TimeBasedOtpAuthn

e0454dee · MaxKey · 7d5ad8ba · e0454dee · e0454dee · e0454dee
3 changed file
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
@@ -25,7 +25,6 @@ import org.maxkey.authn.realm.AbstractAuthenticationRealm;
 import org.maxkey.authn.support.rememberme.AbstractRemeberMeService;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstantsLoginType;
-import org.maxkey.crypto.password.PasswordReciprocal;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.password.onetimepwd.AbstractOtpAuthn;
 import org.maxkey.web.WebConstants;
@@ -222,9 +221,7 @@ public abstract class AbstractAuthenticationProvider {
        if (applicationConfig.getLoginConfig().isMfa() && authType.equalsIgnoreCase("tfa")) {
            UserInfo validUserInfo = new UserInfo();
            validUserInfo.setUsername(userInfo.getUsername());
-            String sharedSecret = 
-                    PasswordReciprocal.getInstance().decoder(userInfo.getSharedSecret());
-            validUserInfo.setSharedSecret(sharedSecret);
+            validUserInfo.setSharedSecret(userInfo.getSharedSecret());
            validUserInfo.setSharedCounter(userInfo.getSharedCounter());
            validUserInfo.setId(userInfo.getId());
            if (otpCaptcha == null || !tfaOtpAuthn.validate(validUserInfo, otpCaptcha)) {

--- a/maxkey-authentications/maxkey-authentication-otp/src/main/java/org/maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java
+++ b/maxkey-authentications/maxkey-authentication-otp/src/main/java/org/maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java
@@ -23,6 +23,7 @@ import java.util.Date;
 import java.util.TimeZone;
 import org.apache.commons.codec.binary.Hex;
 import org.maxkey.crypto.Base32Utils;
+import org.maxkey.crypto.password.PasswordReciprocal;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.password.onetimepwd.AbstractOtpAuthn;
 import org.maxkey.password.onetimepwd.algorithm.TimeBasedOTP;
@@ -46,7 +47,9 @@ public class TimeBasedOtpAuthn extends AbstractOtpAuthn {
    public boolean validate(UserInfo userInfo, String token) {
        _logger.debug("utcTime : " + dateFormat.format(new Date()));
        long currentTimeSeconds = System.currentTimeMillis() / 1000;
-        byte[] byteSharedSecret = Base32Utils.decode(userInfo.getSharedSecret());
+        String sharedSecret = 
+                PasswordReciprocal.getInstance().decoder(userInfo.getSharedSecret());
+        byte[] byteSharedSecret = Base32Utils.decode(sharedSecret);
        String hexSharedSecret = Hex.encodeHexString(byteSharedSecret);
        String timeBasedToken = "";
        if (crypto.equalsIgnoreCase("HmacSHA1")) {

--- a/maxkey-web-manage/src/main/java/org/maxkey/web/api/endpoint/RestTimeBasedOtpController.java
+++ b/maxkey-web-manage/src/main/java/org/maxkey/web/api/endpoint/RestTimeBasedOtpController.java
@@ -52,10 +52,6 @@ public class RestTimeBasedOtpController {
    	
    	UserInfo validUserInfo = userInfoService.loadByUsername(username);
    	if(validUserInfo != null) {
-    		 String sharedSecret = 
-                     PasswordReciprocal.getInstance().decoder(validUserInfo.getSharedSecret());
-             validUserInfo.setSharedSecret(sharedSecret);
-             validUserInfo.setSharedCounter(validUserInfo.getSharedCounter());
    		if(timeBasedOtpAuthn.validate(validUserInfo, token)) {
    			return true;
    		}