Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support validating OTP without a generated_at time and with a specified secret #3059

Merged
merged 2 commits into from
Aug 9, 2024
Merged

support validating OTP without a generated_at time and with a specified secret #3059

merged 2 commits into from
Aug 9, 2024

Conversation

alkesh
Copy link
Contributor

@alkesh alkesh commented Aug 6, 2024
edited
Loading

We need 2 changes to the OTP code for the EY magic link:

  • allow OTP code to be validated without having a generated_at time.
  • allow OTP codes to be generated and verified using a specified secret (because we now are verifying codes generated in a separate session)

@alkesh alkesh force-pushed the one-time-password-refactor branch from 4b46af8 to 3aa13dc Compare August 6, 2024 11:09
alkesh
alkesh commented Aug 6, 2024
View reviewed changes
lib/one_time_password/validator.rb
end

private

attr_reader :code, :generated_at

def wrong_length?
return @wrong_length if defined?(@wrong_length)

@wrong_length = code.gsub(/\D/, "").length != LENGTH
Copy link
Contributor Author

@alkesh alkesh Aug 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what this was ever doing - ignoring non-digits when checking for length doesn't seem useful.
e.g. code "1234A5B6" would have the correct length in this case, but would still not be a valid code (it still fails the ROTP:TOTP#verify)

@alkesh alkesh force-pushed the one-time-password-refactor branch from 3aa13dc to a5c7cfe Compare August 6, 2024 11:16
@alkesh alkesh closed this Aug 6, 2024
@alkesh alkesh reopened this Aug 6, 2024
kenfodder
kenfodder reviewed Aug 6, 2024
View reviewed changes
lib/one_time_password/validator.rb Outdated Show resolved Hide resolved
lib/one_time_password/validator.rb Outdated Show resolved Hide resolved
@alkesh alkesh force-pushed the one-time-password-refactor branch from a5c7cfe to 1126e06 Compare August 6, 2024 16:28
@alkesh alkesh changed the title support validating OTP without a generated_at time support validating OTP without a generated_at time and with a specified secret Aug 7, 2024
@alkesh alkesh force-pushed the one-time-password-refactor branch from c5a07b5 to 30200c9 Compare August 7, 2024 16:52
@alkesh alkesh requested review from kenfodder and asmega August 8, 2024 13:48
asmega
asmega reviewed Aug 8, 2024
View reviewed changes
spec/lib/one_time_password/validator_spec.rb
Comment on lines +6 to +7
let!(:one_time_passcode) { OneTimePassword::Generator.new.code }
let!(:generated_at) { Time.now }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not blocking but don't see why these can't be lazy ie let instead of let!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

because I have a spec that uses travel to move 20 minutes into the future, to test for passcode expiry.

@alkesh alkesh force-pushed the one-time-password-refactor branch from 30200c9 to a007cdf Compare August 8, 2024 15:59
@alkesh alkesh force-pushed the one-time-password-refactor branch from a007cdf to 65c5481 Compare August 9, 2024 08:00
@alkesh alkesh added the deploy Deploy a review app for this PR label Aug 9, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 9, 2024

Deployments

Journey URL
Additional Payments https://claim-additional-payments-for-teaching-review-3059-web.test.teacherservices.cloud/additional-payments/claim
Student Loans https://claim-additional-payments-for-teaching-review-3059-web.test.teacherservices.cloud/student-loans/claim
Further Education https://claim-additional-payments-for-teaching-review-3059-web.test.teacherservices.cloud/further-education-payments/landing-page
Early Years Payment https://claim-additional-payments-for-teaching-review-3059-web.test.teacherservices.cloud/early-years-payment-provider/landing-page
Relocation Payments https://claim-additional-payments-for-teaching-review-3059-web.test.teacherservices.cloud/get-a-teacher-relocation-payment/landing-page
Admin https://claim-additional-payments-for-teaching-review-3059-web.test.teacherservices.cloud/admin

@alkesh alkesh merged commit 4a47f14 into master Aug 9, 2024
17 checks passed
@alkesh alkesh deleted the one-time-password-refactor branch August 9, 2024 08:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asmega asmega asmega approved these changes

@kenfodder kenfodder Awaiting requested review from kenfodder

Assignees
No one assigned
Labels
deploy Deploy a review app for this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alkesh @kenfodder @asmega