Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to generate a token that is valid only 15 minutes? #124

Open
MacgyverMartins opened this issue Apr 26, 2019 · 3 comments
Open

How to generate a token that is valid only 15 minutes? #124

MacgyverMartins opened this issue Apr 26, 2019 · 3 comments

Comments

@MacgyverMartins
Copy link

Hi all!
I'm tring to implement this logic:
User types his email and the API send him a token by email (without use Google Authenticator) .
This token has to be valid only for 15 minutes. But all my tentatives after generate token return false.

First question: Can I do this with speakeasy without use Google Auth.. ?
Second question: If yes, do you guys can help me, by showing what I am doing wrong in this code below?

    // generate token
    const secret = speakeasy.generateSecret();
    const base32secret = secret.base32;

    const access = await Access.findOne({ where: { email: email } });
    access.base32secret = secret.base32;
    await access.save();

    return speakeasy.totp({
      secret: base32secret,
      encoding: 'base32',
      step: 900
    });
  // validate
  const access = await Access.findOne({ where: { email: email } });
  return speakeasy.totp.verify({
    secret: access.base32secret,
    encoding: 'base32',
    token: token
  });

If I remove step it works, but just for 30 seconds
How can I change this?
Thanks a lot
@MacgyverMartins MacgyverMartins changed the title How to generate a token that is valid only 15 minutes after been generate How to generate a token that is valid only 15 minutes? Apr 26, 2019
@railsstudent
Copy link
Collaborator

railsstudent commented Apr 28, 2019
edited

use window delta
There is example in https://github.com/speakeasyjs/speakeasy/wiki/General-Usage-for-Time-Based-Token that uses custom time
Test the delta of the token at a custom time is between 0 and 30.

@MacgyverMartins
Copy link
Author

Thanks @railsstudent
Sorry, but I still don't understanding very well.

I try this:

token = speakeasy.totp({ secret: secret.base32, encoding: 'base32', step: 60 });

// return true
speakeasy.totp.verify({ secret: secret.base32, encoding: 'base32', token: token, window: 6, step: 60});

// returns {delta: -8}
speakeasy.totp.verifyDelta({ secret: secret.base32, encoding: 'base32', token: token, window: 15, step: 60});

Is that right? Is this the right way ensure that token is valid only 15 minutes from now?

@railsstudent
Copy link
Collaborator

Sorry, my previous reply is incorrect.

if the token is valid for 15 minutes, step is 60 * 15 = 900. Therefore,

// token expires every 15 minutes
token = speakeasy.totp({ secret: secret.base32, encoding: 'base32', step: 900 });

// validate token against the current time
// return true
speakeasy.totp.verify({ secret: secret.base32, encoding: 'base32', token: token, step: 900});

// compute the delta against the current time
// return {delta: 0}
speakeasy.totp.verify({ secret: secret.base32, encoding: 'base32', token: token, step: 900});

Thanks @railsstudent
Sorry, but I still don't understanding very well.

I try this:

token = speakeasy.totp({ secret: secret.base32, encoding: 'base32', step: 60 });

// return true
speakeasy.totp.verify({ secret: secret.base32, encoding: 'base32', token: token, window: 6, step: 60});

// returns {delta: -8}
speakeasy.totp.verifyDelta({ secret: secret.base32, encoding: 'base32', token: token, window: 15, step: 60});

Is that right? Is this the right way ensure that token is valid only 15 minutes from now?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@railsstudent @MacgyverMartins