otp 2.2.1

  • Readme
  • Changelog
  • Example
  • Installing
  • 93

Build Status

dart-otp #

RFC4226/RFC6238 One-Time Password / Google Authenticator Library

Features:

Getting Started #

Pubspec #

pub.dartlang.org: (you can use 'any' instead of a version if you just want the latest always)

dependencies:
  otp: 2.2.1
import 'package:otp/otp.dart';

Start generating tokens.

// Generate TOTP code. (String versin of function incase of leading 0)
OTP.generateTOTPCodeString("JBSWY3DPEHPK3PXP", 1362302550000); // -> '637305'

// Generate HOTP Code.
OTP.generateHOTPCodeString("JBSWY3DPEHPK3PXP", 7); // -> '346239'

API #

Notes #

This library does not support any other secret input other than Base32. It is what is used standard most places, and by Google Authenticator. If your secrets are not Base32 forms, please use my Base32 library (the one I use as a dependency for this library) or any other base32 library to encode your secret before passing it into the functions. All generate functions force decode of Base32.

Global Settings #

useTOTPPaddingForHOTP (bool, default: false) Uses the TOTP padding method for handling secrets bigger or smaller than the mandatory sizes for SHA256/SHA512. This is needed as HOTP does not have an official method of using SHA256 or SHA512 in the RFC spec and most libraries don't pad HOTP for use with SHA256 or SHA512. (examples: otplib and speakeasy from Node.js)

If you enable this, it will use the same padding as TOTP (repeating the secret to the right length) but might cause incompatibilies with other libraries. I am defaulting to no padding, as this is the predominant behavior I am finding for HOTP.

OTP.generateTOTPCode(String secret, int currentTime, {int length: 6, int interval: 30, Algorithm algorithm: Algorithm.SHA1, bool isGoogle: true}) #

Generate a code for the provided secret and time.

  • secret - (String) A Base32 String.
  • currentTime - (int) The current time in milliseconds.
  • length - (int) The length of the resulting code.
  • interval - (int) Refresh interval to get a new code.
  • algorithm - (Algorithm) Hashing method.
  • isGoogle - (bool) flag to turn off secret padding for Google Auth.

Returns an int code. Does not preserve leading zeros.

OTP.generateTOTPCodeString(String secret, int currentTime, {int length: 6, int interval: 30, Algorithm algorithm: Algorithm.SHA1, bool isGoogle: true}) #

Generate a code for the provided secret and time.

  • secret - (String) A Base32 String.
  • currentTime - (int) The current time in milliseconds.
  • length - (int) The length of the resulting code.
  • interval - (int) Refresh interval to get a new code.
  • algorithm - (Algorithm) Hashing method.
  • isGoogle - (bool) flag to turn off secret padding for Google Auth.

Returns an String code. Preserves leading zeros.

OTP.generateHOTPCode(String secret, int counter, {int length: 6}) #

Generate a code for the provided secret and time.

  • secret - (String) A Base32 String.
  • counter - (int) An int counter.
  • length - (int) the length of the resulting code.

Returns an int code. Does not preserve leading zeros

OTP.generateHOTPCodeString(String secret, int counter, {int length: 6}) #

Generate a code for the provided secret and time.

  • secret - (String) A Base32 String.
  • counter - (int) An int counter.
  • length - (int) the length of the resulting code.

Returns an String code. Preserves leading zeros

OTP.constantTimeVerification(final String code, final String othercode) #

!DISCLAIMER! I can only get this to be within 1 millisecond between different codes and same codes. I have yet to get them to be equal. but 1 millisecond should be an OK room for error though.

Compares 2 codes in constant time to minimize risk of timing attacks.

  • code - (String) A Base32 String.
  • othercode - (String) A Base32 String.

Returns an bool if they match or not.

Testing #

pub run test

Release notes #

See CHANGELOG.md

Changelog #

v2.2.1

  • Correctly use Google Auth flag (isGoogle) to disable padding.

v2.2.0

  • Add Google Auth flag, because they do SHA1 TOTP without Padding the secret.
  • Reverting _int2bytes function back to old implementation, as the new on uses int64 which breaks flutter web and dart2js as it doesn't have support for Int64.

v2.1.0

  • Fix secret paddding to follow proper TOTP secret padding and sizing for SHA256, SHA512
  • Remove RFC unsupported hashes. SHA224 and SHA384 are no longer supported.
  • Show warning when using anything other than SHA1, as the RFC doesn't support it so I have found that libraries don't pad correctly for HOTP.
  • At the same time, SHA1 is now again the HOTP default.
  • Add optional TOTP style paddding for HOTP when using SHA256 and SHA512.
  • Force version 1.1.1 of Base32 library, as that was a major bug fix release that improved Base32 support.
  • Add documentation and additional information on how to use this library.

v2.0.3

  • Fix type error at runtime for RandomSecret generation. MR #14 (thanks readytopark)

v2.0.2

  • Switch to crypto lib inplace of PointyCastle for HMAC

v2.0.1, v2.0.0

  • Formatting
  • No changes from rc1, accepting the 1-3 second timing difference between constant time code checks until someone can help me figure out how to make it match.

v2.0.0-rc1

  • BREAKING CHANGE Switched default hashing algorithm to SHA256 from SHA1
  • Add constant time verification function to avoid timing attacks on code comparison.
  • Add String return variant of code generation.

v1.0.3

  • Switched to PointyCastle for crypto and support for more than SHA1 hashing for tokens (amadejkastelic)

v1.0.2

  • Add new TOTP interval parameters (optional)

v1.0.1

  • Cleanup and remove dead code

v1.0.0

  • Dart 2.0 updates

v0.1.0

  • Dart 1.0 Readiness

v0.0.4

  • Fixing crypto library.

v0.0.3

  • Fixing language changes.

v0.0.2

  • No functionality changes, just fixing a bad file state it git and in the package involving the case of the file.

v0.0.1

  • Initial Documented Release

example/example.dart

import 'package:otp/otp.dart';

void main() {
  var code = OTP.generateTOTPCodeString('JBSWY3DPEHPK3PXP', DateTime.now().millisecondsSinceEpoch);
  print(code);

  var code2 = OTP.generateTOTPCodeString('JBSWY3DPEHPK3PXP', DateTime.now().millisecondsSinceEpoch, interval: 10);
  print(code2);

  var code3 = OTP.generateTOTPCodeString('JBSWY3DPEHPK3PXP', DateTime.now().millisecondsSinceEpoch, interval: 20, algorithm: Algorithm.SHA512);
  print(code3);

  var code4 = OTP.generateHOTPCodeString('OBRWE5CEFNFWQQJRMZRGM4LZMZIGKKZU', 1);
  print(code4);

  var code5 = OTP.generateTOTPCodeString('JBSWY3DPEHPK3PXP', 1362302550000);
  print(code5);
}

Use this package as a library

1. Depend on it

Add this to your package's pubspec.yaml file:


dependencies:
  otp: ^2.2.1

2. Install it

You can install packages from the command line:

with pub:


$ pub get

with Flutter:


$ flutter pub get

Alternatively, your editor might support pub get or flutter pub get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:


import 'package:otp/otp.dart';
  
Popularity:
Describes how popular the package is relative to other packages. [more]
86
Health:
Code health derived from static analysis. [more]
100
Maintenance:
Reflects how tidy and up-to-date the package is. [more]
100
Overall:
Weighted score of the above. [more]
93
Learn more about scoring.

We analyzed this package on Jun 4, 2020, and provided a score, details, and suggestions below. Analysis was completed with status completed using:

  • Dart: 2.8.2
  • pana: 0.13.8-dev

Health suggestions

Format lib/otp.dart.

Run dartfmt to format lib/otp.dart.

Dependencies

Package Constraint Resolved Available
Direct dependencies
Dart SDK >=2.0.0 <3.0.0
base32 >=1.1.1 <2.0.0 1.1.1
convert >=2.0.0 <3.0.0 2.1.1
crypto >=2.1.3 <3.0.0 2.1.5
quick_log >=0.4.0 <1.0.0 0.4.1
Transitive dependencies
charcode 1.1.3
collection 1.14.12
path 1.7.0
rxdart 0.24.1
typed_data 1.1.6
Dev dependencies
pedantic ^1.0.0
test any