├── .github ├── FUNDING.yml └── workflows │ ├── ci.yml │ └── release.yml ├── .gitignore ├── Changes.rst ├── LICENSE ├── MANIFEST.in ├── Makefile ├── README.rst ├── SECURITY.md ├── common.mk ├── docs ├── changelog.rst ├── conf.py ├── index.rst └── toc.html ├── pyproject.toml ├── src └── pyotp │ ├── __init__.py │ ├── compat.py │ ├── contrib │ ├── __init__.py │ └── steam.py │ ├── hotp.py │ ├── otp.py │ ├── py.typed │ ├── totp.py │ └── utils.py └── test.py /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: kislyuk 4 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Python package 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | runs-on: ${{ matrix.os }} 8 | env: 9 | PIP_DISABLE_PIP_VERSION_CHECK: 1 10 | strategy: 11 | matrix: 12 | os: [ubuntu-22.04, ubuntu-latest, macos-latest] 13 | python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"] 14 | steps: 15 | - uses: actions/checkout@v4 16 | - name: Set up Python ${{ matrix.python-version }} 17 | uses: actions/setup-python@v5 18 | with: 19 | python-version: ${{ matrix.python-version }} 20 | - run: make install 21 | - run: make lint 22 | - run: make test 23 | - uses: codecov/codecov-action@v5 24 | isort: 25 | runs-on: ubuntu-latest 26 | steps: 27 | - uses: isort/isort-action@v1.1.0 28 | ruff: 29 | runs-on: ubuntu-latest 30 | steps: 31 | - uses: actions/checkout@v4 32 | - uses: astral-sh/ruff-action@v1 33 | - uses: astral-sh/ruff-action@v1 34 | with: 35 | args: "format --check" 36 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Publish release to PyPI 2 | 3 | on: 4 | push: 5 | tags: 6 | - 'v[0-9]+.[0-9]+.[0-9]+' 7 | 8 | jobs: 9 | pypi-publish: 10 | name: Build and upload release to PyPI 11 | runs-on: ubuntu-latest 12 | environment: release 13 | permissions: 14 | id-token: write 15 | steps: 16 | - uses: actions/checkout@v4 17 | - uses: actions/setup-python@v5 18 | - run: pip install build 19 | - run: python -m build 20 | - name: Publish package distributions to PyPI 21 | uses: pypa/gh-action-pypi-publish@release/v1 22 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Reminder: 2 | # - A leading slash means the pattern is anchored at the root. 3 | # - No leading slash means the pattern matches at any depth. 4 | 5 | # Python files 6 | *.pyc 7 | __pycache__/ 8 | .tox/ 9 | *.egg-info/ 10 | /build/ 11 | /dist/ 12 | /.eggs/ 13 | 14 | # Sphinx documentation 15 | /docs/_build/ 16 | 17 | # IDE project files 18 | /.pydevproject 19 | 20 | # vim python-mode plugin 21 | /.ropeproject 22 | 23 | # IntelliJ IDEA / PyCharm project files 24 | /.idea 25 | /*.iml 26 | 27 | # JS/node/npm/web dev files 28 | node_modules 29 | npm-debug.log 30 | 31 | # OS X metadata files 32 | .DS_Store 33 | 34 | # Python coverage 35 | .coverage 36 | htmlcov 37 | 38 | # Virtual environments 39 | venv 40 | 41 | # Type checking 42 | .mypy_cache 43 | -------------------------------------------------------------------------------- /Changes.rst: -------------------------------------------------------------------------------- 1 | Changes for v2.9.0 (2023-07-27) 2 | =============================== 3 | 4 | - Add ``parse_uri()`` support for Steam TOTP (#153) 5 | 6 | - Test and documentation improvements 7 | 8 | Changes for v2.8.0 (2022-12-13) 9 | =============================== 10 | 11 | - Modify OTP generation to run in constant time (#148) 12 | 13 | - Documentation improvements 14 | 15 | - Drop Python 3.6 support; introduce Python 3.11 support 16 | 17 | Changes for v2.7.0 (2022-09-11) 18 | =============================== 19 | 20 | - Support Steam TOTP (#142) 21 | 22 | - Build, test, and documentation updates 23 | 24 | Changes for v2.6.0 (2021-02-04) 25 | =============================== 26 | 27 | - Raise default and minimum base32 secret length to 32, and hex secret 28 | length to 40 (160 bits as recommended by the RFC) (#115). 29 | 30 | - Fix issue where provisioning_uri would return invalid results after 31 | calling verify() (#115). 32 | 33 | Changes for v2.5.1 (2021-01-29) 34 | =============================== 35 | 36 | - parse_uri accepts and ignores optional image parameter (#114) 37 | 38 | Changes for v2.5.0 (2021-01-29) 39 | =============================== 40 | 41 | - Add optional image parameter to provisioning_uri (#113) 42 | 43 | - Support for 7-digit codes in ‘parse_uri’ (#111) 44 | 45 | - Raise default and minimum base32 secret length to 26 46 | 47 | Changes for v2.4.1 (2020-10-16) 48 | =============================== 49 | 50 | - parse_uri: Fix handling of period, counter (#108) 51 | 52 | - Add support for timezone aware datetime as argument to 53 | ``TOTP.timecode()`` (#107) 54 | 55 | Changes for v2.4.0 (2020-07-29) 56 | =============================== 57 | 58 | - Fix data type for at(for_time) (#85) 59 | 60 | - Add support for parsing provisioning URIs (#84) 61 | 62 | - Raise error when trying to generate secret that is too short (The 63 | secret must be at least 128 bits) 64 | 65 | - Add random_hex function (#82) 66 | 67 | Changes for v2.3.0 (2019-07-26) 68 | =============================== 69 | 70 | - Fix comparison behavior on Python 2.7 71 | 72 | Changes for v2.2.8 (2019-07-26) 73 | =============================== 74 | 75 | - Fix comparison of unicode chars (#78) 76 | 77 | - Minor documentation and test fixes 78 | 79 | Changes for v2.2.7 (2018-11-05) 80 | =============================== 81 | 82 | - Have random_base32() use ‘secrets’ as rand source (#66) 83 | 84 | - Documentation: Add security considerations, minimal security 85 | checklist, other improvements 86 | 87 | - Update setup.py to reference correct license 88 | 89 | Changes for v2.2.6 (2017-06-10) 90 | =============================== 91 | 92 | - Fix tests wrt double-quoting in provisioning URIs 93 | 94 | Changes for v2.2.5 (2017-06-03) 95 | =============================== 96 | 97 | - Quote issuer QS parameter in provisioning\_uri. Fixes #47. 98 | 99 | - Raise an exception if a negative integer is passed to at() (#41). 100 | 101 | - Documentation and release infrastructure improvements. 102 | 103 | Changes for v2.2.4 (2017-01-04) 104 | =============================== 105 | 106 | - Restore Python 2.6 compatibility (however, Python 2.6 is not 107 | supported) 108 | 109 | - Documentation and test improvements 110 | 111 | - Fix release infra script, part 2 112 | 113 | Changes for v2.2.3 (2017-01-04) 114 | =============================== 115 | 116 | - Restore Python 2.6 compatibility (however, Python 2.6 is not 117 | supported) 118 | 119 | - Documentation and test improvements 120 | 121 | - Fix release infra script 122 | 123 | Changes for v2.2.2 (2017-01-04) 124 | =============================== 125 | 126 | - Restore Python 2.6 compatibility (however, Python 2.6 is not 127 | supported) 128 | 129 | - Documentation and test improvements 130 | 131 | Changes for v2.2.1 (2016-08-30) 132 | =============================== 133 | 134 | - Avoid using python-future; it has subdependencies that limit 135 | compatibility (#34) 136 | - Make test suite pass on 32-bit platforms (#30) 137 | - Timing attack resistance fix: don't reveal string length to attacker. 138 | Thanks to Eeo Jun (#28). 139 | - Support algorithm, digits, period parameters in provisioning\_uri. 140 | Thanks to Dionisio E Alonso (#33). 141 | - Minor style and packaging infrastructure fixes. 142 | 143 | Changes for v2.2.0 (2016-08-30) 144 | =============================== 145 | 146 | - See v2.2.1 147 | 148 | Version 2.1.0 (2016-05-02) 149 | -------------------------- 150 | - Add extended range support to TOTP.verify. Thanks to Zeev Rotshtein (PR #19). 151 | - Handle missing padding of encoded secret. Thanks to Kun Yan (#20). 152 | - Miscellaneous fixes. 153 | 154 | Version 2.0.1 (2015-09-28) 155 | -------------------------- 156 | - Fix packaging issue in v2.0.0 that prevented installation with easy_install. 157 | 158 | Version 2.0.0 (2015-08-22) 159 | -------------------------- 160 | - The ``pyotp.HOTP.at()``, ``pyotp.TOTP.at()``, and 161 | ``pyotp.TOTP.now()`` methods now return strings instead of 162 | integers. Thanks to Rohan Dhaimade (PR #16). 163 | 164 | Version 1.4.2 (2015-07-21) 165 | -------------------------- 166 | - Begin tracking changes in change log. 167 | - Update documentation. 168 | - Introduce Travis CI integration. 169 | 170 | Version 1.3.1 (2012-02-29) 171 | -------------------------- 172 | - Initial release. 173 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (C) 2011-2021 Mark Percival , 2 | Nathan Reynolds , Andrey Kislyuk , 3 | and PyOTP contributors 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include LICENSE 2 | include README.rst 3 | include test.py 4 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | SHELL=/bin/bash 2 | 3 | test_deps: 4 | python -m pip install .[test] 5 | 6 | lint: 7 | ruff check src 8 | mypy --install-types --non-interactive --check-untyped-defs src 9 | 10 | test: 11 | coverage run --branch --include 'src/*' -m unittest discover -s test -v 12 | 13 | init_docs: 14 | cd docs; sphinx-quickstart 15 | 16 | docs: 17 | python -m pip install furo sphinx-copybutton sphinxext-opengraph 18 | sphinx-build docs docs/html 19 | 20 | install: clean 21 | python -m pip install build 22 | python -m build 23 | python -m pip install --upgrade $$(echo dist/*.whl)[test] 24 | 25 | clean: 26 | -rm -rf build dist 27 | -rm -rf *.egg-info 28 | 29 | .PHONY: test_deps lint test docs install clean 30 | 31 | include common.mk 32 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | PyOTP - The Python One-Time Password Library 2 | ============================================ 3 | 4 | PyOTP is a Python library for generating and verifying one-time passwords. It can be used to implement two-factor (2FA) 5 | or multi-factor (MFA) authentication methods in web applications and in other systems that require users to log in. 6 | 7 | Open MFA standards are defined in `RFC 4226 `_ (HOTP: An HMAC-Based One-Time 8 | Password Algorithm) and in `RFC 6238 `_ (TOTP: Time-Based One-Time Password 9 | Algorithm). PyOTP implements server-side support for both of these standards. Client-side support can be enabled by 10 | sending authentication codes to users over SMS or email (HOTP) or, for TOTP, by instructing users to use `Google 11 | Authenticator `_, `Authy `_, or another 12 | compatible app. Users can set up auth tokens in their apps easily by using their phone camera to scan `otpauth:// 13 | `_ QR codes provided by PyOTP. 14 | 15 | Implementers should read and follow the `HOTP security requirements `_ 16 | and `TOTP security considerations `_ sections of the relevant RFCs. At 17 | minimum, application implementers should follow this checklist: 18 | 19 | - Ensure transport confidentiality by using HTTPS 20 | - Ensure HOTP/TOTP secret confidentiality by storing secrets in a controlled access database 21 | - Deny replay attacks by rejecting one-time passwords that have been used by the client (this requires storing the most 22 | recently authenticated timestamp, OTP, or hash of the OTP in your database, and rejecting the OTP when a match is 23 | seen) 24 | - Throttle (rate limit) brute-force attacks against your application's login functionality (see RFC 4226, section 7.3) 25 | - When implementing a "greenfield" application, consider supporting 26 | `FIDO U2F `_/`WebAuthn `_ in 27 | addition to or instead of HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a shared secret design, which 28 | strengthens your MFA solution against server-side attacks. Hardware U2F also sequesters the client secret in a 29 | dedicated single-purpose device, which strengthens your clients against client-side attacks. And by automating scoping 30 | of credentials to relying party IDs (application origin/domain names), U2F adds protection against phishing attacks. 31 | One implementation of FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP `_. 32 | 33 | We also recommend that implementers read the 34 | `OWASP Authentication Cheat Sheet 35 | `_ and 36 | `NIST SP 800-63-3: Digital Authentication Guideline `_ for a high level overview of 37 | authentication best practices. 38 | 39 | Quick overview of using One Time Passwords on your phone 40 | -------------------------------------------------------- 41 | 42 | * OTPs involve a shared secret, stored both on the phone and the server 43 | * OTPs can be generated on a phone without internet connectivity 44 | * OTPs should always be used as a second factor of authentication (if your phone is lost, you account is still secured 45 | with a password) 46 | * Google Authenticator and other OTP client apps allow you to store multiple OTP secrets and provision those using a QR 47 | Code 48 | 49 | Installation 50 | ------------ 51 | :: 52 | 53 | pip install pyotp 54 | 55 | Usage 56 | ----- 57 | 58 | Time-based OTPs 59 | ~~~~~~~~~~~~~~~ 60 | :: 61 | 62 | import pyotp 63 | import time 64 | 65 | totp = pyotp.TOTP('base32secret3232') 66 | totp.now() # => '492039' 67 | 68 | # OTP verified for current time 69 | totp.verify('492039') # => True 70 | time.sleep(30) 71 | totp.verify('492039') # => False 72 | 73 | Counter-based OTPs 74 | ~~~~~~~~~~~~~~~~~~ 75 | :: 76 | 77 | import pyotp 78 | 79 | hotp = pyotp.HOTP('base32secret3232') 80 | hotp.at(0) # => '260182' 81 | hotp.at(1) # => '055283' 82 | hotp.at(1401) # => '316439' 83 | 84 | # OTP verified with a counter 85 | hotp.verify('316439', 1401) # => True 86 | hotp.verify('316439', 1402) # => False 87 | 88 | Generating a Secret Key 89 | ~~~~~~~~~~~~~~~~~~~~~~~ 90 | A helper function is provided to generate a 32-character base32 secret, compatible with Google Authenticator and other 91 | OTP apps:: 92 | 93 | pyotp.random_base32() 94 | 95 | Some applications want the secret key to be formatted as a hex-encoded string:: 96 | 97 | pyotp.random_hex() # returns a 40-character hex-encoded secret 98 | 99 | Google Authenticator Compatible 100 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 101 | 102 | PyOTP works with the Google Authenticator iPhone and Android app, as well as other OTP apps like Authy. PyOTP includes 103 | the ability to generate provisioning URIs for use with the QR Code scanner built into these MFA client apps:: 104 | 105 | pyotp.totp.TOTP('JBSWY3DPEHPK3PXP').provisioning_uri(name='alice@google.com', issuer_name='Secure App') 106 | 107 | >>> 'otpauth://totp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App' 108 | 109 | pyotp.hotp.HOTP('JBSWY3DPEHPK3PXP').provisioning_uri(name="alice@google.com", issuer_name="Secure App", initial_count=0) 110 | 111 | >>> 'otpauth://hotp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App&counter=0' 112 | 113 | This URL can then be rendered as a QR Code (for example, using https://github.com/soldair/node-qrcode) which can then be 114 | scanned and added to the users list of OTP credentials. 115 | 116 | Parsing these URLs is also supported:: 117 | 118 | pyotp.parse_uri('otpauth://totp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App') 119 | 120 | >>> 121 | 122 | pyotp.parse_uri('otpauth://hotp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App&counter=0' 123 | 124 | >>> 125 | 126 | Working example 127 | ~~~~~~~~~~~~~~~ 128 | 129 | Scan the following barcode with your phone's OTP app (e.g. Google Authenticator): 130 | 131 | .. image:: https://quickchart.io/qr?size=250&text=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP 132 | 133 | Now run the following and compare the output:: 134 | 135 | import pyotp 136 | totp = pyotp.TOTP("JBSWY3DPEHPK3PXP") 137 | print("Current OTP:", totp.now()) 138 | 139 | Third-party contributions 140 | ~~~~~~~~~~~~~~~~~~~~~~~~~ 141 | The following third-party contributions are not described by a standard, not officially supported, and provided for 142 | reference only: 143 | 144 | * ``pyotp.contrib.Steam()``: An implementation of Steam TOTP. Uses the same API as `pyotp.TOTP()`. 145 | 146 | Links 147 | ~~~~~ 148 | 149 | * `Project home page (GitHub) `_ 150 | * `Documentation `_ 151 | * `Package distribution (PyPI) `_ 152 | * `Change log `_ 153 | * `RFC 4226: HOTP: An HMAC-Based One-Time Password `_ 154 | * `RFC 6238: TOTP: Time-Based One-Time Password Algorithm `_ 155 | * `ROTP `_ - Original Ruby OTP library by `Mark Percival `_ 156 | * `OTPHP `_ - PHP port of ROTP by `Le Lag `_ 157 | * `OWASP Authentication Cheat Sheet `_ 158 | * `NIST SP 800-63-3: Digital Authentication Guideline `_ 159 | 160 | For new applications: 161 | 162 | * `WebAuthn `_ 163 | * `PyWARP `_ 164 | 165 | Versioning 166 | ~~~~~~~~~~ 167 | This package follows the `Semantic Versioning 2.0.0 `_ standard. To control changes, it is 168 | recommended that application developers pin the package version and manage it using `pip-tools 169 | `_ or similar. For library developers, pinning the major version is 170 | recommended. 171 | 172 | .. image:: https://github.com/pyauth/pyotp/workflows/Python%20package/badge.svg 173 | :target: https://github.com/pyauth/pyotp/actions 174 | .. image:: https://img.shields.io/codecov/c/github/pyauth/pyotp/master.svg 175 | :target: https://codecov.io/github/pyauth/pyotp?branch=master 176 | .. image:: https://img.shields.io/pypi/v/pyotp.svg 177 | :target: https://pypi.python.org/pypi/pyotp 178 | .. image:: https://img.shields.io/pypi/l/pyotp.svg 179 | :target: https://pypi.python.org/pypi/pyotp 180 | .. image:: https://readthedocs.org/projects/pyotp/badge/?version=latest 181 | :target: https://pyotp.readthedocs.io/ 182 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Reporting a Vulnerability 4 | 5 | If you believe you have found a security vulnerability in this project, please report it to us by submitting a security advisory at https://github.com/pyauth/pyotp/security/advisories. You can expect an initial response within 14 days. 6 | 7 | ## Supported Versions 8 | 9 | In general, the maintainers of this project provide security updates only for the most recent published release. If you need support for prior versions, please open an issue and describe your situation. Requests for updates to prior releases will be considered on a case-by-case basis, and will generally be accommodated only for the latest releases in prior major version release series. 10 | -------------------------------------------------------------------------------- /common.mk: -------------------------------------------------------------------------------- 1 | SHELL=/bin/bash -eo pipefail 2 | 3 | release-major: 4 | $(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v@{[$$1+1]}.0.0"')) 5 | $(MAKE) release 6 | 7 | release-minor: 8 | $(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v$$1.@{[$$2+1]}.0"')) 9 | $(MAKE) release 10 | 11 | release-patch: 12 | $(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v$$1.$$2.@{[$$3+1]}"')) 13 | $(MAKE) release 14 | 15 | release: 16 | @if ! git diff --cached --exit-code; then echo "Commit staged files before proceeding"; exit 1; fi 17 | @if [[ -z $$TAG ]]; then echo "Use release-{major,minor,patch}"; exit 1; fi 18 | @if ! type -P pandoc; then echo "Please install pandoc"; exit 1; fi 19 | @if ! type -P sponge; then echo "Please install moreutils"; exit 1; fi 20 | @if ! type -P gh; then echo "Please install gh"; exit 1; fi 21 | git pull 22 | TAG_MSG=$$(mktemp); \ 23 | echo "# Changes for ${TAG} ($$(date +%Y-%m-%d))" > $$TAG_MSG; \ 24 | git log --pretty=format:%s $$(git describe --abbrev=0)..HEAD >> $$TAG_MSG; \ 25 | $${EDITOR:-emacs} $$TAG_MSG; \ 26 | if [[ -f Changes.md ]]; then cat $$TAG_MSG <(echo) Changes.md | sponge Changes.md; git add Changes.md; fi; \ 27 | if [[ -f Changes.rst ]]; then cat <(pandoc --from markdown --to rst $$TAG_MSG) <(echo) Changes.rst | sponge Changes.rst; git add Changes.rst; fi; \ 28 | git commit -m ${TAG}; \ 29 | git tag --annotate --file $$TAG_MSG ${TAG} 30 | git push --follow-tags 31 | $(MAKE) install 32 | gh release create ${TAG} dist/*.whl --notes="$$(git tag --list ${TAG} -n99 | perl -pe 's/^\S+\s*// if $$. == 1' | sed 's/^\s\s\s\s//')" 33 | $(MAKE) release-docs 34 | 35 | release-docs: 36 | $(MAKE) docs 37 | -git branch -D gh-pages 38 | git checkout -B gh-pages-stage 39 | touch docs/html/.nojekyll 40 | git add --force docs/html 41 | git commit -m "Docs for ${TAG}" 42 | git push --force origin $$(git subtree split --prefix docs/html --branch gh-pages):refs/heads/gh-pages 43 | git checkout - 44 | 45 | .PHONY: release 46 | -------------------------------------------------------------------------------- /docs/changelog.rst: -------------------------------------------------------------------------------- 1 | Release Notes 2 | ============= 3 | .. include:: ../Changes.rst 4 | -------------------------------------------------------------------------------- /docs/conf.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | 4 | sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "src")) 5 | 6 | project = "PyOTP" 7 | copyright = "PyOTP contributors" 8 | author = "PyOTP contributors" 9 | version = "" 10 | release = "" 11 | language = "en" 12 | master_doc = "index" 13 | extensions = ["sphinx.ext.autodoc", "sphinx.ext.viewcode", "sphinx.ext.intersphinx", "sphinxext.opengraph"] 14 | source_suffix = [".rst", ".md"] 15 | exclude_patterns = ["_build", "Thumbs.db", ".DS_Store"] 16 | pygments_style = "sphinx" 17 | intersphinx_mapping = { 18 | "python": ("https://docs.python.org/3", None), 19 | } 20 | templates_path = [""] 21 | ogp_site_url = "https://pyauth.github.io/pyotp/" 22 | 23 | if "readthedocs.org" in os.getcwd().split("/"): 24 | with open("index.rst", "w") as fh: 25 | fh.write("Documentation for this project has moved to https://pyauth.github.io/pyotp") 26 | else: 27 | html_theme = "furo" 28 | html_sidebars = { 29 | "**": [ 30 | "sidebar/brand.html", 31 | "sidebar/search.html", 32 | "sidebar/scroll-start.html", 33 | "toc.html", 34 | "sidebar/scroll-end.html", 35 | ] 36 | } 37 | -------------------------------------------------------------------------------- /docs/index.rst: -------------------------------------------------------------------------------- 1 | .. include:: ../README.rst 2 | 3 | API documentation 4 | ================= 5 | 6 | .. automodule:: pyotp 7 | :members: 8 | 9 | .. automodule:: pyotp.totp 10 | :members: 11 | 12 | .. automodule:: pyotp.hotp 13 | :members: 14 | 15 | .. automodule:: pyotp.utils 16 | :members: 17 | 18 | .. automodule:: pyotp.contrib.steam 19 | :members: 20 | 21 | Change log 22 | ========== 23 | 24 | .. toctree:: 25 | :maxdepth: 5 26 | 27 | changelog 28 | -------------------------------------------------------------------------------- /docs/toc.html: -------------------------------------------------------------------------------- 1 | {{toc}} 2 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [project] 2 | name = "PyOTP" 3 | description = "Python One Time Password Library" 4 | readme = "README.rst" 5 | requires-python = ">=3.8" 6 | license = "MIT" 7 | license-files = ["LICENSE"] 8 | authors = [{ name = "Andrey Kislyuk"}, {email = "kislyuk@gmail.com" }] 9 | maintainers = [{ name = "Andrey Kislyuk"}, {email = "kislyuk@gmail.com" }] 10 | dynamic = ["version"] 11 | classifiers = [ 12 | "Intended Audience :: Developers", 13 | "Operating System :: MacOS :: MacOS X", 14 | "Operating System :: POSIX", 15 | "Programming Language :: Python", 16 | "Programming Language :: Python :: 3", 17 | "Programming Language :: Python :: 3.8", 18 | "Programming Language :: Python :: 3.9", 19 | "Programming Language :: Python :: 3.10", 20 | "Programming Language :: Python :: 3.11", 21 | "Programming Language :: Python :: 3.12", 22 | "Programming Language :: Python :: 3.13", 23 | "Programming Language :: Python :: Implementation :: CPython", 24 | "Programming Language :: Python :: Implementation :: PyPy", 25 | "Development Status :: 5 - Production/Stable", 26 | "Topic :: Software Development", 27 | "Topic :: Software Development :: Libraries :: Python Modules", 28 | ] 29 | 30 | [project.optional-dependencies] 31 | test = ["coverage", "wheel", "ruff", "mypy"] 32 | 33 | [project.urls] 34 | "Homepage"= "https://github.com/pyauth/pyotp" 35 | "Documentation"= "https://github.com/pyauth/pyotp" 36 | "Source Code"= "https://github.com/pyauth/pyotp" 37 | "Issue Tracker"= "https://github.com/pyauth/pyotp/issues" 38 | "Change Log"= "https://github.com/pyauth/pyotp/blob/main/Changes.rst" 39 | 40 | [build-system] 41 | requires = ["hatchling", "hatch-vcs"] 42 | build-backend = "hatchling.build" 43 | 44 | [tool.hatch.version] 45 | source = "vcs" 46 | 47 | [tool.black] 48 | line-length = 120 49 | 50 | [tool.isort] 51 | profile = "black" 52 | line_length = 120 53 | 54 | [tool.ruff] 55 | line-length = 120 56 | -------------------------------------------------------------------------------- /src/pyotp/__init__.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | from re import split 3 | from typing import Any, Dict, Sequence 4 | from urllib.parse import parse_qsl, unquote, urlparse 5 | 6 | from . import contrib # noqa:F401 7 | from .compat import random 8 | from .hotp import HOTP as HOTP 9 | from .otp import OTP as OTP 10 | from .totp import TOTP as TOTP 11 | 12 | 13 | def random_base32(length: int = 32, chars: Sequence[str] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567") -> str: 14 | # Note: the otpauth scheme DOES NOT use base32 padding for secret lengths not divisible by 8. 15 | # Some third-party tools have bugs when dealing with such secrets. 16 | # We might consider warning the user when generating a secret of length not divisible by 8. 17 | if length < 32: 18 | raise ValueError("Secrets should be at least 160 bits") 19 | 20 | return "".join(random.choice(chars) for _ in range(length)) 21 | 22 | 23 | def random_hex(length: int = 40, chars: Sequence[str] = "ABCDEF0123456789") -> str: 24 | if length < 40: 25 | raise ValueError("Secrets should be at least 160 bits") 26 | return random_base32(length=length, chars=chars) 27 | 28 | 29 | def parse_uri(uri: str) -> OTP: 30 | """ 31 | Parses the provisioning URI for the OTP; works for either TOTP or HOTP. 32 | 33 | See also: 34 | https://github.com/google/google-authenticator/wiki/Key-Uri-Format 35 | 36 | :param uri: the hotp/totp URI to parse 37 | :returns: OTP object 38 | """ 39 | 40 | # Secret (to be filled in later) 41 | secret = None 42 | 43 | # Encoder (to be filled in later) 44 | encoder = None 45 | 46 | # Digits (to be filled in later) 47 | digits = None 48 | 49 | # Data we'll parse to the correct constructor 50 | otp_data: Dict[str, Any] = {} 51 | 52 | # Parse with URLlib 53 | parsed_uri = urlparse(unquote(uri)) 54 | 55 | if parsed_uri.scheme != "otpauth": 56 | raise ValueError("Not an otpauth URI") 57 | 58 | # Parse issuer/accountname info 59 | accountinfo_parts = split(":|%3A", parsed_uri.path[1:], maxsplit=1) 60 | if len(accountinfo_parts) == 1: 61 | otp_data["name"] = accountinfo_parts[0] 62 | else: 63 | otp_data["issuer"] = accountinfo_parts[0] 64 | otp_data["name"] = accountinfo_parts[1] 65 | 66 | # Parse values 67 | for key, value in parse_qsl(parsed_uri.query): 68 | if key == "secret": 69 | secret = value 70 | elif key == "issuer": 71 | if "issuer" in otp_data and otp_data["issuer"] is not None and otp_data["issuer"] != value: 72 | raise ValueError("If issuer is specified in both label and parameters, it should be equal.") 73 | otp_data["issuer"] = value 74 | elif key == "algorithm": 75 | if value == "SHA1": 76 | otp_data["digest"] = hashlib.sha1 77 | elif value == "SHA256": 78 | otp_data["digest"] = hashlib.sha256 79 | elif value == "SHA512": 80 | otp_data["digest"] = hashlib.sha512 81 | else: 82 | raise ValueError("Invalid value for algorithm, must be SHA1, SHA256 or SHA512") 83 | elif key == "encoder": 84 | encoder = value 85 | elif key == "digits": 86 | digits = int(value) 87 | otp_data["digits"] = digits 88 | elif key == "period": 89 | otp_data["interval"] = int(value) 90 | elif key == "counter": 91 | otp_data["initial_count"] = int(value) 92 | 93 | if encoder != "steam": 94 | if digits is not None and digits not in [6, 7, 8]: 95 | raise ValueError("Digits may only be 6, 7, or 8") 96 | 97 | if not secret: 98 | raise ValueError("No secret found in URI") 99 | 100 | # Create objects 101 | if encoder == "steam": 102 | return contrib.Steam(secret, **otp_data) 103 | if parsed_uri.netloc == "totp": 104 | return TOTP(secret, **otp_data) 105 | elif parsed_uri.netloc == "hotp": 106 | return HOTP(secret, **otp_data) 107 | 108 | raise ValueError("Not a supported OTP type") 109 | -------------------------------------------------------------------------------- /src/pyotp/compat.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | # Use secrets module if available (Python version >= 3.6) per PEP 506 4 | if sys.version_info >= (3, 6): 5 | from secrets import SystemRandom 6 | else: 7 | from random import SystemRandom 8 | 9 | random = SystemRandom() 10 | -------------------------------------------------------------------------------- /src/pyotp/contrib/__init__.py: -------------------------------------------------------------------------------- 1 | from .steam import Steam # noqa:F401 2 | -------------------------------------------------------------------------------- /src/pyotp/contrib/steam.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | from typing import Optional 3 | 4 | from ..totp import TOTP 5 | 6 | STEAM_CHARS = "23456789BCDFGHJKMNPQRTVWXY" # steam's custom alphabet 7 | STEAM_DEFAULT_DIGITS = 5 # Steam TOTP code length 8 | 9 | 10 | class Steam(TOTP): 11 | """ 12 | Steam's custom TOTP. Subclass of `pyotp.totp.TOTP`. 13 | """ 14 | 15 | def __init__( 16 | self, s: str, name: Optional[str] = None, issuer: Optional[str] = None, interval: int = 30, digits: int = 5 17 | ) -> None: 18 | """ 19 | :param s: secret in base32 format 20 | :param interval: the time interval in seconds for OTP. This defaults to 30. 21 | :param name: account name 22 | :param issuer: issuer 23 | """ 24 | self.interval = interval 25 | super().__init__(s=s, digits=10, digest=hashlib.sha1, name=name, issuer=issuer) 26 | 27 | def generate_otp(self, input: int) -> str: 28 | """ 29 | :param input: the HMAC counter value to use as the OTP input. 30 | Usually either the counter, or the computed integer based on the Unix timestamp 31 | """ 32 | str_code = super().generate_otp(input) 33 | int_code = int(str_code) 34 | 35 | steam_code = "" 36 | total_chars = len(STEAM_CHARS) 37 | 38 | for _ in range(STEAM_DEFAULT_DIGITS): 39 | pos = int_code % total_chars 40 | char = STEAM_CHARS[int(pos)] 41 | steam_code += char 42 | int_code //= total_chars 43 | 44 | return steam_code 45 | -------------------------------------------------------------------------------- /src/pyotp/hotp.py: -------------------------------------------------------------------------------- 1 | import hashlib 2 | from typing import Any, Optional 3 | 4 | from . import utils 5 | from .otp import OTP 6 | 7 | 8 | class HOTP(OTP): 9 | """ 10 | Handler for HMAC-based OTP counters. 11 | """ 12 | 13 | def __init__( 14 | self, 15 | s: str, 16 | digits: int = 6, 17 | digest: Any = None, 18 | name: Optional[str] = None, 19 | issuer: Optional[str] = None, 20 | initial_count: int = 0, 21 | ) -> None: 22 | """ 23 | :param s: secret in base32 format 24 | :param initial_count: starting HMAC counter value, defaults to 0 25 | :param digits: number of integers in the OTP. Some apps expect this to be 6 digits, others support more. 26 | :param digest: digest function to use in the HMAC (expected to be SHA1) 27 | :param name: account name 28 | :param issuer: issuer 29 | """ 30 | if digest is None: 31 | digest = hashlib.sha1 32 | elif digest in [hashlib.md5, hashlib.shake_128]: 33 | raise ValueError("selected digest function must generate digest size greater than or equals to 18 bytes") 34 | 35 | self.initial_count = initial_count 36 | super().__init__(s=s, digits=digits, digest=digest, name=name, issuer=issuer) 37 | 38 | def at(self, count: int) -> str: 39 | """ 40 | Generates the OTP for the given count. 41 | 42 | :param count: the OTP HMAC counter 43 | :returns: OTP 44 | """ 45 | return self.generate_otp(self.initial_count + count) 46 | 47 | def verify(self, otp: str, counter: int) -> bool: 48 | """ 49 | Verifies the OTP passed in against the current counter OTP. 50 | 51 | :param otp: the OTP to check against 52 | :param counter: the OTP HMAC counter 53 | """ 54 | return utils.strings_equal(str(otp), str(self.at(counter))) 55 | 56 | def provisioning_uri( 57 | self, 58 | name: Optional[str] = None, 59 | initial_count: Optional[int] = None, 60 | issuer_name: Optional[str] = None, 61 | **kwargs, 62 | ) -> str: 63 | """ 64 | Returns the provisioning URI for the OTP. This can then be 65 | encoded in a QR Code and used to provision an OTP app like 66 | Google Authenticator. 67 | 68 | See also: 69 | https://github.com/google/google-authenticator/wiki/Key-Uri-Format 70 | 71 | :param name: name of the user account 72 | :param initial_count: starting HMAC counter value, defaults to 0 73 | :param issuer_name: the name of the OTP issuer; this will be the 74 | organization title of the OTP entry in Authenticator 75 | :returns: provisioning URI 76 | """ 77 | return utils.build_uri( 78 | self.secret, 79 | name=name if name else self.name, 80 | initial_count=initial_count if initial_count else self.initial_count, 81 | issuer=issuer_name if issuer_name else self.issuer, 82 | algorithm=self.digest().name, 83 | digits=self.digits, 84 | **kwargs, 85 | ) 86 | -------------------------------------------------------------------------------- /src/pyotp/otp.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import hashlib 3 | import hmac 4 | from typing import Any, Optional 5 | 6 | 7 | class OTP(object): 8 | """ 9 | Base class for OTP handlers. 10 | """ 11 | 12 | def __init__( 13 | self, 14 | s: str, 15 | digits: int = 6, 16 | digest: Any = hashlib.sha1, 17 | name: Optional[str] = None, 18 | issuer: Optional[str] = None, 19 | ) -> None: 20 | self.digits = digits 21 | if digits > 10: 22 | raise ValueError("digits must be no greater than 10") 23 | self.digest = digest 24 | if digest in [hashlib.md5, hashlib.shake_128]: 25 | raise ValueError("selected digest function must generate digest size greater than or equals to 18 bytes") 26 | self.secret = s 27 | self.name = name or "Secret" 28 | self.issuer = issuer 29 | 30 | def generate_otp(self, input: int) -> str: 31 | """ 32 | :param input: the HMAC counter value to use as the OTP input. 33 | Usually either the counter, or the computed integer based on the Unix timestamp 34 | """ 35 | if input < 0: 36 | raise ValueError("input must be positive integer") 37 | hasher = hmac.new(self.byte_secret(), self.int_to_bytestring(input), self.digest) 38 | if hasher.digest_size < 18: 39 | raise ValueError("digest size is lower than 18 bytes, which will trigger error on otp generation") 40 | hmac_hash = bytearray(hasher.digest()) 41 | offset = hmac_hash[-1] & 0xF 42 | code = ( 43 | (hmac_hash[offset] & 0x7F) << 24 44 | | (hmac_hash[offset + 1] & 0xFF) << 16 45 | | (hmac_hash[offset + 2] & 0xFF) << 8 46 | | (hmac_hash[offset + 3] & 0xFF) 47 | ) 48 | str_code = str(10_000_000_000 + (code % 10**self.digits)) 49 | return str_code[-self.digits :] 50 | 51 | def byte_secret(self) -> bytes: 52 | secret = self.secret 53 | missing_padding = len(secret) % 8 54 | if missing_padding != 0: 55 | secret += "=" * (8 - missing_padding) 56 | return base64.b32decode(secret, casefold=True) 57 | 58 | @staticmethod 59 | def int_to_bytestring(i: int, padding: int = 8) -> bytes: 60 | """ 61 | Turns an integer to the OATH specified 62 | bytestring, which is fed to the HMAC 63 | along with the secret 64 | """ 65 | result = bytearray() 66 | while i != 0: 67 | result.append(i & 0xFF) 68 | i >>= 8 69 | # It's necessary to convert the final result from bytearray to bytes 70 | # because the hmac functions in python 2.6 and 3.3 don't work with 71 | # bytearray 72 | return bytes(bytearray(reversed(result)).rjust(padding, b"\0")) 73 | -------------------------------------------------------------------------------- /src/pyotp/py.typed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pyauth/pyotp/2c152d4c695f5b19c23f22159852f8f0ab8576db/src/pyotp/py.typed -------------------------------------------------------------------------------- /src/pyotp/totp.py: -------------------------------------------------------------------------------- 1 | import calendar 2 | import datetime 3 | import hashlib 4 | import time 5 | from typing import Any, Optional, Union 6 | 7 | from . import utils 8 | from .otp import OTP 9 | 10 | 11 | class TOTP(OTP): 12 | """ 13 | Handler for time-based OTP counters. 14 | """ 15 | 16 | def __init__( 17 | self, 18 | s: str, 19 | digits: int = 6, 20 | digest: Any = None, 21 | name: Optional[str] = None, 22 | issuer: Optional[str] = None, 23 | interval: int = 30, 24 | ) -> None: 25 | """ 26 | :param s: secret in base32 format 27 | :param digits: number of integers in the OTP. Some apps expect this to be 6 digits, others support more. 28 | :param digest: digest function to use in the HMAC (expected to be SHA1) 29 | :param name: account name 30 | :param issuer: issuer 31 | :param interval: the time interval in seconds for OTP. This defaults to 30. 32 | """ 33 | if digest is None: 34 | digest = hashlib.sha1 35 | elif digest in [hashlib.md5, hashlib.shake_128]: 36 | raise ValueError("selected digest function must generate digest size greater than or equals to 18 bytes") 37 | 38 | self.interval = interval 39 | super().__init__(s=s, digits=digits, digest=digest, name=name, issuer=issuer) 40 | 41 | def at(self, for_time: Union[int, datetime.datetime], counter_offset: int = 0) -> str: 42 | """ 43 | Accepts either a Unix timestamp integer or a datetime object. 44 | 45 | To get the time until the next timecode change (seconds until the current OTP expires), use this instead: 46 | 47 | .. code:: python 48 | 49 | totp = pyotp.TOTP(...) 50 | time_remaining = totp.interval - datetime.datetime.now().timestamp() % totp.interval 51 | 52 | :param for_time: the time to generate an OTP for 53 | :param counter_offset: the amount of ticks to add to the time counter 54 | :returns: OTP value 55 | """ 56 | if not isinstance(for_time, datetime.datetime): 57 | for_time = datetime.datetime.fromtimestamp(int(for_time)) 58 | return self.generate_otp(self.timecode(for_time) + counter_offset) 59 | 60 | def now(self) -> str: 61 | """ 62 | Generate the current time OTP 63 | 64 | :returns: OTP value 65 | """ 66 | return self.generate_otp(self.timecode(datetime.datetime.now())) 67 | 68 | def verify(self, otp: str, for_time: Optional[datetime.datetime] = None, valid_window: int = 0) -> bool: 69 | """ 70 | Verifies the OTP passed in against the current time OTP. 71 | 72 | :param otp: the OTP to check against 73 | :param for_time: Time to check OTP at (defaults to now) 74 | :param valid_window: extends the validity to this many counter ticks before and after the current one 75 | :returns: True if verification succeeded, False otherwise 76 | """ 77 | if for_time is None: 78 | for_time = datetime.datetime.now() 79 | 80 | if valid_window: 81 | for i in range(-valid_window, valid_window + 1): 82 | if utils.strings_equal(str(otp), str(self.at(for_time, i))): 83 | return True 84 | return False 85 | 86 | return utils.strings_equal(str(otp), str(self.at(for_time))) 87 | 88 | def provisioning_uri(self, name: Optional[str] = None, issuer_name: Optional[str] = None, **kwargs) -> str: 89 | """ 90 | Returns the provisioning URI for the OTP. This can then be 91 | encoded in a QR Code and used to provision an OTP app like 92 | Google Authenticator. 93 | 94 | See also: 95 | https://github.com/google/google-authenticator/wiki/Key-Uri-Format 96 | 97 | """ 98 | return utils.build_uri( 99 | self.secret, 100 | name if name else self.name, 101 | issuer=issuer_name if issuer_name else self.issuer, 102 | algorithm=self.digest().name, 103 | digits=self.digits, 104 | period=self.interval, 105 | **kwargs, 106 | ) 107 | 108 | def timecode(self, for_time: datetime.datetime) -> int: 109 | """ 110 | Accepts either a timezone naive (`for_time.tzinfo is None`) or 111 | a timezone aware datetime as argument and returns the 112 | corresponding counter value (timecode). 113 | 114 | """ 115 | if for_time.tzinfo: 116 | return int(calendar.timegm(for_time.utctimetuple()) / self.interval) 117 | else: 118 | return int(time.mktime(for_time.timetuple()) / self.interval) 119 | -------------------------------------------------------------------------------- /src/pyotp/utils.py: -------------------------------------------------------------------------------- 1 | import unicodedata 2 | from hmac import compare_digest 3 | from typing import Dict, Optional, Union 4 | from urllib.parse import quote, urlencode, urlparse 5 | 6 | 7 | def build_uri( 8 | secret: str, 9 | name: str, 10 | initial_count: Optional[int] = None, 11 | issuer: Optional[str] = None, 12 | algorithm: Optional[str] = None, 13 | digits: Optional[int] = None, 14 | period: Optional[int] = None, 15 | **kwargs, 16 | ) -> str: 17 | """ 18 | Returns the provisioning URI for the OTP; works for either TOTP or HOTP. 19 | 20 | This can then be encoded in a QR Code and used to provision the Google 21 | Authenticator app. 22 | 23 | For module-internal use. 24 | 25 | See also: 26 | https://github.com/google/google-authenticator/wiki/Key-Uri-Format 27 | 28 | :param secret: the hotp/totp secret used to generate the URI 29 | :param name: name of the account 30 | :param initial_count: starting counter value, defaults to None. 31 | If none, the OTP type will be assumed as TOTP. 32 | :param issuer: the name of the OTP issuer; this will be the 33 | organization title of the OTP entry in Authenticator 34 | :param algorithm: the algorithm used in the OTP generation. 35 | :param digits: the length of the OTP generated code. 36 | :param period: the number of seconds the OTP generator is set to 37 | expire every code. 38 | :param kwargs: other query string parameters to include in the URI 39 | :returns: provisioning uri 40 | """ 41 | # initial_count may be 0 as a valid param 42 | is_initial_count_present = initial_count is not None 43 | 44 | # Handling values different from defaults 45 | is_algorithm_set = algorithm is not None and algorithm != "sha1" 46 | is_digits_set = digits is not None and digits != 6 47 | is_period_set = period is not None and period != 30 48 | 49 | otp_type = "hotp" if is_initial_count_present else "totp" 50 | base_uri = "otpauth://{0}/{1}?{2}" 51 | 52 | url_args: Dict[str, Union[None, int, str]] = {"secret": secret} 53 | 54 | label = quote(name) 55 | if issuer is not None: 56 | label = quote(issuer) + ":" + label 57 | url_args["issuer"] = issuer 58 | 59 | if is_initial_count_present: 60 | url_args["counter"] = initial_count 61 | if is_algorithm_set: 62 | url_args["algorithm"] = algorithm.upper() # type: ignore 63 | if is_digits_set: 64 | url_args["digits"] = digits 65 | if is_period_set: 66 | url_args["period"] = period 67 | for k, v in kwargs.items(): 68 | if not isinstance(v, str): 69 | raise ValueError("All otpauth uri parameters must be strings") 70 | if k == "image": 71 | image_uri = urlparse(v) 72 | if image_uri.scheme != "https" or not image_uri.netloc or not image_uri.path: 73 | raise ValueError("{} is not a valid url".format(image_uri)) 74 | url_args[k] = v 75 | 76 | uri = base_uri.format(otp_type, label, urlencode(url_args).replace("+", "%20")) 77 | return uri 78 | 79 | 80 | def strings_equal(s1: str, s2: str) -> bool: 81 | """ 82 | Timing-attack resistant string comparison. 83 | 84 | Normal comparison using == will short-circuit on the first mismatching 85 | character. This avoids that by scanning the whole string, though we 86 | still reveal to a timing attack whether the strings are the same 87 | length. 88 | """ 89 | s1 = unicodedata.normalize("NFKC", s1) 90 | s2 = unicodedata.normalize("NFKC", s2) 91 | return compare_digest(s1.encode("utf-8"), s2.encode("utf-8")) 92 | -------------------------------------------------------------------------------- /test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import base64 4 | import datetime 5 | import hashlib 6 | import os 7 | import sys 8 | import unittest 9 | from urllib.parse import parse_qsl, urlparse 10 | from warnings import warn 11 | 12 | sys.path.insert(0, os.path.join(os.path.dirname(__file__), "src")) 13 | import pyotp # noqa 14 | 15 | 16 | class HOTPExampleValuesFromTheRFC(unittest.TestCase): 17 | def test_match_rfc(self): 18 | # 12345678901234567890 in Bas32 19 | # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ 20 | hotp = pyotp.HOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") 21 | self.assertEqual(hotp.at(0), "755224") 22 | self.assertEqual(hotp.at(1), "287082") 23 | self.assertEqual(hotp.at(2), "359152") 24 | self.assertEqual(hotp.at(3), "969429") 25 | self.assertEqual(hotp.at(4), "338314") 26 | self.assertEqual(hotp.at(5), "254676") 27 | self.assertEqual(hotp.at(6), "287922") 28 | self.assertEqual(hotp.at(7), "162583") 29 | self.assertEqual(hotp.at(8), "399871") 30 | self.assertEqual(hotp.at(9), "520489") 31 | 32 | def test_invalid_input(self): 33 | hotp = pyotp.HOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") 34 | with self.assertRaises(ValueError): 35 | hotp.at(-1) 36 | 37 | def test_verify_otp_reuse(self): 38 | hotp = pyotp.HOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") 39 | self.assertTrue(hotp.verify("520489", 9)) 40 | self.assertFalse(hotp.verify("520489", 10)) 41 | self.assertFalse(hotp.verify("520489", 10)) 42 | 43 | def test_provisioning_uri(self): 44 | hotp = pyotp.HOTP("wrn3pqx5uqxqvnqr", name="mark@percival") 45 | 46 | url = urlparse(hotp.provisioning_uri()) 47 | self.assertEqual(url.scheme, "otpauth") 48 | self.assertEqual(url.netloc, "hotp") 49 | self.assertEqual(url.path, "/mark%40percival") 50 | self.assertEqual(dict(parse_qsl(url.query)), {"secret": "wrn3pqx5uqxqvnqr", "counter": "0"}) 51 | self.assertEqual(hotp.provisioning_uri(), pyotp.parse_uri(hotp.provisioning_uri()).provisioning_uri()) 52 | 53 | hotp = pyotp.HOTP("wrn3pqx5uqxqvnqr", name="mark@percival", initial_count=12) 54 | url = urlparse(hotp.provisioning_uri()) 55 | self.assertEqual(url.scheme, "otpauth") 56 | self.assertEqual(url.netloc, "hotp") 57 | self.assertEqual(url.path, "/mark%40percival") 58 | self.assertEqual(dict(parse_qsl(url.query)), {"secret": "wrn3pqx5uqxqvnqr", "counter": "12"}) 59 | self.assertEqual(hotp.provisioning_uri(), pyotp.parse_uri(hotp.provisioning_uri()).provisioning_uri()) 60 | 61 | hotp = pyotp.HOTP("wrn3pqx5uqxqvnqr", name="mark@percival", issuer="FooCorp!") 62 | url = urlparse(hotp.provisioning_uri()) 63 | self.assertEqual(url.scheme, "otpauth") 64 | self.assertEqual(url.netloc, "hotp") 65 | self.assertEqual(url.path, "/FooCorp%21:mark%40percival") 66 | self.assertEqual( 67 | dict(parse_qsl(url.query)), {"secret": "wrn3pqx5uqxqvnqr", "counter": "0", "issuer": "FooCorp!"} 68 | ) 69 | self.assertEqual(hotp.provisioning_uri(), pyotp.parse_uri(hotp.provisioning_uri()).provisioning_uri()) 70 | 71 | key = "c7uxuqhgflpw7oruedmglbrk7u6242vb" 72 | hotp = pyotp.HOTP(key, digits=8, digest=hashlib.sha256, name="baco@peperina", issuer="FooCorp") 73 | url = urlparse(hotp.provisioning_uri()) 74 | self.assertEqual(url.scheme, "otpauth") 75 | self.assertEqual(url.netloc, "hotp") 76 | self.assertEqual(url.path, "/FooCorp:baco%40peperina") 77 | self.assertEqual( 78 | dict(parse_qsl(url.query)), 79 | { 80 | "secret": "c7uxuqhgflpw7oruedmglbrk7u6242vb", 81 | "counter": "0", 82 | "issuer": "FooCorp", 83 | "digits": "8", 84 | "algorithm": "SHA256", 85 | }, 86 | ) 87 | self.assertEqual(hotp.provisioning_uri(), pyotp.parse_uri(hotp.provisioning_uri()).provisioning_uri()) 88 | 89 | hotp = pyotp.HOTP(key, digits=8, name="baco@peperina", issuer="Foo Corp", initial_count=10) 90 | url = urlparse(hotp.provisioning_uri()) 91 | self.assertEqual(url.scheme, "otpauth") 92 | self.assertEqual(url.netloc, "hotp") 93 | self.assertEqual(url.path, "/Foo%20Corp:baco%40peperina") 94 | self.assertEqual( 95 | dict(parse_qsl(url.query)), 96 | {"secret": "c7uxuqhgflpw7oruedmglbrk7u6242vb", "counter": "10", "issuer": "Foo Corp", "digits": "8"}, 97 | ) 98 | self.assertEqual(hotp.provisioning_uri(), pyotp.parse_uri(hotp.provisioning_uri()).provisioning_uri()) 99 | 100 | code = pyotp.totp.TOTP("S46SQCPPTCNPROMHWYBDCTBZXV") 101 | self.assertEqual(code.provisioning_uri(), "otpauth://totp/Secret?secret=S46SQCPPTCNPROMHWYBDCTBZXV") 102 | code.verify("123456") 103 | self.assertEqual(code.provisioning_uri(), "otpauth://totp/Secret?secret=S46SQCPPTCNPROMHWYBDCTBZXV") 104 | 105 | def test_other_secret(self): 106 | hotp = pyotp.HOTP("N3OVNIBRERIO5OHGVCMDGS4V4RJ3AUZOUN34J6FRM4P6JIFCG3ZA") 107 | self.assertEqual(hotp.at(0), "737863") 108 | self.assertEqual(hotp.at(1), "390601") 109 | self.assertEqual(hotp.at(2), "363354") 110 | self.assertEqual(hotp.at(3), "936780") 111 | self.assertEqual(hotp.at(4), "654019") 112 | 113 | 114 | class TOTPExampleValuesFromTheRFC(unittest.TestCase): 115 | RFC_VALUES = { 116 | (hashlib.sha1, b"12345678901234567890"): ( 117 | (59, "94287082"), 118 | (1111111109, "07081804"), 119 | (1111111111, "14050471"), 120 | (1234567890, "89005924"), 121 | (2000000000, "69279037"), 122 | (20000000000, "65353130"), 123 | ), 124 | (hashlib.sha256, b"12345678901234567890123456789012"): ( 125 | (59, 46119246), 126 | (1111111109, "68084774"), 127 | (1111111111, "67062674"), 128 | (1234567890, "91819424"), 129 | (2000000000, "90698825"), 130 | (20000000000, "77737706"), 131 | ), 132 | (hashlib.sha512, b"1234567890123456789012345678901234567890123456789012345678901234"): ( 133 | (59, 90693936), 134 | (1111111109, "25091201"), 135 | (1111111111, "99943326"), 136 | (1234567890, "93441116"), 137 | (2000000000, "38618901"), 138 | (20000000000, "47863826"), 139 | ), 140 | } 141 | 142 | def test_match_rfc(self): 143 | for digest, secret in self.RFC_VALUES: 144 | totp = pyotp.TOTP(base64.b32encode(secret), 8, digest) 145 | for utime, code in self.RFC_VALUES[(digest, secret)]: 146 | if utime > sys.maxsize: 147 | warn( 148 | "32-bit platforms use native functions to handle timestamps, so they fail this test" 149 | + " (and will fail after 19 January 2038)" 150 | ) 151 | continue 152 | value = totp.at(utime) 153 | msg = "%s != %s (%s, time=%d)" 154 | msg %= (value, code, digest().name, utime) 155 | self.assertEqual(value, str(code), msg) 156 | 157 | def test_match_rfc_digit_length(self): 158 | totp = pyotp.TOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") 159 | self.assertEqual(totp.at(1111111111), "050471") 160 | self.assertEqual(totp.at(1234567890), "005924") 161 | self.assertEqual(totp.at(2000000000), "279037") 162 | 163 | def test_match_google_authenticator_output(self): 164 | totp = pyotp.TOTP("wrn3pqx5uqxqvnqr") 165 | with Timecop(1297553958): 166 | self.assertEqual(totp.now(), "102705") 167 | 168 | def test_validate_totp(self): 169 | totp = pyotp.TOTP("wrn3pqx5uqxqvnqr") 170 | with Timecop(1297553958): 171 | self.assertTrue(totp.verify("102705")) 172 | self.assertTrue(totp.verify("102705")) 173 | with Timecop(1297553958 + 30): 174 | self.assertFalse(totp.verify("102705")) 175 | 176 | def test_input_before_epoch(self): 177 | totp = pyotp.TOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") 178 | # -1 and -29.5 round down to 0 (epoch) 179 | self.assertEqual(totp.at(-1), "755224") 180 | self.assertEqual(totp.at(-29.5), "755224") 181 | with self.assertRaises(ValueError): 182 | totp.at(-30) 183 | 184 | def test_validate_totp_with_digit_length(self): 185 | totp = pyotp.TOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") 186 | with Timecop(1111111111): 187 | self.assertTrue(totp.verify("050471")) 188 | with Timecop(1297553958 + 30): 189 | self.assertFalse(totp.verify("050471")) 190 | 191 | def test_provisioning_uri(self): 192 | totp = pyotp.TOTP("wrn3pqx5uqxqvnqr", name="mark@percival") 193 | url = urlparse(totp.provisioning_uri()) 194 | self.assertEqual(url.scheme, "otpauth") 195 | self.assertEqual(url.netloc, "totp") 196 | self.assertEqual(url.path, "/mark%40percival") 197 | self.assertEqual(dict(parse_qsl(url.query)), {"secret": "wrn3pqx5uqxqvnqr"}) 198 | self.assertEqual(totp.provisioning_uri(), pyotp.parse_uri(totp.provisioning_uri()).provisioning_uri()) 199 | 200 | totp = pyotp.TOTP("wrn3pqx5uqxqvnqr", name="mark@percival", issuer="FooCorp!") 201 | url = urlparse(totp.provisioning_uri()) 202 | self.assertEqual(url.scheme, "otpauth") 203 | self.assertEqual(url.netloc, "totp") 204 | self.assertEqual(url.path, "/FooCorp%21:mark%40percival") 205 | self.assertEqual(dict(parse_qsl(url.query)), {"secret": "wrn3pqx5uqxqvnqr", "issuer": "FooCorp!"}) 206 | self.assertEqual(totp.provisioning_uri(), pyotp.parse_uri(totp.provisioning_uri()).provisioning_uri()) 207 | 208 | key = "c7uxuqhgflpw7oruedmglbrk7u6242vb" 209 | totp = pyotp.TOTP(key, digits=8, interval=60, digest=hashlib.sha256, name="baco@peperina", issuer="FooCorp") 210 | url = urlparse(totp.provisioning_uri()) 211 | self.assertEqual(url.scheme, "otpauth") 212 | self.assertEqual(url.netloc, "totp") 213 | self.assertEqual(url.path, "/FooCorp:baco%40peperina") 214 | self.assertEqual( 215 | dict(parse_qsl(url.query)), 216 | { 217 | "secret": "c7uxuqhgflpw7oruedmglbrk7u6242vb", 218 | "issuer": "FooCorp", 219 | "digits": "8", 220 | "period": "60", 221 | "algorithm": "SHA256", 222 | }, 223 | ) 224 | self.assertEqual(totp.provisioning_uri(), pyotp.parse_uri(totp.provisioning_uri()).provisioning_uri()) 225 | 226 | totp = pyotp.TOTP(key, digits=8, interval=60, name="baco@peperina", issuer="FooCorp") 227 | url = urlparse(totp.provisioning_uri()) 228 | self.assertEqual(url.scheme, "otpauth") 229 | self.assertEqual(url.netloc, "totp") 230 | self.assertEqual(url.path, "/FooCorp:baco%40peperina") 231 | self.assertEqual( 232 | dict(parse_qsl(url.query)), 233 | {"secret": "c7uxuqhgflpw7oruedmglbrk7u6242vb", "issuer": "FooCorp", "digits": "8", "period": "60"}, 234 | ) 235 | self.assertEqual(totp.provisioning_uri(), pyotp.parse_uri(totp.provisioning_uri()).provisioning_uri()) 236 | 237 | totp = pyotp.TOTP(key, digits=8, name="baco@peperina", issuer="FooCorp") 238 | url = urlparse(totp.provisioning_uri()) 239 | self.assertEqual(url.scheme, "otpauth") 240 | self.assertEqual(url.netloc, "totp") 241 | self.assertEqual(url.path, "/FooCorp:baco%40peperina") 242 | self.assertEqual( 243 | dict(parse_qsl(url.query)), 244 | {"secret": "c7uxuqhgflpw7oruedmglbrk7u6242vb", "issuer": "FooCorp", "digits": "8"}, 245 | ) 246 | self.assertEqual(totp.provisioning_uri(), pyotp.parse_uri(totp.provisioning_uri()).provisioning_uri()) 247 | 248 | def test_random_key_generation(self): 249 | self.assertEqual(len(pyotp.random_base32()), 32) 250 | self.assertEqual(len(pyotp.random_base32(length=34)), 34) 251 | self.assertEqual(len(pyotp.random_hex()), 40) 252 | self.assertEqual(len(pyotp.random_hex(length=42)), 42) 253 | with self.assertRaises(ValueError): 254 | pyotp.random_base32(length=31) 255 | with self.assertRaises(ValueError): 256 | pyotp.random_hex(length=39) 257 | 258 | 259 | class SteamTOTP(unittest.TestCase): 260 | def test_match_examples(self): 261 | steam = pyotp.contrib.Steam("BASE32SECRET3232") 262 | 263 | self.assertEqual(steam.at(0), "2TC8B") 264 | self.assertEqual(steam.at(30), "YKKK4") 265 | self.assertEqual(steam.at(60), "M4HQB") 266 | self.assertEqual(steam.at(90), "DTVB3") 267 | 268 | steam = pyotp.contrib.Steam("FMXNK4QEGKVPULRTADY6JIDK5VHUBGZW") 269 | 270 | self.assertEqual(steam.at(0), "C5V56") 271 | self.assertEqual(steam.at(30), "QJY8Y") 272 | self.assertEqual(steam.at(60), "R3WQY") 273 | self.assertEqual(steam.at(90), "JG3T3") 274 | 275 | def test_verify(self): 276 | steam = pyotp.contrib.Steam("BASE32SECRET3232") 277 | with Timecop(1662883100): 278 | self.assertTrue(steam.verify("N3G63")) 279 | with Timecop(1662883100 + 30): 280 | self.assertFalse(steam.verify("N3G63")) 281 | 282 | with Timecop(946681223): 283 | self.assertTrue(steam.verify("7VP3X")) 284 | with Timecop(946681223 + 30): 285 | self.assertFalse(steam.verify("7VP3X")) 286 | 287 | steam = pyotp.contrib.Steam("FMXNK4QEGKVPULRTADY6JIDK5VHUBGZW") 288 | with Timecop(1662884261): 289 | self.assertTrue(steam.verify("V6WKJ")) 290 | with Timecop(1662884261 + 30): 291 | self.assertFalse(steam.verify("V6WKJ")) 292 | 293 | with Timecop(946681223): 294 | self.assertTrue(steam.verify("4MK54")) 295 | with Timecop(946681223 + 30): 296 | self.assertFalse(steam.verify("4MK54")) 297 | 298 | 299 | class CompareDigestTest(unittest.TestCase): 300 | method = staticmethod(pyotp.utils.compare_digest) 301 | 302 | def test_comparisons(self): 303 | self.assertTrue(self.method("", "")) 304 | self.assertTrue(self.method("a", "a")) 305 | self.assertTrue(self.method("a" * 1000, "a" * 1000)) 306 | 307 | self.assertFalse(self.method("", "a")) 308 | self.assertFalse(self.method("a", "")) 309 | self.assertFalse(self.method("a" * 999 + "b", "a" * 1000)) 310 | 311 | 312 | class StringComparisonTest(CompareDigestTest): 313 | method = staticmethod(pyotp.utils.strings_equal) 314 | 315 | def test_fullwidth_input(self): 316 | self.assertTrue(self.method("xs12345", "xs12345")) 317 | 318 | def test_unicode_equal(self): 319 | self.assertTrue(self.method("ěšč45", "ěšč45")) 320 | 321 | 322 | class CounterOffsetTest(unittest.TestCase): 323 | def test_counter_offset(self): 324 | totp = pyotp.TOTP("ABCDEFGH") 325 | self.assertEqual(totp.at(200), "028307") 326 | self.assertTrue(totp.at(200, 1), "681610") 327 | 328 | 329 | class ValidWindowTest(unittest.TestCase): 330 | def test_valid_window(self): 331 | totp = pyotp.TOTP("ABCDEFGH") 332 | self.assertTrue(totp.verify("451564", 200, 1)) 333 | self.assertTrue(totp.verify("028307", 200, 1)) 334 | self.assertTrue(totp.verify("681610", 200, 1)) 335 | self.assertFalse(totp.verify("195979", 200, 1)) 336 | 337 | 338 | class DigestFunctionTest(unittest.TestCase): 339 | def test_md5(self): 340 | with self.assertRaises(ValueError) as cm: 341 | pyotp.OTP(s="secret", digest=hashlib.md5) 342 | self.assertEqual( 343 | "selected digest function must generate digest size greater than or equals to 18 bytes", str(cm.exception) 344 | ) 345 | 346 | def test_shake128(self): 347 | with self.assertRaises(ValueError) as cm: 348 | pyotp.OTP(s="secret", digest=hashlib.shake_128) 349 | self.assertEqual( 350 | "selected digest function must generate digest size greater than or equals to 18 bytes", str(cm.exception) 351 | ) 352 | 353 | 354 | class ParseUriTest(unittest.TestCase): 355 | def test_invalids(self): 356 | with self.assertRaises(ValueError) as cm: 357 | pyotp.parse_uri("http://hello.com") 358 | self.assertEqual("Not an otpauth URI", str(cm.exception)) 359 | 360 | with self.assertRaises(ValueError) as cm: 361 | pyotp.parse_uri("otpauth://totp") 362 | self.assertEqual("No secret found in URI", str(cm.exception)) 363 | 364 | with self.assertRaises(ValueError) as cm: 365 | pyotp.parse_uri("otpauth://derp?secret=foo") 366 | self.assertEqual("Not a supported OTP type", str(cm.exception)) 367 | 368 | with self.assertRaises(ValueError) as cm: 369 | pyotp.parse_uri("otpauth://totp?digits=-1") 370 | self.assertEqual("Digits may only be 6, 7, or 8", str(cm.exception)) 371 | 372 | with self.assertRaises(ValueError) as cm: 373 | pyotp.parse_uri("otpauth://totp/SomeIssuer:?issuer=AnotherIssuer") 374 | self.assertEqual("If issuer is specified in both label and parameters, it should be equal.", str(cm.exception)) 375 | 376 | with self.assertRaises(ValueError) as cm: 377 | pyotp.parse_uri("otpauth://totp?algorithm=aes") 378 | self.assertEqual("Invalid value for algorithm, must be SHA1, SHA256 or SHA512", str(cm.exception)) 379 | 380 | def test_parse_steam(self): 381 | otp = pyotp.parse_uri("otpauth://totp/Steam:?secret=SOME_SECRET&encoder=steam") 382 | self.assertEqual(type(otp), pyotp.contrib.Steam) 383 | 384 | otp = pyotp.parse_uri("otpauth://totp/Steam:?secret=SOME_SECRET") 385 | self.assertNotEqual(type(otp), pyotp.contrib.Steam) 386 | 387 | @unittest.skipIf(sys.version_info < (3, 6), "Skipping test that requires deterministic dict key enumeration") 388 | def test_algorithms(self): 389 | otp = pyotp.parse_uri("otpauth://totp?algorithm=SHA1&secret=GEZDGNBV&algorithm=SHA1") 390 | self.assertEqual(hashlib.sha1, otp.digest) 391 | self.assertEqual(otp.at(0), "734055") 392 | self.assertEqual(otp.at(30), "662488") 393 | self.assertEqual(otp.at(60), "289363") 394 | self.assertEqual(otp.provisioning_uri(), "otpauth://totp/Secret?secret=GEZDGNBV") 395 | self.assertEqual(otp.provisioning_uri(name="n", issuer_name="i"), "otpauth://totp/i:n?secret=GEZDGNBV&issuer=i") 396 | 397 | otp = pyotp.parse_uri("otpauth://totp?algorithm=SHA1&secret=GEZDGNBV&algorithm=SHA1&period=60") 398 | self.assertEqual(hashlib.sha1, otp.digest) 399 | self.assertEqual(otp.at(30), "734055") 400 | self.assertEqual(otp.at(60), "662488") 401 | self.assertEqual( 402 | otp.provisioning_uri(name="n", issuer_name="i"), "otpauth://totp/i:n?secret=GEZDGNBV&issuer=i&period=60" 403 | ) 404 | 405 | otp = pyotp.parse_uri("otpauth://hotp?algorithm=SHA1&secret=GEZDGNBV&algorithm=SHA1") 406 | self.assertEqual(hashlib.sha1, otp.digest) 407 | self.assertEqual(otp.at(0), "734055") 408 | self.assertEqual(otp.at(1), "662488") 409 | self.assertEqual(otp.at(2), "289363") 410 | self.assertEqual( 411 | otp.provisioning_uri(name="n", issuer_name="i"), "otpauth://hotp/i:n?secret=GEZDGNBV&issuer=i&counter=0" 412 | ) 413 | 414 | otp = pyotp.parse_uri("otpauth://hotp?algorithm=SHA1&secret=GEZDGNBV&algorithm=SHA1&counter=1") 415 | self.assertEqual(hashlib.sha1, otp.digest) 416 | self.assertEqual(otp.at(0), "662488") 417 | self.assertEqual(otp.at(1), "289363") 418 | self.assertEqual( 419 | otp.provisioning_uri(name="n", issuer_name="i"), "otpauth://hotp/i:n?secret=GEZDGNBV&issuer=i&counter=1" 420 | ) 421 | 422 | otp = pyotp.parse_uri("otpauth://totp?algorithm=SHA1&secret=GEZDGNBV&algorithm=SHA256") 423 | self.assertEqual(hashlib.sha256, otp.digest) 424 | self.assertEqual(otp.at(0), "918961") 425 | self.assertEqual(otp.at(9000), "934470") 426 | 427 | otp = pyotp.parse_uri("otpauth://totp?algorithm=SHA1&secret=GEZDGNBV&algorithm=SHA512") 428 | self.assertEqual(hashlib.sha512, otp.digest) 429 | self.assertEqual(otp.at(0), "816660") 430 | self.assertEqual(otp.at(9000), "524153") 431 | 432 | self.assertEqual( 433 | otp.provisioning_uri(name="n", issuer_name="i", image="https://test.net/test.png"), 434 | "otpauth://totp/i:n?secret=GEZDGNBV&issuer=i&algorithm=SHA512&image=https%3A%2F%2Ftest.net%2Ftest.png", 435 | ) 436 | with self.assertRaises(ValueError): 437 | otp.provisioning_uri(name="n", issuer_name="i", image="nourl") 438 | 439 | otp = pyotp.parse_uri(otp.provisioning_uri(name="n", issuer_name="i", image="https://test.net/test.png")) 440 | self.assertEqual(hashlib.sha512, otp.digest) 441 | 442 | otp = pyotp.parse_uri("otpauth://totp/Steam:?secret=FMXNK4QEGKVPULRTADY6JIDK5VHUBGZW&encoder=steam") 443 | self.assertEqual(type(otp), pyotp.contrib.Steam) 444 | self.assertEqual(otp.at(0), "C5V56") 445 | self.assertEqual(otp.at(30), "QJY8Y") 446 | self.assertEqual(otp.at(60), "R3WQY") 447 | self.assertEqual(otp.at(90), "JG3T3") 448 | 449 | # period and digits should be ignored 450 | otp = pyotp.parse_uri( 451 | "otpauth://totp/Steam:?secret=FMXNK4QEGKVPULRTADY6JIDK5VHUBGZW&period=15&digits=7&encoder=steam" 452 | ) 453 | self.assertEqual(type(otp), pyotp.contrib.Steam) 454 | self.assertEqual(otp.at(0), "C5V56") 455 | self.assertEqual(otp.at(30), "QJY8Y") 456 | self.assertEqual(otp.at(60), "R3WQY") 457 | self.assertEqual(otp.at(90), "JG3T3") 458 | 459 | pyotp.parse_uri("otpauth://totp?secret=abc&image=foobar") 460 | 461 | 462 | class Timecop(object): 463 | """ 464 | Half-assed clone of timecop.rb, just enough to pass our tests. 465 | """ 466 | 467 | def __init__(self, freeze_timestamp): 468 | self.freeze_timestamp = freeze_timestamp 469 | 470 | def __enter__(self): 471 | self.real_datetime = datetime.datetime 472 | datetime.datetime = self.frozen_datetime() 473 | 474 | def __exit__(self, type, value, traceback): 475 | datetime.datetime = self.real_datetime 476 | 477 | def frozen_datetime(self): 478 | class FrozenDateTime(datetime.datetime): 479 | @classmethod 480 | def now(cls, **kwargs): 481 | return cls.fromtimestamp(timecop.freeze_timestamp) 482 | 483 | timecop = self 484 | return FrozenDateTime 485 | 486 | 487 | if __name__ == "__main__": 488 | unittest.main() 489 | --------------------------------------------------------------------------------