm (SHA256 or SHA512)? Most 2FA apps only have support for SHA1, but will nonetheless accept the QR code, and then silently fail/fall back to SHA1.

tmpfs commented

@constantoine, I was just sitting drinking a coffee and thinking it might be the algorithm; I was using SHA256, reverting to the default SHA1 fixed the issue and the token now validates!

Thanks very much for pointing me in the right direction, I might add a PR with a warning in the doc comments if that's ok?

constantoine commented

That would be nice of you, yes!

HMAC-SHA1 being the default is mentioned here: https://datatracker.ietf.org/doc/html/rfc6238#section-5.1

tmpfs commented

That's done, a small PR with the warning.

That's fine that SHA1 is the default, but the apps should not silently fall back when another algorithm is specified.

Oddly enough, they fail with an error when I specify a blank string for the username 🤪

constantoine commented

Yeah, apparently instead of parsing the algorithm parameter, most apps outright don't read it, so they don't warn you. That caused much confusion for me too at first.

Thanks a lot for the PR!
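The failure mode described in this thread (the server provisions SHA256, the app never reads the `algorithm` parameter and computes HMAC-SHA1 codes, so the server's check rejects them), as an added stand-alone Python example written for this page rather than code from totp-rs. The function names `hotp`, `totp`, `check`, `uri_algorithm` and `app_token` are my own, the demo secret and URI are constructed, and the per-algorithm codes can be confirmed against the RFC 6238 Appendix B test vectors.

```python
"""RFC 6238 TOTP with a selectable HMAC hash, to show why an authenticator app that
ignores the otpauth ``algorithm`` parameter produces codes the server rejects.
Standard-library only; this is an added illustration, not totp-rs code."""
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Algorithm names as they appear in otpauth:// provisioning URIs.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, algorithm: str = "SHA1",
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, algorithm, digits)

def check(secret: bytes, token: str, unix_time: int, algorithm: str = "SHA1",
          digits: int = 6, step: int = 30, skew: int = 1) -> bool:
    """Accept a token from the current step or up to ``skew`` steps either side."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, algorithm, digits), token)
               for d in range(-skew, skew + 1))

def uri_algorithm(uri: str) -> str:
    """Algorithm requested by a provisioning URI; RFC 6238 makes SHA1 the default."""
    return parse_qs(urlparse(uri).query).get("algorithm", ["SHA1"])[0].upper()

def app_token(secret: bytes, uri: str, unix_time: int, honours_algorithm: bool) -> str:
    """Model an app: one that never reads the parameter silently falls back to SHA1."""
    alg = uri_algorithm(uri) if honours_algorithm else "SHA1"
    return totp(secret, unix_time, alg)

if __name__ == "__main__":
    secret, now = b"12345678901234567890123456789012", int(time.time())  # constructed secret
    uri = "otpauth://totp/demo:alice?secret=BASE32SECRET&algorithm=SHA256"  # placeholder secret
    token = app_token(secret, uri, now, honours_algorithm=False)
    print("SHA1 app token accepted by SHA256 server:", check(secret, token, now, "SHA256"))
```

Running it prints `False`: the app's SHA1 token never matches the SHA256 verifier, which is exactly what the reporter saw with `check()`.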