question - how to support steam?
Closed this issue · 11 comments
Steam Authenticator uses TOTP but with digits=5
.
Is this something you're interested in supporting, somehow?
I'd love to see this as well!
It's not just digits=5, because the authenticator also shows alphabetic characters.
Here's an example implementation: https://github.com/ran-sama/python-steam-authenticator/blob/master/steam.py
@constantoine Just a small note, I was able to extract my Steam key without using Android (there's a desktop app and it stores the totp secret in a plaintext json file if you opt-out of "encryption". I think there's also a non-root Android method but I haven't tried. (I can't speak to the API changes, not experienced enough with writing Rust libs or using totp-rs to have thoughts!)
I also don't know enough about HOTP/TOTP, but if the Steam implementation of the actual underlying "math" is different, maybe it's not appropriate here, I'm not sure. I was hoping it was "same algorithm just with 5 instead of 6".
@colemickens huh, that's definetly interesting, I didn't know about that
It is actually the same maths, the only difference is once you get a numeric result, the way you display it is just a tad bit different
@constantoine I'd be happy to implement a Algorithm::Steam
behind a steam
feature. Should I give that a try?
By the way, I do have a rooted phone. Aegis outputs Steam as:
otpauth://steam/Steam%3Atimvisee?period=30&digits=5&algorithm=SHA1&secret=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567&issuer=Steam
So that means:
- a different path:
steam
- a
:
in the account name: `Steam:timvisee - 5 digits
- a different algorithm
The Issuer:AccountName part is nice/standard, so that won't be a problem
The Issuer:AccountName part is nice/standard, so that won't be a problem
Usage of :
is currently prevented by this:
Lines 265 to 267 in d460bd2
I'll remove that then.
I see the confusion
When instanciating from the API, the lib asks for an Issuer and an AccountName
When parsing from a URL, it will need to be in the form of
otpauth://totp/Issuer:AccountName?issuer=Issuer
Since Issuer and AccountName are separated from a :
, they can't contain :
themselves
It seems that the account name is commonly encoded using URL encoding, which would mean it can contain a :
as %3A
, which is also what you see here: #45 (comment)
That means that the :
check may be used in from_url
. And that (edit: already done)TOTP::get_url()
should encode the account name.
Hey @colemickens @timvisee, just a quick ping to tell you v4.1 has been released :)