keeweb/app/scripts/util/data/otp.js

import { Logger } from 'util/logger';

const logger = new Logger('otp');

const Otp = function(url, params) {
    if (['hotp', 'totp'].indexOf(params.type) < 0) {
        throw 'Bad type: ' + params.type;
    }
    if (!params.secret) {
        throw 'Empty secret';
    }
    if (params.algorithm && ['SHA1', 'SHA256', 'SHA512'].indexOf(params.algorithm) < 0) {
        throw 'Bad algorithm: ' + params.algorithm;
    }
    if (params.digits && ['6', '7', '8'].indexOf(params.digits) < 0) {
        throw 'Bad digits: ' + params.digits;
    }
    if (params.type === 'hotp' && !params.counter) {
        throw 'Bad counter: ' + params.counter;
    }
    if ((params.period && isNaN(params.period)) || params.period < 1) {
        throw 'Bad period: ' + params.period;
    }

    this.url = url;

    this.type = params.type;
    this.issuer = params.issuer;
    this.account = params.account;
    this.secret = params.secret;
    this.issuer = params.issuer;
    this.algorithm = params.algorithm ? params.algorithm.toUpperCase() : 'SHA1';
    this.digits = params.digits ? +params.digits : 6;
    this.counter = params.counter;
    this.period = params.period ? +params.period : 30;

    this.key = Otp.fromBase32(this.secret);
    if (!this.key) {
        throw 'Bad key: ' + this.key;
    }
};

Otp.prototype.next = function(callback) {
    let valueForHashing;
    let timeLeft;
    if (this.type === 'totp') {
        const now = Date.now();
        const epoch = Math.round(now / 1000);
        valueForHashing = Math.floor(epoch / this.period);
        const msPeriod = this.period * 1000;
        timeLeft = msPeriod - (now % msPeriod);
    } else {
        valueForHashing = this.counter;
    }
    const data = new Uint8Array(8).buffer;
    new DataView(data).setUint32(4, valueForHashing);
    this.hmac(data, (sig, err) => {
        if (!sig) {
            logger.error('OTP calculation error', err);
            return callback();
        }
        sig = new DataView(sig);
        const offset = sig.getInt8(sig.byteLength - 1) & 0xf;
        let pass = (sig.getUint32(offset) & 0x7fffffff).toString();
        pass = Otp.leftPad(pass.substr(pass.length - this.digits), this.digits);
        callback(pass, timeLeft);
    });
};

Otp.prototype.hmac = function(data, callback) {
    const subtle = window.crypto.subtle || window.crypto.webkitSubtle;
    const algo = { name: 'HMAC', hash: { name: this.algorithm.replace('SHA', 'SHA-') } };
    subtle
        .importKey('raw', this.key, algo, false, ['sign'])
        .then(key => {
            subtle
                .sign(algo, key, data)
                .then(sig => {
                    callback(sig);
                })
                .catch(err => {
                    callback(null, err);
                });
        })
        .catch(err => {
            callback(null, err);
        });
};

Otp.fromBase32 = function(str) {
    const alphabet = 'abcdefghijklmnopqrstuvwxyz234567';
    let bin = '';
    let i;
    for (i = 0; i < str.length; i++) {
        const ix = alphabet.indexOf(str[i].toLowerCase());
        if (ix < 0) {
            return null;
        }
        bin += Otp.leftPad(ix.toString(2), 5);
    }
    const hex = new Uint8Array(Math.floor(bin.length / 8));
    for (i = 0; i < hex.length; i++) {
        const chunk = bin.substr(i * 8, 8);
        hex[i] = parseInt(chunk, 2);
    }
    return hex.buffer;
};

Otp.leftPad = function(str, len) {
    while (str.length < len) {
        str = '0' + str;
    }
    return str;
};

Otp.parseUrl = function(url) {
    const match = /^otpauth:\/\/(\w+)\/([^\?]+)\?(.*)/i.exec(url);
    if (!match) {
        throw 'Not OTP url';
    }
    const params = {};
    const label = decodeURIComponent(match[2]);
    if (label) {
        const parts = label.split(':');
        params.issuer = parts[0].trim();
        if (parts.length > 1) {
            params.account = parts[1].trim();
        }
    }
    params.type = match[1].toLowerCase();
    match[3].split('&').forEach(part => {
        const parts = part.split('=', 2);
        params[parts[0].toLowerCase()] = decodeURIComponent(parts[1]);
    });
    return new Otp(url, params);
};

Otp.isSecret = function(str) {
    return !!Otp.fromBase32(str);
};

Otp.makeUrl = function(secret, period, digits) {
    return (
        'otpauth://totp/default?secret=' +
        secret +
        (period ? '&period=' + period : '') +
        (digits ? '&digits=' + digits : '')
    );
};

export { Otp };
imports 2019-09-15 14:16:32 +02:00			`import { Logger } from 'util/logger';`
otp 2016-04-01 21:19:27 +02:00
var => let 2017-01-31 07:50:28 +01:00			`const logger = new Logger('otp');`
otp 2016-04-01 21:19:27 +02:00
var => let 2017-01-31 07:50:28 +01:00			`const Otp = function(url, params) {`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`if (['hotp', 'totp'].indexOf(params.type) < 0) {`
			`throw 'Bad type: ' + params.type;`
			`}`
			`if (!params.secret) {`
			`throw 'Empty secret';`
			`}`
			`if (params.algorithm && ['SHA1', 'SHA256', 'SHA512'].indexOf(params.algorithm) < 0) {`
			`throw 'Bad algorithm: ' + params.algorithm;`
			`}`
fix #1226: 7-digit Authy OTP support 2019-09-11 22:41:00 +02:00			`if (params.digits && ['6', '7', '8'].indexOf(params.digits) < 0) {`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`throw 'Bad digits: ' + params.digits;`
			`}`
			`if (params.type === 'hotp' && !params.counter) {`
			`throw 'Bad counter: ' + params.counter;`
			`}`
prettier 2019-08-16 23:05:39 +02:00			`if ((params.period && isNaN(params.period)) \|\| params.period < 1) {`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`throw 'Bad period: ' + params.period;`
			`}`
otp 2016-04-01 21:19:27 +02:00
reading otp qr codes 2016-03-31 22:52:04 +02:00			`this.url = url;`
otp 2016-04-01 21:19:27 +02:00
reading otp qr codes 2016-03-31 22:52:04 +02:00			`this.type = params.type;`
			`this.issuer = params.issuer;`
			`this.account = params.account;`
			`this.secret = params.secret;`
			`this.issuer = params.issuer;`
			`this.algorithm = params.algorithm ? params.algorithm.toUpperCase() : 'SHA1';`
			`this.digits = params.digits ? +params.digits : 6;`
			`this.counter = params.counter;`
			`this.period = params.period ? +params.period : 30;`
otp 2016-04-01 21:19:27 +02:00
			`this.key = Otp.fromBase32(this.secret);`
enter otp manually 2016-04-04 20:45:17 +02:00			`if (!this.key) {`
			`throw 'Bad key: ' + this.key;`
			`}`
otp 2016-04-01 21:19:27 +02:00			`};`

			`Otp.prototype.next = function(callback) {`
var => let 2017-01-31 07:50:28 +01:00			`let valueForHashing;`
			`let timeLeft;`
hotp 2016-04-01 23:16:23 +02:00			`if (this.type === 'totp') {`
var => let 2017-01-31 07:50:28 +01:00			`const now = Date.now();`
			`const epoch = Math.round(now / 1000);`
hotp 2016-04-01 23:16:23 +02:00			`valueForHashing = Math.floor(epoch / this.period);`
var => let 2017-01-31 07:50:28 +01:00			`const msPeriod = this.period * 1000;`
hotp 2016-04-01 23:16:23 +02:00			`timeLeft = msPeriod - (now % msPeriod);`
			`} else {`
			`valueForHashing = this.counter;`
			`}`
var => let 2017-01-31 07:50:28 +01:00			`const data = new Uint8Array(8).buffer;`
fix otp in safari 2016-04-02 15:57:38 +02:00			`new DataView(data).setUint32(4, valueForHashing);`
eslint 2016-07-17 13:30:38 +02:00			`this.hmac(data, (sig, err) => {`
otp 2016-04-01 21:19:27 +02:00			`if (!sig) {`
			`logger.error('OTP calculation error', err);`
			`return callback();`
			`}`
			`sig = new DataView(sig);`
var => let 2017-01-31 07:50:28 +01:00			`const offset = sig.getInt8(sig.byteLength - 1) & 0xf;`
			`let pass = (sig.getUint32(offset) & 0x7fffffff).toString();`
eslint 2016-07-17 13:30:38 +02:00			`pass = Otp.leftPad(pass.substr(pass.length - this.digits), this.digits);`
otp 2016-04-01 21:19:27 +02:00			`callback(pass, timeLeft);`
			`});`
			`};`

			`Otp.prototype.hmac = function(data, callback) {`
var => let 2017-01-31 07:50:28 +01:00			`const subtle = window.crypto.subtle \|\| window.crypto.webkitSubtle;`
			`const algo = { name: 'HMAC', hash: { name: this.algorithm.replace('SHA', 'SHA-') } };`
prettier 2019-08-16 23:05:39 +02:00			`subtle`
			`.importKey('raw', this.key, algo, false, ['sign'])`
eslint 2016-07-17 13:30:38 +02:00			`.then(key => {`
prettier 2019-08-16 23:05:39 +02:00			`subtle`
			`.sign(algo, key, data)`
			`.then(sig => {`
			`callback(sig);`
			`})`
			`.catch(err => {`
			`callback(null, err);`
			`});`
otp 2016-04-01 21:19:27 +02:00			`})`
prettier 2019-08-16 23:05:39 +02:00			`.catch(err => {`
			`callback(null, err);`
			`});`
otp 2016-04-01 21:19:27 +02:00			`};`

			`Otp.fromBase32 = function(str) {`
var => let 2017-01-31 07:50:28 +01:00			`const alphabet = 'abcdefghijklmnopqrstuvwxyz234567';`
			`let bin = '';`
			`let i;`
otp 2016-04-01 21:19:27 +02:00			`for (i = 0; i < str.length; i++) {`
var => let 2017-01-31 07:50:28 +01:00			`const ix = alphabet.indexOf(str[i].toLowerCase());`
otp 2016-04-01 21:19:27 +02:00			`if (ix < 0) {`
enter otp manually 2016-04-04 20:45:17 +02:00			`return null;`
otp 2016-04-01 21:19:27 +02:00			`}`
			`bin += Otp.leftPad(ix.toString(2), 5);`
			`}`
var => let 2017-01-31 07:50:28 +01:00			`const hex = new Uint8Array(Math.floor(bin.length / 8));`
otp 2016-04-01 21:19:27 +02:00			`for (i = 0; i < hex.length; i++) {`
var => let 2017-01-31 07:50:28 +01:00			`const chunk = bin.substr(i * 8, 8);`
otp 2016-04-01 21:19:27 +02:00			`hex[i] = parseInt(chunk, 2);`
			`}`
			`return hex.buffer;`
			`};`

			`Otp.leftPad = function(str, len) {`
			`while (str.length < len) {`
			`str = '0' + str;`
			`}`
			`return str;`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`};`

			`Otp.parseUrl = function(url) {`
var => let 2017-01-31 07:50:28 +01:00			`const match = /^otpauth:\/\/(\w+)\/([^\?]+)\?(.*)/i.exec(url);`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`if (!match) {`
			`throw 'Not OTP url';`
			`}`
var => let 2017-01-31 07:50:28 +01:00			`const params = {};`
			`const label = decodeURIComponent(match[2]);`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`if (label) {`
var => let 2017-01-31 07:50:28 +01:00			`const parts = label.split(':');`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`params.issuer = parts[0].trim();`
			`if (parts.length > 1) {`
			`params.account = parts[1].trim();`
			`}`
			`}`
			`params.type = match[1].toLowerCase();`
eslint 2016-07-17 13:30:38 +02:00			`match[3].split('&').forEach(part => {`
var => let 2017-01-31 07:50:28 +01:00			`const parts = part.split('=', 2);`
reading otp qr codes 2016-03-31 22:52:04 +02:00			`params[parts[0].toLowerCase()] = decodeURIComponent(parts[1]);`
			`});`
			`return new Otp(url, params);`
			`};`

enter otp manually 2016-04-04 20:45:17 +02:00			`Otp.isSecret = function(str) {`
			`return !!Otp.fromBase32(str);`
			`};`

			`Otp.makeUrl = function(secret, period, digits) {`
prettier 2019-08-16 23:05:39 +02:00			`return (`
			`'otpauth://totp/default?secret=' +`
			`secret +`
			`(period ? '&period=' + period : '') +`
			`(digits ? '&digits=' + digits : '')`
			`);`
enter otp manually 2016-04-04 20:45:17 +02:00			`};`

imports 2019-09-15 14:16:32 +02:00			`export { Otp };`