Tolerate OTP that are slighlty early or late #9677

PowerKiKi · PowerKiKi · commit 60565188c8d6 · 2023-05-24T21:58:44.000+07:00
Because some clients have mobile devices with a poorly synced time, we
must be tolerant and allow them to be either a bit early or a bit late.

Now the total window to accept an OTP is of 87 seconds.
diff --git a/src/Model/Traits/HasOtp.php b/src/Model/Traits/HasOtp.php
@@ -99,6 +99,6 @@ public function verifyOtp(string $received): bool
         }
         $otp = OTPHP\Factory::loadFromProvisioningUri($this->otpUri);
 
-        return $otp->verify($received);
+        return $otp->verify($received, null, 29);
     }
 }
diff --git a/tests/Model/Traits/HasOtpTest.php b/tests/Model/Traits/HasOtpTest.php
@@ -89,6 +89,12 @@ public function testVerifySecret(): void
 
         $otp = Factory::loadFromProvisioningUri($uri);
         self::assertInstanceOf(TOTPInterface::class, $otp);
-        self::assertTrue($this->user->verifyOtp($otp->now()), 'Correct OTP given');
+
+        // This is very time sensitive, and test might be flaky if the generated OTP is on the last
+        // millisecond of a second, and the verification happens on the first millisecond of the next second.
+        // To limit flakiness, we test with a slightly shorter time period than what is actually allowed.
+        self::assertTrue($this->user->verifyOtp($otp->at(time())), 'Correct OTP given');
+        self::assertTrue($this->user->verifyOtp($otp->at(time() - 27)), 'Even accept correct past OTP, in case of mobile device clock sync failure');
+        self::assertTrue($this->user->verifyOtp($otp->at(time() + 27)), 'Even accept correct future OTP, in case of mobile device clock sync failure');
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,6 @@ public function verifyOtp(string $received): bool`
`99`	`99`	`}`
`100`	`100`	`$otp = OTPHP\Factory::loadFromProvisioningUri($this->otpUri);`
`101`	`101`
`102`		`- return $otp->verify($received);`
	`102`	`+ return $otp->verify($received, null, 29);`
`103`	`103`	`}`
`104`	`104`	`}`
Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,12 @@ public function testVerifySecret(): void`
`89`	`89`
`90`	`90`	`$otp = Factory::loadFromProvisioningUri($uri);`
`91`	`91`	`self::assertInstanceOf(TOTPInterface::class, $otp);`
`92`		`- self::assertTrue($this->user->verifyOtp($otp->now()), 'Correct OTP given');`
	`92`	`+`
	`93`	`+ // This is very time sensitive, and test might be flaky if the generated OTP is on the last`
	`94`	`+ // millisecond of a second, and the verification happens on the first millisecond of the next second.`
	`95`	`+ // To limit flakiness, we test with a slightly shorter time period than what is actually allowed.`
	`96`	`+ self::assertTrue($this->user->verifyOtp($otp->at(time())), 'Correct OTP given');`
	`97`	`+ self::assertTrue($this->user->verifyOtp($otp->at(time() - 27)), 'Even accept correct past OTP, in case of mobile device clock sync failure');`
	`98`	`+ self::assertTrue($this->user->verifyOtp($otp->at(time() + 27)), 'Even accept correct future OTP, in case of mobile device clock sync failure');`
`93`	`99`	`}`
`94`	`100`	`}`