QRCoder
OneTimePassword payload doesn't seem to respect Algorithm, Digits, or Period
I'm a bit confused, but it seems that when the OneTimePassword payload is created and the AuthAlgorithm is set to OneTimePasswordAuthAlgorithm.SHA256, this doesn't seem to actually get read in by any part of the library. The code generator application (in this case, the well-known Yubico Authenticator) sees the QR code as an SHA1-encoded secret.
Is this supposed to work?
Testing details:
I tested both the Otp.NET project URI implementation, and the QRCoder project URI implementation:
Code to generate URIs:
    using System;
    using OtpNet;                            // Otp.NET: OtpUri, OtpType, OtpHashMode, Base32Encoding
    using static QRCoder.PayloadGenerator;   // QRCoder: OneTimePassword payload

    public static Tuple<string, string> GenerateQRUrl(byte[] secret)
    {
        // Use the Otp.NET Base32Encoding class to generate a Base32-encoded secret
        string base32Secret = Base32Encoding.ToString(secret);

        // Test URI generation from the Otp.NET implementation:
        string test1 = new OtpUri(schema: OtpType.Totp, secret: base32Secret, user: "LABEL", issuer: "ISSUER", algorithm: OtpHashMode.Sha256, digits: 6, period: 30, counter: 0).ToString();

        // Test URI generation from the QRCoder implementation:
        OneTimePassword generator = new OneTimePassword()
        {
            Type = OneTimePassword.OneTimePasswordAuthType.TOTP,
            AuthAlgorithm = OneTimePassword.OneTimePasswordAuthAlgorithm.SHA256,
            Secret = base32Secret,
            Issuer = "ISSUER",
            Label = "LABEL",
            Digits = 6,
            Period = 30
        };
        string test2 = generator.ToString();

        return new Tuple<string, string>(test1, test2);
    }
MSTest code:
    private readonly byte[] _secret = { 79, 228, 194, 206, 22, 106, 240, 186, 148, 147, 125, 28, 78, 227, 20, 220, 229, 172, 44, 44, 202, 147, 69, 188, 25, 247, 28, 98, 175, 138, 134, 252 };

    [TestMethod]
    public void MultiFactorTOTP_TestUriGeneration()
    {
        DateTime timeStampUtc = DateTime.UtcNow;
        DateTime timeStamp = DateTime.Now;
        Tuple<string, string> urlCompare = MultiFactorTOTP.GenerateQRUrl(_secret);
        _testContext?.WriteLine($"{nameof(MultiFactorTOTP_Tests)} MultiFactorTOTP_TestUriGeneration(): Otp.NET: \"{urlCompare.Item1}\"");
        _testContext?.WriteLine($"{nameof(MultiFactorTOTP_Tests)} MultiFactorTOTP_TestUriGeneration(): QRCoder: \"{urlCompare.Item2}\"");
    }
Results:
TestContext Messages:
    MultiFactorTOTP_Tests ClassInitialize()
    MultiFactorTOTP_Tests MultiFactorTOTP_TestUriGeneration(): Otp.NET: "otpauth://totp/ISSUER:LABEL?secret=J7SMFTQWNLYLVFETPUOE5YYU3TS2YLBMZKJULPAZ64OGFL4KQ36A&issuer=ISSUER&algorithm=SHA256&digits=6&period=30"
    MultiFactorTOTP_Tests MultiFactorTOTP_TestUriGeneration(): QRCoder: "otpauth://totp/ISSUER:LABEL?secret=J7SMFTQWNLYLVFETPUOE5YYU3TS2YLBMZKJULPAZ64OGFL4KQ36A====&issuer=ISSUER"
As you can see, the Otp.NET output is correct, and the QRCoder output lacks a lot of data.
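The mismatch reported above can be caught before a QR code reaches a user by resolving what an authenticator will actually use for a given `otpauth://` URI. The following is an added example, not code from the issue, QRCoder or Otp.NET; `OtpAuthUriCheck` and `EffectiveSettings` are hypothetical names, and the defaults (SHA1, 6 digits, 30 seconds) are those of the Key URI Format that authenticator apps apply when a parameter is absent.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper, not part of QRCoder or Otp.NET.
public static class OtpAuthUriCheck
{
    // Values an authenticator assumes when the otpauth:// URI omits the parameter.
    private static readonly Dictionary<string, string> Defaults = new Dictionary<string, string>
    {
        ["algorithm"] = "SHA1", ["digits"] = "6", ["period"] = "30"
    };

    // Returns the settings the scanning app will use; 'defaulted' lists those absent from the URI.
    public static Dictionary<string, string> EffectiveSettings(string otpAuthUri, out List<string> defaulted)
    {
        var uri = new Uri(otpAuthUri);
        if (uri.Scheme != "otpauth") throw new ArgumentException("not an otpauth URI");
        var present = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var pair in uri.Query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Split(new[] { '=' }, 2); // limit 2 keeps Base32 '=' padding in the value
            present[Uri.UnescapeDataString(kv[0])] = kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "";
        }
        defaulted = new List<string>();
        var effective = new Dictionary<string, string>();
        foreach (var d in Defaults)
        {
            if (present.TryGetValue(d.Key, out var value) && value.Length > 0)
                effective[d.Key] = value.ToUpperInvariant();
            else { effective[d.Key] = d.Value; defaulted.Add(d.Key); }
        }
        return effective;
    }

    public static void Main()
    {
        // Settings passed to both generators in the report.
        var intended = new Dictionary<string, string> { ["algorithm"] = "SHA256", ["digits"] = "6", ["period"] = "30" };
        var uris = new Dictionary<string, string> // the two URIs from the test output above
        {
            ["Otp.NET"] = "otpauth://totp/ISSUER:LABEL?secret=J7SMFTQWNLYLVFETPUOE5YYU3TS2YLBMZKJULPAZ64OGFL4KQ36A&issuer=ISSUER&algorithm=SHA256&digits=6&period=30",
            ["QRCoder"] = "otpauth://totp/ISSUER:LABEL?secret=J7SMFTQWNLYLVFETPUOE5YYU3TS2YLBMZKJULPAZ64OGFL4KQ36A====&issuer=ISSUER",
        };
        foreach (var u in uris)
        {
            var effective = EffectiveSettings(u.Value, out var defaulted);
            foreach (var want in intended)
                if (effective[want.Key] != want.Value)
                    Console.WriteLine($"{u.Key}: {want.Key} intended {want.Value}, authenticator will use {effective[want.Key]}");
            Console.WriteLine($"{u.Key}: absent from URI: {(defaulted.Count == 0 ? "none" : string.Join(", ", defaulted))}");
        }
    }
}
```

The same comparison can be turned into MSTest assertions so that a URI silently falling back to defaults fails the build instead of producing codes the verifier rejects.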