Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/philnash/crotp

CrOTP - One Time Passwords for Crystal
https://github.com/philnash/crotp

2fa crystal hotp otp shard totp two-factor-authentication

Last synced: 2 months ago
JSON representation

CrOTP - One Time Passwords for Crystal

Lists

README 

        
# CrOTP



The Crystal One Time Password library. Use this to generate HOTP or TOTP codes for two factor authentication.



[![Build Status](https://github.com/philnash/crotp/workflows/Tests/badge.svg)](https://github.com/philnash/crotp/actions?query=workflow%3ATests)



## Table of Contents



* [Table of Contents](#table-of-contents)

* [Installation](#installation)

* [Usage](#usage)

  * [HOTP](#hotp)

  * [TOTP](#totp)

    * [TOTP hashing algorithms](#totp-hashing-algorithms)

  * [Authenticator applications](#authenticator-applications)

    * [HOTP](#hotp-1)

    * [TOTP](#totp-1)

    * [Base 32 secret](#base-32-secret)

* [Todo](#todo)

* [Running the project locally](#running-the-project-locally)

* [Contributing](#contributing)

* [License](#license)

* [Contributors](#contributors)



## Installation



Add this to your application's `shard.yml`:



```yaml

dependencies:

  crotp:

    github: philnash/crotp

```



## Usage



### HOTP



```crystal

require "crotp"



hotp = CrOTP::HOTP.new("secret")

counter = 1



# Generate a token

token = hotp.generate(counter)

# => "533881"



# Verify code

result = hotp.verify(token, counter)

# => true

```



### TOTP



```crystal

require "crotp"



totp = CrOTP::TOTP.new("secret")



# Generate a code at a specific time stamp (by default, #generate will make a

# code using Time.now)

token = totp.generate(at: 1484007247)

# => "020567"



# Verify code at a specific time stamp

result = totp.verify(token, at: 1484007247)

# => true



# Verify code at different time stamp, with allowed drift

result = totp.verify(token, at: 1484007299, allowed_drift: 1)

# => true



# Verify code at different time stamp, outside allowed drift

result = totp.verify(token, at: 1484007300, allowed_drift: 1)

# => false

```



#### TOTP hashing algorithms



According to [RFC 6238](https://tools.ietf.org/html/rfc6238) section 1.2:



> TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226](https://tools.ietf.org/html/rfc4226).



To use either SHA-256 or SHA-512 as the hashing function, initialise your `CrOTP::TOTP` object with the algorithm you want:



```crystal

require "crotp"



totp = CrOTP::TOTP.new("secret", algorithm: OpenSSL::Algorithm::SHA512)

```



_Note: [authenticator applications may ignore the algorithm parameter](https://github.com/google/google-authenticator/wiki/Key-Uri-Format#algorithm) when you encode your secret in a URL/QR code as below._



### Authenticator applications



To share secrets with an authenticator application, like [Authy](https://authy.com/) or Google Authenticator you need a URI that you can share as a QR code. The [implementation details for the URI are in the Google Authenticator wiki](https://github.com/google/google-authenticator/wiki/Key-Uri-Format).



Here is how you can get the URI and, in case your user can't scan the code, the base 32 representation of the secret.



#### HOTP



```crystal

# For HOTP you need the initial counter and an issuer

puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app")

# => otpauth://hotp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app



# You can add a user account detail too, normally an email address or username, that shows up in the authenticator app

puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app", user: "[email protected]")

# => otpauth://hotp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app

```



#### TOTP



```crystal

# For TOTP you only need an issuer

puts totp.authenticator_uri(issuer: "Test app")

# => otpauth://totp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app



# You can add a user detail here too

puts totp.authenticator_uri(issuer: "Test app", user: "[email protected]")

# => otpauth://totp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app

```



#### Base 32 secret



```crystal

puts hotp.base32_secret

# => ONSWG4TFOQ



puts totp.base32_secret

# => ONSWG4TFOQ

```



You can see and run these examples and more in `example/crotp.cr`.



## Todo



- [x] Basic HOTP and TOTP generation and verification

- [x] Rewrite `int_to_bytes` and extract from `CrOTP::OTP`

- [x] Verifying a token over a window of counters/time

- [x] Google Authenticator otpauth URI generation

- [x] Ability to choose algorithm (currently only sha1)

- [ ] Ability to choose size of period in TOTP

- [ ] Example application using Kemal

- [ ] Much more documentation



## Running the project locally



First clone the project:



```bash

git clone https://github.com/philnash/crotp.git

cd crotp

```



Run the tests with:



```bash

crystal spec

```



## Contributing



1. Fork it ( https://github.com/philnash/crotp/fork )

2. Create your feature branch (git checkout -b my-new-feature)

3. Commit your changes (git commit -am 'Add some feature')

4. Push to the branch (git push origin my-new-feature)

5. Create a new Pull Request



## License



This code is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).



## Contributors



- [philnash](https://github.com/philnash) Phil Nash - creator, maintainer

- [benoist](https://github.com/benoist) Benoist Claassen

- [Xosmond](https://github.com/Xosmond) Jordano Moscoso