
generateUrl function produces an invalid otpauth url "algorithm" parameter when attempting to scan into Google Authenticator #292

Open
TJSTONE99 opened this issue Apr 4, 2024 · 0 comments

Comments

@TJSTONE99

TJSTONE99 commented Apr 4, 2024

Hi,

Upon using the library I have noticed that the otpauth url produced by the generateUrl function causes issues when scanned by Google Authenticator. I believe this is because the algorithm parameter appended to the otpauth url string does not fit the specification for Google's otpauth URL.

Currently TotpConfig has an algo typed property supporting 'sha1', 'sha256' & 'sha512', all lowercase. However, I believe Google Authenticator expects these to be capitalised when presented in the otpauth url within the algorithm parameter. This is suggested in the documentation here.

Here is the defined type:
type Algorithms = "sha1" | "sha256" | "sha512";

Code that produces the invalid otpauth url:

const tokenConfig = time2fa.generateConfig({
    algo: 'sha256', // notice lowercase
    digits: 6,
    period: 60,
    secretSize: 10
})

const url = time2fa.generateUrl({ secret: 'S5V43NFEQPKEH3C4', issuer: 'exampleissuer', user: 'example@example.com'}, tokenConfig)

This produces an otpauth like this:
otpauth://totp/exampleissuer:example%4example.com?issuer=exampleissuer&period=60&secret=S5V43NFEQPKEH3C4&algorithm=sha256
This causes the Google Authenticator app to fail to scan the QR code, showing "Can't scan this QR code".

Code that produces valid otpauth url:

const tokenConfig = time2fa.generateConfig({
    algo: 'SHA256', // notice capitalised even though unsupported in terms of the type
    digits: 6,
    period: 60,
    secretSize: 10
})

const url = time2fa.generateUrl({ secret: 'S5V43NFEQPKEH3C4', issuer: 'exampleissuer', user: 'example@example.com'}, tokenConfig)

This produces an otpauth like this:
otpauth://totp/exampleissuer:example%4example.com?issuer=exampleissuer&period=60&secret=S5V43NFEQPKEH3C4&algorithm=SHA256
This scans correctly in Google Authenticator.

Therefore, I think you need to update your type "Algorithms" with the capitalised version, or convert config.algo with toUpperCase() when setting it as a url param within the generateUrl function.

Here:

if (config.algo !== DEFAULT_TOTP_ALGO) {
  params.set("algorithm", config.algo);
}
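The following is an added example, not time2fa's own code and not part of the issue above. It shows a URL builder that normalises the algorithm name before emitting it, so that both 'sha256' and 'SHA256' in the config produce the upper-case `algorithm=SHA256` parameter Google Authenticator accepts, plus a small checker that flags the lower-case form the issue describes. The function names `buildOtpauthUrl` and `checkAlgorithmParam`, the `DEFAULT_TOTP_ALGO` value of `"sha1"`, and the config shape are assumptions modelled on the generateConfig/generateUrl calls in the report.

```javascript
// Added example (not time2fa's code). Assumed default algorithm, mirroring the
// DEFAULT_TOTP_ALGO comparison shown in the issue; "sha1" is the TOTP default.
const DEFAULT_TOTP_ALGO = "sha1";
const SUPPORTED_ALGOS = ["sha1", "sha256", "sha512"];

// Build an otpauth://totp URI. The algorithm is accepted in any case from the
// config, validated against the supported set, and always written upper-case
// in the query string (SHA1 / SHA256 / SHA512), which is what Google
// Authenticator expects.
function buildOtpauthUrl({ secret, issuer, user }, config) {
  const algo = String(config.algo).toLowerCase();
  if (!SUPPORTED_ALGOS.includes(algo)) {
    throw new Error(`unsupported algorithm: ${config.algo}`);
  }

  // Label is "issuer:account"; each half is percent-encoded so that the '@'
  // in an e-mail address becomes %40 rather than being left raw.
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(user)}`;

  const params = new URLSearchParams();
  params.set("issuer", issuer);
  params.set("period", String(config.period));
  params.set("secret", secret);
  if (config.digits !== 6) {
    params.set("digits", String(config.digits));
  }
  if (algo !== DEFAULT_TOTP_ALGO) {
    // Upper-case here is the fix the issue asks for.
    params.set("algorithm", algo.toUpperCase());
  }
  return `otpauth://totp/${label}?${params.toString()}`;
}

// Inspect an existing otpauth URL and report whether its algorithm parameter
// is in the form Google Authenticator accepts. An absent parameter means the
// default SHA1 and is fine; a lower-case value is reported as not ok.
function checkAlgorithmParam(url) {
  const algorithm = new URL(url).searchParams.get("algorithm");
  if (algorithm === null) {
    return { ok: true, algorithm: "SHA1" };
  }
  const ok = ["SHA1", "SHA256", "SHA512"].includes(algorithm);
  return { ok, algorithm };
}

// Constructed sample input, reusing the non-secret values from the issue.
const sampleAccount = {
  secret: "S5V43NFEQPKEH3C4",
  issuer: "exampleissuer",
  user: "example@example.com",
};
const sampleConfig = { algo: "sha256", digits: 6, period: 60 };

console.log(buildOtpauthUrl(sampleAccount, sampleConfig));
console.log(checkAlgorithmParam(buildOtpauthUrl(sampleAccount, sampleConfig)));
```

Normalising to lower-case for validation and to upper-case for output keeps the existing `Algorithms` type unchanged while making the emitted URL match the Key Uri Format; callers who already pass 'SHA256' (as in the second snippet above) get the same result.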