View Full Version : Trying to setup TOTP in a webapp

5-Dec-2018, 09:51 AM

I am trying to setup one time passwords for a webapp and have downloaded and installed the dataflex security libraries in order to do so.
Then I read the part about TOTP/HOTP in the accompanied PDF and also looked at the Authenticator demo application.

It looks like that the authenticator demo is from an earlier codebase as it does not depend on the security library at all and has different code to showcase what can be done. So that one just mostly confuses what you have to do in order to use the security library.

In my webapp workspace for the libraries I added the
- DfSecurity
- DfSecurity-LibSodium
libraries as libraries to use.

So I followed the suggestion in the security library PDF and dragged both a c2FAWebGroup and a cWebQrCode to the login page and added the javascript lines for both controls to the index.html page.

Also set the following property:

Object oMyOtp is a cSecureTimeBasedOneTimePassword
Set piHashImplementation to C_SEC_HASH_LIBSODIUM_HMAC_SHA256
Set phoSecureOneTimePassword to oMyOtp

and removed the FIDO U2F stuff.

Then started to fill in the "To-Do's" and here's one that really puzzles me (well there's more as the documentation is minimal, there's no help and the pdf has no code examples.

// Return registered OTP secrets for the user. Make sure you verify password first!
// For security reasons, each user should have only one OTP key.
Function RegisteredOtpSecrets Returns UChar[][]
UChar[][] ucaSecrets

// ToDo: override this method.

Function_Return ucaSecrets

Yes I understand what it is saying, but this whole method never gets called from what I can see.
If I search the libraries then the function does not exist?
How can you override a function that does not exist?

The only similar function I found in the c2FAWebGroup class is this one:

// Return the specification of the registered OTP for the _authenticated_ user.
// There MUST be zero or one.
Function RegisteredOtp Returns String
Function_Return ""

Is that what was meant by it?

Also if I try to compile then I get a bunch of compiler errors.
For example the class cSecureTimeBasedOneTimePassword doesn't exist, but there is a cSecureOneTimePassword class, is that the one?
But there's also cSecureTimeBasedOneTimePassword_Impl ??

Another edit.. and then there's these errors:
----Compiler Error Summary----
- Error 4345: ..\DFSecurity\AppSrc\cSecureOneTimePassword.pkg (ln 156) Type check error CASE$IF$2720, MUST BE DEFINED
- Error 4345: ..\DFSecurity\AppSrc\cSecureOneTimePassword.pkg (ln 159) Type check error CASE$IF$2720, MUST BE DEFINED
- Error 4348: ..\DFSecurity\AppSrc\cSecureOneTimePassword.pkg (ln 180) Unresolved control block MISMATCH IN METHOD
- Error 4345: ..\DataFlex Projects\V-30-PS\AppSrc\Login.wo (ln 94) Type check error U_CSECURETIMEBASEDONETIMEPASSWORD, MUST BE DEFINED
-- Error 4328: Undefined symbol in argument U_CSECURETIMEBASEDONETIMEPASSWORD
- Error 4348: ..\dataflex projects\V-30-PS\AppSrc\WebApp.src (ln 254) Unresolved control block


5-Dec-2018, 10:54 AM
I can get rid of the above errors by including the libSodium package.

So I now have the following lines at the top of my login.wo page.

Use cLibsodiumHash_Impl.pkg
Use cSecureOneTimePassword.pkg
Use c2FAWebGroup.pkg
Use cWebQrCode.pkg

Also ended up using

Object oMyOtp is a cSecureTimeBasedOneTimePassword_Impl //cSecureTimeBasedOneTimePassword

for now. Added the CNG library to my workspace as well.