generateUrl function produces an invalid otpauth url "algorithm" parameter when attempting to scan into Google Authenticator #292

@TJSTONE99

Hi,

Upon using the library I have noticed that the otpauth url produced by the generateUrl function causes issues when scanned by Google Authenticator. I believe this is because the algorithm parameter appended to the otpauth url string does not fit the specification for Google's otpauth URL.

Currently TotpConfig has an algo typed property supporting 'sha1', 'sha256' & 'sha512', all lowercase. However, I believe Google Authenticator expects these to be capitalised when presented in the otpauth url within the algorithm parameter. This is suggested in the documentation here

Here is the defined type:
type Algorithms = "sha1" | "sha256" | "sha512";

Code that produces the invalid otpauth url:

const tokenConfig = time2fa.generateConfig({
    algo: 'sha256', // notice lowercase
    digits: 6,
    period: 60,
    secretSize: 10
})

const url = time2fa.generateUrl({ secret: 'S5V43NFEQPKEH3C4', issuer: 'exampleissuer', user: 'example@example.com'}, tokenConfig)

This produces an otpauth like this:
otpauth://totp/exampleissuer:example%4example.com?issuer=exampleissuer&period=60&secret=S5V43NFEQPKEH3C4&algorithm=sha256
This causes the Google Authenticator app to fail scanning the QR code, showing the "Can't scan this QR code" message.

Code that produces valid otpauth url:

const tokenConfig = time2fa.generateConfig({
    algo: 'SHA256', // notice capitalised even though unsupported in terms of the type
    digits: 6,
    period: 60,
    secretSize: 10
})

const url = time2fa.generateUrl({ secret: 'S5V43NFEQPKEH3C4', issuer: 'exampleissuer', user: 'example@example.com'}, tokenConfig)

This produces an otpauth like this:
otpauth://totp/exampleissuer:example%4example.com?issuer=exampleissuer&period=60&secret=S5V43NFEQPKEH3C4&algorithm=SHA256
This scans correctly in Google Authenticator.

Therefore, I think you need to update your type "Algorithms" with the capitalised version or need to convert config.algo toUpperCase() when setting as a url param within generateUrl function.

Here:

if (config.algo !== DEFAULT_TOTP_ALGO) {
  params.set("algorithm", config.algo);
}
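An added example, not part of the original issue and not time2fa's own code: one way to normalise the algorithm name when building the URL, plus a lint check a test suite can run over generated URLs before they are turned into QR codes. The names `toUriAlgorithm`, `buildOtpauthUrl` and `lintOtpauthUrl` are hypothetical, the uppercase spellings are the ones the issue reports as scanning correctly, and the secret is the sample value from the issue.

```javascript
// Hypothetical helpers for illustration; not part of time2fa.
// Spellings accepted in the otpauth "algorithm" parameter (uppercase).
const ALLOWED_ALGORITHMS = ["SHA1", "SHA256", "SHA512"];

// Map a library-style name ("sha256") to the URI spelling ("SHA256").
// Anything outside the allow-list is rejected rather than passed through.
function toUriAlgorithm(algo) {
  const upper = String(algo).toUpperCase();
  if (!ALLOWED_ALGORITHMS.includes(upper)) {
    throw new RangeError(`unsupported TOTP algorithm: ${algo}`);
  }
  return upper;
}

// Build an otpauth URL with the algorithm normalised at the URL boundary,
// so the lowercase config type can stay unchanged.
function buildOtpauthUrl({ issuer, user, secret }, { algo, digits, period }) {
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(user)}`;
  const params = new URLSearchParams({ issuer, secret });
  params.set("algorithm", toUriAlgorithm(algo));
  params.set("digits", String(digits));
  params.set("period", String(period));
  return `otpauth://totp/${label}?${params.toString()}`;
}

// Return a list of problems found in an otpauth URL (empty list = clean).
// The comparison is case-sensitive on purpose: "sha256" is reported.
function lintOtpauthUrl(url) {
  const problems = [];
  const parsed = new URL(url);
  if (parsed.protocol !== "otpauth:") {
    problems.push(`unexpected scheme "${parsed.protocol}"`);
  }
  const algorithm = parsed.searchParams.get("algorithm");
  if (algorithm !== null && !ALLOWED_ALGORITHMS.includes(algorithm)) {
    problems.push(
      `algorithm "${algorithm}" is not one of ${ALLOWED_ALGORITHMS.join(", ")}`
    );
  }
  return problems;
}
```

Running `lintOtpauthUrl` over the output of the URL generator in a unit test catches a lowercase `algorithm` value before a user hits the scan failure during 2FA enrolment.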
