Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/philnash/crotp
CrOTP - One Time Passwords for Crystal
https://github.com/philnash/crotp
2fa crystal hotp otp shard totp two-factor-authentication
Last synced: about 1 month ago
JSON representation
CrOTP - One Time Passwords for Crystal
- Host: GitHub
- URL: https://github.com/philnash/crotp
- Owner: philnash
- License: mit
- Created: 2017-01-07T18:32:57.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2023-09-22T17:58:53.000Z (about 1 year ago)
- Last Synced: 2024-10-25T15:36:55.696Z (about 2 months ago)
- Topics: 2fa, crystal, hotp, otp, shard, totp, two-factor-authentication
- Language: Crystal
- Size: 36.1 KB
- Stars: 63
- Watchers: 5
- Forks: 11
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-crystal - CrOTP - HOTP and TOTP implementation for two factor authentication (Algorithms and Data structures)
- awesome-crystal - CrOTP - HOTP and TOTP implementation for two factor authentication (Algorithms and Data structures)
README
# CrOTP
The Crystal One Time Password library. Use this to generate HOTP or TOTP codes for two factor authentication.
[![Build Status](https://github.com/philnash/crotp/workflows/Tests/badge.svg)](https://github.com/philnash/crotp/actions?query=workflow%3ATests)
## Table of Contents
* [Table of Contents](#table-of-contents)
* [Installation](#installation)
* [Usage](#usage)
* [HOTP](#hotp)
* [TOTP](#totp)
* [TOTP hashing algorithms](#totp-hashing-algorithms)
* [Authenticator applications](#authenticator-applications)
* [HOTP](#hotp-1)
* [TOTP](#totp-1)
* [Base 32 secret](#base-32-secret)
* [Todo](#todo)
* [Running the project locally](#running-the-project-locally)
* [Contributing](#contributing)
* [License](#license)
* [Contributors](#contributors)## Installation
Add this to your application's `shard.yml`:
```yaml
dependencies:
crotp:
github: philnash/crotp
```## Usage
### HOTP
```crystal
require "crotp"hotp = CrOTP::HOTP.new("secret")
counter = 1# Generate a token
token = hotp.generate(counter)
# => "533881"# Verify code
result = hotp.verify(token, counter)
# => true
```### TOTP
```crystal
require "crotp"totp = CrOTP::TOTP.new("secret")
# Generate a code at a specific time stamp (by default, #generate will make a
# code using Time.now)
token = totp.generate(at: 1484007247)
# => "020567"# Verify code at a specific time stamp
result = totp.verify(token, at: 1484007247)
# => true# Verify code at different time stamp, with allowed drift
result = totp.verify(token, at: 1484007299, allowed_drift: 1)
# => true# Verify code at different time stamp, outside allowed drift
result = totp.verify(token, at: 1484007300, allowed_drift: 1)
# => false
```#### TOTP hashing algorithms
According to [RFC 6238](https://tools.ietf.org/html/rfc6238) section 1.2:
> TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226](https://tools.ietf.org/html/rfc4226).
To use either SHA-256 or SHA-512 as the hashing function, initialise your `CrOTP::TOTP` object with the algorithm you want:
```crystal
require "crotp"totp = CrOTP::TOTP.new("secret", algorithm: OpenSSL::Algorithm::SHA512)
```_Note: [authenticator applications may ignore the algorithm parameter](https://github.com/google/google-authenticator/wiki/Key-Uri-Format#algorithm) when you encode your secret in a URL/QR code as below._
### Authenticator applications
To share secrets with an authenticator application, like [Authy](https://authy.com/) or Google Authenticator you need a URI that you can share as a QR code. The [implementation details for the URI are in the Google Authenticator wiki](https://github.com/google/google-authenticator/wiki/Key-Uri-Format).
Here is how you can get the URI and, in case your user can't scan the code, the base 32 representation of the secret.
#### HOTP
```crystal
# For HOTP you need the initial counter and an issuer
puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app")
# => otpauth://hotp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app# You can add a user account detail too, normally an email address or username, that shows up in the authenticator app
puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app", user: "[email protected]")
# => otpauth://hotp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app
```#### TOTP
```crystal
# For TOTP you only need an issuer
puts totp.authenticator_uri(issuer: "Test app")
# => otpauth://totp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app# You can add a user detail here too
puts totp.authenticator_uri(issuer: "Test app", user: "[email protected]")
# => otpauth://totp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app
```#### Base 32 secret
```crystal
puts hotp.base32_secret
# => ONSWG4TFOQputs totp.base32_secret
# => ONSWG4TFOQ
```You can see and run these examples and more in `example/crotp.cr`.
## Todo
- [x] Basic HOTP and TOTP generation and verification
- [x] Rewrite `int_to_bytes` and extract from `CrOTP::OTP`
- [x] Verifying a token over a window of counters/time
- [x] Google Authenticator otpauth URI generation
- [x] Ability to choose algorithm (currently only sha1)
- [ ] Ability to choose size of period in TOTP
- [ ] Example application using Kemal
- [ ] Much more documentation## Running the project locally
First clone the project:
```bash
git clone https://github.com/philnash/crotp.git
cd crotp
```Run the tests with:
```bash
crystal spec
```## Contributing
1. Fork it ( https://github.com/philnash/crotp/fork )
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Add some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create a new Pull Request## License
This code is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
## Contributors
- [philnash](https://github.com/philnash) Phil Nash - creator, maintainer
- [benoist](https://github.com/benoist) Benoist Claassen
- [Xosmond](https://github.com/Xosmond) Jordano Moscoso