generateUrl function produces an invalid otpauth url "algorithm" parameter when attempting to scan into Google Authenticator

Open TJSTONE99 opened this issue 1 year ago • 0 comments

Hi,

Upon using the library I have noticed that the otpauth url produced by the generateUrl function causes issues when scanned by Google Authenticator. I believe this is because the algorithm parameter appended to the otpauth url string does not fit the specification for Google's otpauth URL.

Currently TotpConfig has an algo typed property supporting 'sha1', 'sha256' & 'sha512', all lowercase. However, I believe Google Authenticator expects these to be capitalised when presented in the otpauth url within the algorithm parameter. This is suggested in the documentation here.

Here is the defined type: type Algorithms = "sha1" | "sha256" | "sha512";

Code that produces the invalid otpauth url:

const tokenConfig = time2fa.generateConfig({
    algo: 'sha256', // notice lowercase
    digits: 6,
    period: 60,
    secretSize: 10
})

const url = time2fa.generateUrl({ secret: 'S5V43NFEQPKEH3C4', issuer: 'exampleissuer', user: 'example@example.com'}, tokenConfig)

This produces an otpauth url like this:

otpauth://totp/exampleissuer:example%4example.com?issuer=exampleissuer&period=60&secret=S5V43NFEQPKEH3C4&algorithm=sha256

This causes the Google Authenticator app to fail scanning the QR code, showing "Can't scan this QR code".

Code that produces valid otpauth url:

const tokenConfig = time2fa.generateConfig({
    algo: 'SHA256', // notice capitalised even though unsupported in terms of the type
    digits: 6,
    period: 60,
    secretSize: 10
})

const url = time2fa.generateUrl({ secret: 'S5V43NFEQPKEH3C4', issuer: 'exampleissuer', user: 'example@example.com'}, tokenConfig)

This produces an otpauth url like this:

otpauth://totp/exampleissuer:example%4example.com?issuer=exampleissuer&period=60&secret=S5V43NFEQPKEH3C4&algorithm=SHA256

This scans correctly in Google Authenticator.

Therefore, I think you need to update your type "Algorithms" with the capitalised version or need to convert config.algo toUpperCase() when setting as a url param within generateUrl function.

Here:

if (config.algo !== DEFAULT_TOTP_ALGO) {
  params.set("algorithm", config.algo);
}

TJSTONE99, Apr 04 '24 20:04
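
An added example (not time2fa's code and not written by the issue author): a stand-alone sketch of the second fix proposed above, upper-casing the algorithm before it is written into the otpauth URL, together with a lint check for URLs that have already been generated. The function names `buildTotpUrl` and `lintOtpauthUrl`, the defaults and the sample values are assumptions; the accepted values SHA1, SHA256 and SHA512 are the ones listed in the Google Authenticator Key URI format.

```javascript
// Added example: not time2fa code. Names and defaults here are assumptions.
const KEY_URI_ALGORITHMS = new Set(["SHA1", "SHA256", "SHA512"]);

// Build a TOTP otpauth URL, upper-casing the algorithm before it is emitted.
function buildTotpUrl({ issuer, user, secret }, { algo = "sha1", digits = 6, period = 30 } = {}) {
  const algorithm = String(algo).toUpperCase();
  if (!KEY_URI_ALGORITHMS.has(algorithm)) {
    throw new RangeError(`unsupported algorithm: ${algo}`);
  }
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(user)}`;
  const params = new URLSearchParams({ issuer, secret });
  // Omit parameters that equal the Key URI defaults (SHA1, 6 digits, 30 s).
  if (algorithm !== "SHA1") params.set("algorithm", algorithm);
  if (digits !== 6) params.set("digits", String(digits));
  if (period !== 30) params.set("period", String(period));
  return `otpauth://totp/${label}?${params}`;
}

// Check an already-generated URL; returns a list of problems (empty means OK).
function lintOtpauthUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return ["not a parseable URL"];
  }
  const problems = [];
  if (parsed.protocol !== "otpauth:") problems.push("scheme is not otpauth");
  if (!parsed.searchParams.get("secret")) problems.push("missing secret");
  const algorithm = parsed.searchParams.get("algorithm");
  if (algorithm !== null && !KEY_URI_ALGORITHMS.has(algorithm)) {
    problems.push(`algorithm "${algorithm}" is not SHA1, SHA256 or SHA512`);
  }
  return problems;
}

// Constructed sample values, mirroring the configuration in the report.
const account = { issuer: "exampleissuer", user: "example@example.com", secret: "S5V43NFEQPKEH3C4" };
const fixedUrl = buildTotpUrl(account, { algo: "sha256", digits: 6, period: 60 });
console.log(fixedUrl, lintOtpauthUrl(fixedUrl));
console.log(lintOtpauthUrl(fixedUrl.replace("algorithm=SHA256", "algorithm=sha256")));
```

Running `lintOtpauthUrl` over enrollment URLs in a test suite catches a lowercase `algorithm` value before a QR code reaches users.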