如何使用具有正确 Headers 和 SHA512 哈希令牌的节点生成正确的 TOTP?
How do I generate the correct TOTP with Node with correct Headers and SHA512 hashed Token?
我最近分配的一个学校项目有一个编码挑战,我们必须完成。挑战有多个部分,最后一部分是上传到私有 GitHub 存储库并通过在特定条件下发出 POST 请求来提交完成请求。
我已成功完成挑战的其他部分,但无法提交请求。提交必须遵循以下规则:
Build your solution request
First, construct a JSON string like below:
{
"github_url": "https://github.com/YOUR_ACCOUNT/GITHUB_REPOSITORY",
"contact_email": "YOUR_EMAIL"
}
Fill in your email address for YOUR_EMAIL, and the private Github repository with your solution in YOUR_ACCOUNT/GITHUB_REPOSITORY.
Then, make an HTTP POST request to the following URL with the JSON string as the body part.
CHALLENGE_URL
Content type
The Content-Type: of the request must be application/json.
Authorization
The URL is protected by HTTP Basic Authentication, which is explained on Chapter 2 of RFC2617, so you have to provide an Authorization: header field in your POST request.
- For the userid of HTTP Basic Authentication, use the same email address you put in the JSON string.
- For the password , provide a 10-digit time-based one time password conforming to RFC6238
TOTP.
Authorization password
For generating the TOTP password, you will need to use the following setup:
- You have to generate a correct TOTP password according to RFC6238
- TOTP's
Time Step X is 30 seconds. T0 is 0.
- Use
HMAC-SHA-512 for the hash function, instead of the default HMAC-SHA-1.
- Token shared secret is the userid followed by ASCII string value
"APICHALLENGE" (not including double quotations).
Shared secret examples
For example, if the userid is "email@example.com", the token shared secret is "email@example.comAPICHALLENGE" (without quotes).
If your POST request succeeds, the server returns HTTP status code 200 .
我已经尝试非常仔细地遵循这个大纲,并以不同的方式测试我的工作。但是,似乎我做对了。我们应该从 Node 服务器后端发出请求。这是我到目前为止所做的。我使用 npm init 创建了一个新的 npm 项目并安装了您将在下面的代码中看到的依赖项:
const axios = require('axios');
const base64 = require('base-64');
const utf8 = require('utf8');
const { totp } = require('otplib');
const reqJSON =
{
github_url: GITHUB_URL,
contact_email: MY_EMAIL
}
const stringData = JSON.stringify(reqJSON);
const URL = CHALLENGE_URL;
const sharedSecret = reqJSON.contact_email + "APICHALLENGE";
totp.options = { digits: 10, algorithm: "sha512" }
const myTotp = totp.generate(sharedSecret);
const isValid = totp.check(myTotp, sharedSecret);
console.log("Token Info:", {myTotp, isValid});
const authStringUTF = reqJSON.contact_email + ":" + myTotp;
const bytes = utf8.encode(authStringUTF);
const encoded = base64.encode(bytes);
const createReq = async () =>
{
try
{
// set the headers
const config = {
headers: {
'Content-Type': 'application/json',
"Authorization": "Basic " + encoded
}
};
console.log("Making req", {URL, reqJSON, config});
const res = await axios.post(URL, stringData, config);
console.log(res.data);
}
catch (err)
{
console.error(err.response.data);
}
};
createReq();
据我了解,我不确定我在哪里犯了错误。在理解这些要求时,我已尽力做到非常小心。我已经简要查看了挑战概述的所有文档,并收集了在给定条件下正确生成 TOTP 所需的必要要求。
我发现 npm 包 otplib 可以通过我传入的选项满足这些要求。
但是,我的解决方案是不正确的。当我尝试提交解决方案时,收到错误消息 "Invalid token, wrong code"。有人可以帮我看看我做错了什么吗?
我真的不希望我所有的努力都白费,因为这是一个漫长的项目。
非常感谢您抽出宝贵时间来帮助解决这个问题。非常感谢。
软件包 otplib 的自述文件指出:
// TOTP defaults
{
// ...includes all HOTP defaults
createHmacKey: totpCreateHmacKey,
epoch: Date.now(),
step: 30,
window: 0,
}
所以 epoch (T0) 的默认值是 Date.now(),这是 RFC 标准。任务描述定义 T0 是 0.
您需要将 epoch 的默认值更改为 0:
totp.options = { digits: 10, algorithm: "sha512", epoch: 0 }
我最近分配的一个学校项目有一个编码挑战,我们必须完成。挑战有多个部分,最后一部分是上传到私有 GitHub 存储库并通过在特定条件下发出 POST 请求来提交完成请求。
我已成功完成挑战的其他部分,但无法提交请求。提交必须遵循以下规则:
Build your solution request
First, construct a JSON string like below:
{
"github_url": "https://github.com/YOUR_ACCOUNT/GITHUB_REPOSITORY",
"contact_email": "YOUR_EMAIL"
}Fill in your email address for
YOUR_EMAIL, and the private Github repository with your solution inYOUR_ACCOUNT/GITHUB_REPOSITORY. Then, make an HTTP POST request to the following URL with the JSON string as the body part.
CHALLENGE_URLContent type
The Content-Type: of the request must be
application/json.Authorization
The URL is protected by HTTP Basic Authentication, which is explained on Chapter 2 of RFC2617, so you have to provide an Authorization: header field in your POST request.
- For the userid of HTTP Basic Authentication, use the same email address you put in the JSON string.
- For the password , provide a 10-digit time-based one time password conforming to RFC6238 TOTP.
Authorization password
For generating the TOTP password, you will need to use the following setup:
- You have to generate a correct TOTP password according to RFC6238
- TOTP's
Time Step Xis 30 seconds.T0is 0.- Use
HMAC-SHA-512for the hash function, instead of the defaultHMAC-SHA-1.- Token shared secret is the userid followed by ASCII string value
"APICHALLENGE"(not including double quotations).Shared secret examples
For example, if the userid is
"email@example.com", the token shared secret is"email@example.comAPICHALLENGE"(without quotes).If your POST request succeeds, the server returns HTTP status code 200 .
我已经尝试非常仔细地遵循这个大纲,并以不同的方式测试我的工作。但是,似乎我做对了。我们应该从 Node 服务器后端发出请求。这是我到目前为止所做的。我使用 npm init 创建了一个新的 npm 项目并安装了您将在下面的代码中看到的依赖项:
const axios = require('axios');
const base64 = require('base-64');
const utf8 = require('utf8');
const { totp } = require('otplib');
const reqJSON =
{
github_url: GITHUB_URL,
contact_email: MY_EMAIL
}
const stringData = JSON.stringify(reqJSON);
const URL = CHALLENGE_URL;
const sharedSecret = reqJSON.contact_email + "APICHALLENGE";
totp.options = { digits: 10, algorithm: "sha512" }
const myTotp = totp.generate(sharedSecret);
const isValid = totp.check(myTotp, sharedSecret);
console.log("Token Info:", {myTotp, isValid});
const authStringUTF = reqJSON.contact_email + ":" + myTotp;
const bytes = utf8.encode(authStringUTF);
const encoded = base64.encode(bytes);
const createReq = async () =>
{
try
{
// set the headers
const config = {
headers: {
'Content-Type': 'application/json',
"Authorization": "Basic " + encoded
}
};
console.log("Making req", {URL, reqJSON, config});
const res = await axios.post(URL, stringData, config);
console.log(res.data);
}
catch (err)
{
console.error(err.response.data);
}
};
createReq();
据我了解,我不确定我在哪里犯了错误。在理解这些要求时,我已尽力做到非常小心。我已经简要查看了挑战概述的所有文档,并收集了在给定条件下正确生成 TOTP 所需的必要要求。
我发现 npm 包 otplib 可以通过我传入的选项满足这些要求。
但是,我的解决方案是不正确的。当我尝试提交解决方案时,收到错误消息 "Invalid token, wrong code"。有人可以帮我看看我做错了什么吗?
我真的不希望我所有的努力都白费,因为这是一个漫长的项目。
非常感谢您抽出宝贵时间来帮助解决这个问题。非常感谢。
软件包 otplib 的自述文件指出:
// TOTP defaults
{
// ...includes all HOTP defaults
createHmacKey: totpCreateHmacKey,
epoch: Date.now(),
step: 30,
window: 0,
}
所以 epoch (T0) 的默认值是 Date.now(),这是 RFC 标准。任务描述定义 T0 是 0.
您需要将 epoch 的默认值更改为 0:
totp.options = { digits: 10, algorithm: "sha512", epoch: 0 }