digitalpoint
Well-known member
Affected version: 2.2.9
When generating the URL for Google Authenticator (or other TOTP apps), there's an extra space before $user.
In XF\Tfa\Totp.php:
PHP:
$otpUrl = GoogleAuthenticator::getKeyUri('totp', "$issuer: $user", $config['secret'], null, [
    'issuer' => $issuer
]);
should be:
PHP:
$otpUrl = GoogleAuthenticator::getKeyUri('totp', "$issuer:$user", $config['secret'], null, [
    'issuer' => $issuer
]);
It's not normally noticeable, because the Google Authenticator app cleans it up and trims it before displaying. But I have noticed other apps don't trim it... notably, Yubico's Authenticator app always ends up with a leading space on the account name when adding XenForo TOTP.
If you look at the example section for Google Authenticator, you can see the example does not include that space:
Code:
otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
Key Uri Format · google/google-authenticator Wiki
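An added example (not part of the original post and not XenForo's code): a Python sketch that builds the provisioning URI with and without the space after the colon, parses the label the way a non-trimming and a trimming app would, and flags the stray whitespace. The function names are hypothetical; the issuer, account and secret are the sample values from the Key Uri Format example quoted above.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit


def build_otpauth_uri(issuer, user, secret, separator=":"):
    """Build a TOTP provisioning URI; `separator` joins issuer and account name."""
    label = quote(f"{issuer}{separator}{user}", safe=":@")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"


def parse_label(uri, trim=False):
    """Split the label into (issuer, account).

    trim=False models an app that displays the account name exactly as
    encoded; trim=True models an app that strips surrounding whitespace.
    """
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    issuer, sep, account = label.partition(":")
    if not sep:  # label without an issuer prefix
        issuer, account = "", label
    return issuer, (account.strip() if trim else account)


def label_problems(uri):
    """Return a list of label issues worth catching in a regression test."""
    issuer, account = parse_label(uri)
    problems = []
    if account != account.strip():
        problems.append("account name has leading/trailing whitespace")
    query_issuer = parse_qs(urlsplit(uri).query).get("issuer", [""])[0]
    if issuer and query_issuer and issuer != query_issuer:
        problems.append("label issuer differs from issuer parameter")
    return problems


# Sample values taken from the Key Uri Format example on this page.
BUGGY = build_otpauth_uri("Example", "alice@google.com", "JBSWY3DPEHPK3PXP", ": ")
FIXED = build_otpauth_uri("Example", "alice@google.com", "JBSWY3DPEHPK3PXP")

if __name__ == "__main__":
    for name, uri in (("buggy", BUGGY), ("fixed", FIXED)):
        print(name, uri)
        print("  as displayed without trimming:", repr(parse_label(uri)[1]))
        print("  problems:", label_problems(uri))
```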