specify period limit

[SebSept]

verifyCode() always fails when TwoFactorAuth() is constructed with a too high value.

For example with 60 seconds it fails.

Maybe you can document this or generate an error while constructing the TwoFactorAuth().

[willpower232]

are you able to provide an example of a value that doesn't work?

I'm blind

[NicolasCARPi]

I cannot see/understand the issue. Please look at this code:

https://gist.github.com/NicolasCARPi/8cab158ecbcf469d0974c101b764ba60

@SebSept where is the issue? Could you please provide a code sample actually showing what you are talking about?

[SebSept]

I didn't have a look at the tests. I'll try to make some tests fail.

$tfa = new TwoFactorAuth(
                new BaconQrCodeProvider(4, '#ffffff', '#000000', 'svg'),
                $this->getIssuer(),
                self::CODE_LENGTH_DIGITS,
                6000, // <- here is the value that causes problems, 30 is ok.
                Algorithm::from('sha1')
            );

$tfa->verifyCode($secret, $user_input_code, 0); // verifyCode() always returns false with $tfa periode set to 6000

with valid data, if period == 30 : everything is fine, with 6000, verifyCode() always returns false .

[NicolasCARPi]

What is self::CODE_LENGTH_DIGITS in your context? It's useless to post code that is not reproducible outside your own context.

Also, why are you setting the discrepency to 0 in verifyCode(). Does it work without this parameter?

[SebSept]

Sure, it was just to provide info before investigating.

60 is correct. but setting 6000 make it always fails.

[SebSept]

code to reproduce :

$secret = 'OaL23YV2VST9vMtru8WE22V35ef7cDMvC9Py39jn1DlDH9bg3pPfokVll6aK8Xvg\/l5fdweGwthq6GRjX6SHMCUhUvtbW75g';

$tfa = new TwoFactorAuth(
                new BaconQrCodeProvider(4, '#ffffff', '#000000', 'svg'),
                'issuer',
                6,
                6000,
                Algorithm::from('sha1')
            );

$tfa->verifyCode($secret, $user_input_code, 0);

Setting discrepency to 1, doesn't solve the problem. Why shouldn't it be set to 0 ?

(I cannot run tests, socket_create() is missing on my install)

[NicolasCARPi]

Why would you use this secret? It needs to be base32. Use getSecret().

If you run this code:

$secret = 'OaL23YV2VST9vMtru8WE22V35ef7cDMvC9Py39jn1DlDH9bg3pPfokVll6aK8Xvg\/l5fdweGwthq6GRjX6SHMCUhUvtbW75g';

$tfa = new TwoFactorAuth(
                new QRServerProvider(),
                'issuer',
                6,
                6000,
            );      
                    
$code = $tfa->getCode($secret);
var_dump($tfa->verifyCode($secret, $code, 0));  

You get: PHP Fatal error: Uncaught RobThree\Auth\TwoFactorAuthException: Invalid base32 string

You can't just provide a random secret of your choosing.