one_time_pass_ecto v1.1.1 OneTimePassEcto
Module to handle one-time passwords, usually for use in two-factor authentication.
One-time password options
There are the following options for the one-time passwords:
HMAC-based one-time passwords
:token_length - the length of the one-time password; the default is 6
:last - the count when the one-time password was last used; this count needs to be stored server-side
:window - the number of future attempts allowed; the default is 3
Time-based one-time passwords
:token_length - the length of the one-time password; the default is 6
:interval_length - the length of each timed interval; the default is 30 (seconds)
:window - the number of attempts, before and after the current one, allowed; the default is 1 (1 interval before and 1 interval after)
Both HOTP and TOTP
:otp_secret - name of the Ecto field holding the secret (default :otp_secret)
:otp_last - name of the Ecto field holding the last value (default :otp_last)
See the documentation for the OneTimePassEcto.Base module for more details about generating and verifying one-time passwords.
Implementation details
The following notes provide details about how this module implements the verification of one-time passwords.
It is important not to allow the one-time password to be reused within the timeframe that it is valid.
For TOTPs, one method of preventing reuse is to compare the output of check_totp (the last value) with the previously stored last value: the new output must be greater than the stored last value, otherwise the token has already been used.
In the case of HOTPs, it is important that the database is locked from the time the last value is checked until the last value is updated, so that two concurrent requests cannot both be accepted for the same counter.
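The two checks described above, written out as an added example (not code from the one_time_pass_ecto project). It assumes that OneTimePassEcto.Base.check_totp/3 and check_hotp/3 return the matched counter as an integer on success and false on failure, that the user schema carries the :otp_secret and :otp_last fields named in the options section, and that MyApp.Repo and MyApp.User exist; all of these names and the return convention are assumptions for illustration.

```elixir
# Added example, not part of the one_time_pass_ecto library. Assumptions:
# - OneTimePassEcto.Base.check_totp/3 and check_hotp/3 return the matched
#   counter (integer) on success and false on failure.
# - MyApp.Repo and MyApp.User are hypothetical; the user schema has the
#   :otp_secret and :otp_last fields described in the options section.
defmodule MyApp.OtpReplayGuard do
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.User
  alias OneTimePassEcto.Base

  # TOTP: accept the token only if the interval count it matched is greater
  # than the count stored from the last successful check. A token from the
  # same interval (or an earlier one) is treated as a replay.
  def verify_totp(%User{} = user, token, opts \\ []) do
    previous_last = user.otp_last || 0

    case Base.check_totp(token, user.otp_secret, opts) do
      false ->
        {:error, "invalid one-time password"}

      count when is_integer(count) and count > previous_last ->
        user
        |> Ecto.Changeset.change(otp_last: count)
        |> Repo.update()

      _count ->
        {:error, "one-time password already used"}
    end
  end

  # HOTP: hold a row lock on the user for the whole check-and-update, so two
  # concurrent requests cannot both be accepted for the same counter value.
  def verify_hotp(user_id, token, opts \\ []) do
    Repo.transaction(fn ->
      user =
        Repo.one!(from u in User, where: u.id == ^user_id, lock: "FOR UPDATE")

      # :last is the stored counter; :window / :token_length come from opts
      hotp_opts = Keyword.put(opts, :last, user.otp_last || 0)

      case Base.check_hotp(token, user.otp_secret, hotp_opts) do
        false ->
          # rollback releases the lock and makes transaction/1 return {:error, msg}
          Repo.rollback("invalid one-time password")

        new_last when is_integer(new_last) ->
          user
          |> Ecto.Changeset.change(otp_last: new_last)
          |> Repo.update!()
      end
    end)
  end
end
```

Both functions return {:ok, user} or {:error, message}, matching the shape verify/4 documents below. The SELECT ... FOR UPDATE lock is what makes the HOTP path safe: the counter is read and written inside one transaction, so a second request for the same token blocks until the first has committed and then sees the updated :otp_last.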
Summary
Functions
Check the one-time password, and return {:ok, user} if the one-time password is correct or {:error, message} if there is an error
Functions
verify(params, repo, user_schema, opts \\ [])
Check the one-time password, and return {:ok, user} if the one-time password is correct or {:error, message} if there is an error.
After this function has been called, you need to either add the user to the session, by running put_session(conn, :user_id, id), or send an API token to the user.
See the One-time password options in this module's documentation for available options to be used as the second argument to this function.
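One way to wire verify/4 into a Phoenix controller, as an added example that is not code from the one_time_pass_ecto project. MyAppWeb.OtpController, MyApp.Repo, MyApp.User and the redirect paths are assumptions; params is the request parameter map passed straight through to verify/4.

```elixir
# Added example, not part of the one_time_pass_ecto library.
# MyAppWeb, MyApp.Repo, MyApp.User and the paths are hypothetical names.
defmodule MyAppWeb.OtpController do
  use MyAppWeb, :controller

  def create(conn, params) do
    # Library defaults are used for :token_length, :window and the
    # :otp_secret / :otp_last field names (see the options section).
    case OneTimePassEcto.verify(params, MyApp.Repo, MyApp.User) do
      {:ok, user} ->
        conn
        # a fresh session id after a successful second factor prevents
        # an attacker-supplied pre-login session from being upgraded
        |> configure_session(renew: true)
        |> put_session(:user_id, user.id)
        |> redirect(to: "/")

      {:error, message} ->
        conn
        |> put_flash(:error, message)
        |> redirect(to: "/login")
    end
  end
end
```

Only the {:ok, user} branch touches the session; the error message returned by verify/4 is surfaced as a flash and the user is sent back to the login form without any session state being created.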