1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
package totp
import (
"encoding/base32"
"fmt"
"github.com/authelia/otp"
"github.com/authelia/otp/totp"
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/model"
)
// NewTimeBasedProvider creates a new totp.TimeBased which implements the totp.Provider.
func NewTimeBasedProvider(config schema.TOTP) (provider *TimeBased) {
provider = &TimeBased{
opts: NewTOTPOptionsFromSchema(config),
issuer: config.Issuer,
algorithm: config.DefaultAlgorithm,
digits: uint32(config.DefaultDigits), //nolint:gosec // Validated at runtime.
period: uint(config.DefaultPeriod), //nolint:gosec // Validated at runtime.
size: uint(config.SecretSize), //nolint:gosec // Validated at runtime.
}
if config.Skew != nil && *config.Skew >= 0 {
provider.skew = uint(*config.Skew)
} else {
provider.skew = 1
}
return provider
}
func NewTOTPOptionsFromSchema(config schema.TOTP) *model.TOTPOptions {
return &model.TOTPOptions{
Algorithm: config.DefaultAlgorithm,
Algorithms: config.AllowedAlgorithms,
Period: config.DefaultPeriod,
Periods: config.AllowedPeriods,
Length: config.DefaultDigits,
Lengths: config.AllowedDigits,
}
}
// TimeBased totp.Provider for production use.
type TimeBased struct {
opts *model.TOTPOptions
issuer string
algorithm string
digits uint32
period uint
skew uint
size uint
}
// GenerateCustom generates a TOTP with custom options.
func (p TimeBased) GenerateCustom(ctx Context, username, algorithm, secret string, digits uint32, period, secretSize uint) (config *model.TOTPConfiguration, err error) {
var key *otp.Key
var secretData []byte
if secret != "" {
if secretData, err = base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret); err != nil {
return nil, fmt.Errorf("totp generate failed: error decoding base32 string: %w", err)
}
}
if secretSize == 0 {
secretSize = p.size
}
opts := totp.GenerateOpts{
Issuer: p.issuer,
AccountName: username,
Period: period,
Secret: secretData,
SecretSize: secretSize,
Digits: otp.Digits(digits),
Algorithm: otpStringToAlgo(algorithm),
Rand: ctx.GetRandom(),
}
if key, err = totp.Generate(opts); err != nil {
return nil, err
}
config = &model.TOTPConfiguration{
CreatedAt: ctx.GetClock().Now(),
Username: username,
Issuer: p.issuer,
Algorithm: algorithm,
Digits: digits,
Secret: []byte(key.Secret()),
Period: period,
}
return config, nil
}
// Generate generates a TOTP with default options.
func (p TimeBased) Generate(ctx Context, username string) (config *model.TOTPConfiguration, err error) {
return p.GenerateCustom(ctx, username, p.algorithm, "", p.digits, p.period, p.size)
}
// Validate the token against the given configuration.
func (p TimeBased) Validate(ctx Context, token string, config *model.TOTPConfiguration) (valid bool, step uint64, err error) {
opts := totp.ValidateOpts{
Period: config.Period,
Skew: p.skew,
Digits: otp.Digits(config.Digits),
Algorithm: otpStringToAlgo(config.Algorithm),
}
return totp.ValidateCustomStep(token, string(config.Secret), ctx.GetClock().Now().UTC(), opts)
}
// Options returns the configured options for this provider.
func (p TimeBased) Options() model.TOTPOptions {
return *p.opts
}
var (
_ Provider = (*TimeBased)(nil)
)
|
