Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-pyotp for openSUSE:Factory checked in at 2026-06-17 16:22:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-pyotp (Old) and /work/SRC/openSUSE:Factory/.python-pyotp.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyotp" Wed Jun 17 16:22:45 2026 rev:10 rq:1359920 version:2.10.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-pyotp/python-pyotp.changes 2025-06-11 16:23:38.025231994 +0200 +++ /work/SRC/openSUSE:Factory/.python-pyotp.new.1981/python-pyotp.changes 2026-06-17 16:23:30.948105866 +0200 @@ -1,0 +2,12 @@ +Sun Jun 14 17:21:34 UTC 2026 - Martin Hauke <[email protected]> + +- Update to version 2.10.0 + * Fix parse_uri mis-parsing of encoded colon in issuer/account + name. + * Simplified and improved generate_otp() performance in Steam + class. + * Check digest function to prevent error on OTP Generation. + * Ignore non-standard otpauth parameters. + * use strings as immutable default arguments. + +------------------------------------------------------------------- Old: ---- pyotp-2.9.0.tar.gz New: ---- pyotp-2.10.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-pyotp.spec ++++++ --- /var/tmp/diff_new_pack.pzMfnU/_old 2026-06-17 16:23:31.820142342 +0200 +++ /var/tmp/diff_new_pack.pzMfnU/_new 2026-06-17 16:23:31.820142342 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-pyotp # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %{?sle15_python_module_pythons} Name: python-pyotp -Version: 2.9.0 +Version: 2.10.0 Release: 0 Summary: Python One Time Password Library License: MIT @@ -27,8 +27,8 @@ Source: https://files.pythonhosted.org/packages/source/p/pyotp/pyotp-%{version}.tar.gz BuildRequires: %{python_module base >= 3.7} BuildRequires: %{python_module devel} +BuildRequires: %{python_module hatchling} BuildRequires: %{python_module pip} -BuildRequires: %{python_module setuptools} BuildRequires: %{python_module wheel} BuildRequires: fdupes BuildRequires: python-rpm-macros ++++++ pyotp-2.9.0.tar.gz -> pyotp-2.10.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/.github/FUNDING.yml new/pyotp-2.10.0/.github/FUNDING.yml --- old/pyotp-2.9.0/.github/FUNDING.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/.github/FUNDING.yml 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,3 @@ +# These are supported funding model platforms + +github: kislyuk diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/.github/workflows/ci.yml new/pyotp-2.10.0/.github/workflows/ci.yml --- old/pyotp-2.9.0/.github/workflows/ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/.github/workflows/ci.yml 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,31 @@ +name: Python package + +on: [push, pull_request] + +jobs: + build: + runs-on: ${{ matrix.os }} + env: + PIP_DISABLE_PIP_VERSION_CHECK: 1 + strategy: + matrix: + os: [ubuntu-22.04, ubuntu-latest, macos-latest] + python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] + steps: + - uses: actions/checkout@v4 + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python-version }} + - run: make install + - run: make lint + - run: make test + - uses: codecov/codecov-action@v5 + ruff: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: astral-sh/ruff-action@v3 + - uses: astral-sh/ruff-action@v3 + with: + args: "format --check" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/.github/workflows/release.yml new/pyotp-2.10.0/.github/workflows/release.yml --- old/pyotp-2.9.0/.github/workflows/release.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/.github/workflows/release.yml 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,21 @@ +name: Publish release to PyPI + +on: + push: + tags: + - 'v[0-9]+.[0-9]+.[0-9]+' + +jobs: + pypi-publish: + name: Build and upload release to PyPI + runs-on: ubuntu-latest + environment: release + permissions: + id-token: write + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + - run: pip install build + - run: python -m build + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/.gitignore new/pyotp-2.10.0/.gitignore --- old/pyotp-2.9.0/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/.gitignore 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,42 @@ +# Reminder: +# - A leading slash means the pattern is anchored at the root. +# - No leading slash means the pattern matches at any depth. + +# Python files +*.pyc +__pycache__/ +.tox/ +*.egg-info/ +/build/ +/dist/ +/.eggs/ + +# Sphinx documentation +/docs/_build/ + +# IDE project files +/.pydevproject + +# vim python-mode plugin +/.ropeproject + +# IntelliJ IDEA / PyCharm project files +/.idea +/*.iml + +# JS/node/npm/web dev files +node_modules +npm-debug.log + +# OS X metadata files +.DS_Store + +# Python coverage +.coverage +htmlcov + +# Virtual environments +venv + +# Type checking +.mypy_cache diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/Changes.rst new/pyotp-2.10.0/Changes.rst --- old/pyotp-2.9.0/Changes.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/Changes.rst 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,187 @@ +Changes for v2.10.0 (2026-06-13) +================================ + +- Fix parse_uri mis-parsing of encoded colon in issuer/account name + (#187) + +- Simplified and improved generate_otp() performance in Steam class + (#179) + +- Check digest function to prevent error on OTP Generation (#170) + +- Ignore non-standard otpauth parameters + +- use strings as immutable default arguments (#162) + +Changes for v2.9.0 (2023-07-27) +=============================== + +- Add ``parse_uri()`` support for Steam TOTP (#153) + +- Test and documentation improvements + +Changes for v2.8.0 (2022-12-13) +=============================== + +- Modify OTP generation to run in constant time (#148) + +- Documentation improvements + +- Drop Python 3.6 support; introduce Python 3.11 support + +Changes for v2.7.0 (2022-09-11) +=============================== + +- Support Steam TOTP (#142) + +- Build, test, and documentation updates + +Changes for v2.6.0 (2021-02-04) +=============================== + +- Raise default and minimum base32 secret length to 32, and hex secret + length to 40 (160 bits as recommended by the RFC) (#115). + +- Fix issue where provisioning_uri would return invalid results after + calling verify() (#115). + +Changes for v2.5.1 (2021-01-29) +=============================== + +- parse_uri accepts and ignores optional image parameter (#114) + +Changes for v2.5.0 (2021-01-29) +=============================== + +- Add optional image parameter to provisioning_uri (#113) + +- Support for 7-digit codes in ‘parse_uri’ (#111) + +- Raise default and minimum base32 secret length to 26 + +Changes for v2.4.1 (2020-10-16) +=============================== + +- parse_uri: Fix handling of period, counter (#108) + +- Add support for timezone aware datetime as argument to + ``TOTP.timecode()`` (#107) + +Changes for v2.4.0 (2020-07-29) +=============================== + +- Fix data type for at(for_time) (#85) + +- Add support for parsing provisioning URIs (#84) + +- Raise error when trying to generate secret that is too short (The + secret must be at least 128 bits) + +- Add random_hex function (#82) + +Changes for v2.3.0 (2019-07-26) +=============================== + +- Fix comparison behavior on Python 2.7 + +Changes for v2.2.8 (2019-07-26) +=============================== + +- Fix comparison of unicode chars (#78) + +- Minor documentation and test fixes + +Changes for v2.2.7 (2018-11-05) +=============================== + +- Have random_base32() use ‘secrets’ as rand source (#66) + +- Documentation: Add security considerations, minimal security + checklist, other improvements + +- Update setup.py to reference correct license + +Changes for v2.2.6 (2017-06-10) +=============================== + +- Fix tests wrt double-quoting in provisioning URIs + +Changes for v2.2.5 (2017-06-03) +=============================== + +- Quote issuer QS parameter in provisioning\_uri. Fixes #47. + +- Raise an exception if a negative integer is passed to at() (#41). + +- Documentation and release infrastructure improvements. + +Changes for v2.2.4 (2017-01-04) +=============================== + +- Restore Python 2.6 compatibility (however, Python 2.6 is not + supported) + +- Documentation and test improvements + +- Fix release infra script, part 2 + +Changes for v2.2.3 (2017-01-04) +=============================== + +- Restore Python 2.6 compatibility (however, Python 2.6 is not + supported) + +- Documentation and test improvements + +- Fix release infra script + +Changes for v2.2.2 (2017-01-04) +=============================== + +- Restore Python 2.6 compatibility (however, Python 2.6 is not + supported) + +- Documentation and test improvements + +Changes for v2.2.1 (2016-08-30) +=============================== + +- Avoid using python-future; it has subdependencies that limit + compatibility (#34) +- Make test suite pass on 32-bit platforms (#30) +- Timing attack resistance fix: don't reveal string length to attacker. + Thanks to Eeo Jun (#28). +- Support algorithm, digits, period parameters in provisioning\_uri. + Thanks to Dionisio E Alonso (#33). +- Minor style and packaging infrastructure fixes. + +Changes for v2.2.0 (2016-08-30) +=============================== + +- See v2.2.1 + +Version 2.1.0 (2016-05-02) +-------------------------- +- Add extended range support to TOTP.verify. Thanks to Zeev Rotshtein (PR #19). +- Handle missing padding of encoded secret. Thanks to Kun Yan (#20). +- Miscellaneous fixes. + +Version 2.0.1 (2015-09-28) +-------------------------- +- Fix packaging issue in v2.0.0 that prevented installation with easy_install. + +Version 2.0.0 (2015-08-22) +-------------------------- +- The ``pyotp.HOTP.at()``, ``pyotp.TOTP.at()``, and + ``pyotp.TOTP.now()`` methods now return strings instead of + integers. Thanks to Rohan Dhaimade (PR #16). + +Version 1.4.2 (2015-07-21) +-------------------------- +- Begin tracking changes in change log. +- Update documentation. +- Introduce Travis CI integration. + +Version 1.3.1 (2012-02-29) +-------------------------- +- Initial release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/Makefile new/pyotp-2.10.0/Makefile --- old/pyotp-2.9.0/Makefile 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/Makefile 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,31 @@ +SHELL=/bin/bash + +test_deps: + python -m pip install .[test] + +lint: + ruff check src + mypy --install-types --non-interactive --check-untyped-defs src + +test: + coverage run --branch --include 'src/*' -m unittest discover -s test -v + +init_docs: + cd docs; sphinx-quickstart + +docs: + python -m pip install furo sphinx-copybutton sphinxext-opengraph + sphinx-build docs docs/html + +install: clean + python -m pip install build + python -m build + python -m pip install --upgrade $$(echo dist/*.whl)[test] + +clean: + -rm -rf build dist + -rm -rf *.egg-info + +.PHONY: test_deps lint test docs install clean + +include common.mk diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/PKG-INFO new/pyotp-2.10.0/PKG-INFO --- old/pyotp-2.9.0/PKG-INFO 2023-07-28 01:40:52.158836000 +0200 +++ new/pyotp-2.10.0/PKG-INFO 2020-02-02 01:00:00.000000000 +0100 @@ -1,32 +1,41 @@ -Metadata-Version: 2.1 -Name: pyotp -Version: 2.9.0 +Metadata-Version: 2.4 +Name: PyOTP +Version: 2.10.0 Summary: Python One Time Password Library -Home-page: https://github.com/pyotp/pyotp -Author: PyOTP contributors -Author-email: [email protected] -License: MIT License -Project-URL: Documentation, https://pyauth.github.io/pyotp +Project-URL: Homepage, https://github.com/pyauth/pyotp +Project-URL: Documentation, https://github.com/pyauth/pyotp Project-URL: Source Code, https://github.com/pyauth/pyotp Project-URL: Issue Tracker, https://github.com/pyauth/pyotp/issues -Project-URL: Change Log, https://github.com/pyauth/pyotp/blob/master/Changes.rst -Platform: MacOS X -Platform: Posix +Project-URL: Change Log, https://github.com/pyauth/pyotp/blob/main/Changes.rst +Author: Andrey Kislyuk +Author-email: [email protected] +Maintainer: Andrey Kislyuk +Maintainer-email: [email protected] +License-Expression: MIT +License-File: LICENSE +Classifier: Development Status :: 5 - Production/Stable Classifier: Intended Audience :: Developers -Classifier: License :: OSI Approved :: MIT License Classifier: Operating System :: MacOS :: MacOS X Classifier: Operating System :: POSIX Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.7 Classifier: Programming Language :: Python :: 3.8 Classifier: Programming Language :: Python :: 3.9 Classifier: Programming Language :: Python :: 3.10 Classifier: Programming Language :: Python :: 3.11 +Classifier: Programming Language :: Python :: 3.12 +Classifier: Programming Language :: Python :: 3.13 +Classifier: Programming Language :: Python :: Implementation :: CPython +Classifier: Programming Language :: Python :: Implementation :: PyPy +Classifier: Topic :: Software Development Classifier: Topic :: Software Development :: Libraries :: Python Modules -Requires-Python: >=3.7 +Requires-Python: >=3.8 Provides-Extra: test -License-File: LICENSE +Requires-Dist: coverage; extra == 'test' +Requires-Dist: mypy; extra == 'test' +Requires-Dist: ruff; extra == 'test' +Requires-Dist: wheel; extra == 'test' +Description-Content-Type: text/x-rst PyOTP - The Python One-Time Password Library ============================================ @@ -54,11 +63,11 @@ - Throttle (rate limit) brute-force attacks against your application's login functionality (see RFC 4226, section 7.3) - When implementing a "greenfield" application, consider supporting `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn <https://www.w3.org/TR/webauthn/>`_ in - addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a shared secret design, which strengthens your - MFA solution against server-side attacks. Hardware U2F also sequesters the client secret in a dedicated single-purpose - device, which strengthens your clients against client-side attacks. And by automating scoping of credentials to - relying party IDs (application origin/domain names), U2F adds protection against phishing attacks. One implementation - of FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP <https://github.com/pyauth/pywarp>`_. + addition to or instead of HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a shared secret design, which + strengthens your MFA solution against server-side attacks. Hardware U2F also sequesters the client secret in a + dedicated single-purpose device, which strengthens your clients against client-side attacks. And by automating scoping + of credentials to relying party IDs (application origin/domain names), U2F adds protection against phishing attacks. + One implementation of FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP <https://github.com/pyauth/pywarp>`_. We also recommend that implementers read the `OWASP Authentication Cheat Sheet @@ -158,7 +167,7 @@ Scan the following barcode with your phone's OTP app (e.g. Google Authenticator): -.. image:: https://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP +.. image:: https://quickchart.io/qr?size=250&text=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP Now run the following and compare the output:: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/README.rst new/pyotp-2.10.0/README.rst --- old/pyotp-2.9.0/README.rst 2023-06-16 02:22:25.000000000 +0200 +++ new/pyotp-2.10.0/README.rst 2020-02-02 01:00:00.000000000 +0100 @@ -24,11 +24,11 @@ - Throttle (rate limit) brute-force attacks against your application's login functionality (see RFC 4226, section 7.3) - When implementing a "greenfield" application, consider supporting `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn <https://www.w3.org/TR/webauthn/>`_ in - addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a shared secret design, which strengthens your - MFA solution against server-side attacks. Hardware U2F also sequesters the client secret in a dedicated single-purpose - device, which strengthens your clients against client-side attacks. And by automating scoping of credentials to - relying party IDs (application origin/domain names), U2F adds protection against phishing attacks. One implementation - of FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP <https://github.com/pyauth/pywarp>`_. + addition to or instead of HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a shared secret design, which + strengthens your MFA solution against server-side attacks. Hardware U2F also sequesters the client secret in a + dedicated single-purpose device, which strengthens your clients against client-side attacks. And by automating scoping + of credentials to relying party IDs (application origin/domain names), U2F adds protection against phishing attacks. + One implementation of FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP <https://github.com/pyauth/pywarp>`_. We also recommend that implementers read the `OWASP Authentication Cheat Sheet @@ -128,7 +128,7 @@ Scan the following barcode with your phone's OTP app (e.g. Google Authenticator): -.. image:: https://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP +.. image:: https://quickchart.io/qr?size=250&text=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP Now run the following and compare the output:: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/SECURITY.md new/pyotp-2.10.0/SECURITY.md --- old/pyotp-2.9.0/SECURITY.md 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/SECURITY.md 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,9 @@ +# Security Policy + +## Reporting a Vulnerability + +If you believe you have found a security vulnerability in this project, please report it to us by submitting a security advisory at https://github.com/pyauth/pyotp/security/advisories. You can expect an initial response within 14 days. + +## Supported Versions + +In general, the maintainers of this project provide security updates only for the most recent published release. If you need support for prior versions, please open an issue and describe your situation. Requests for updates to prior releases will be considered on a case-by-case basis, and will generally be accommodated only for the latest releases in prior major version release series. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/common.mk new/pyotp-2.10.0/common.mk --- old/pyotp-2.9.0/common.mk 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/common.mk 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,45 @@ +SHELL=/bin/bash -eo pipefail + +release-major: + $(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v@{[$$1+1]}.0.0"')) + $(MAKE) release + +release-minor: + $(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v$$1.@{[$$2+1]}.0"')) + $(MAKE) release + +release-patch: + $(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v$$1.$$2.@{[$$3+1]}"')) + $(MAKE) release + +release: + @if ! git diff --cached --exit-code; then echo "Commit staged files before proceeding"; exit 1; fi + @if [[ -z $$TAG ]]; then echo "Use release-{major,minor,patch}"; exit 1; fi + @if ! type -P pandoc; then echo "Please install pandoc"; exit 1; fi + @if ! type -P sponge; then echo "Please install moreutils"; exit 1; fi + @if ! type -P gh; then echo "Please install gh"; exit 1; fi + git pull + TAG_MSG=$$(mktemp); \ + echo "# Changes for ${TAG} ($$(date +%Y-%m-%d))" > $$TAG_MSG; \ + git log --pretty=format:%s $$(git describe --abbrev=0)..HEAD >> $$TAG_MSG; \ + $${EDITOR:-emacs} $$TAG_MSG; \ + if [[ -f Changes.md ]]; then cat $$TAG_MSG <(echo) Changes.md | sponge Changes.md; git add Changes.md; fi; \ + if [[ -f Changes.rst ]]; then cat <(pandoc --from markdown --to rst $$TAG_MSG) <(echo) Changes.rst | sponge Changes.rst; git add Changes.rst; fi; \ + git commit -m ${TAG}; \ + git tag --annotate --file $$TAG_MSG ${TAG} + git push --follow-tags + $(MAKE) install + gh release create ${TAG} dist/*.whl --notes="$$(git tag --list ${TAG} -n99 | perl -pe 's/^\S+\s*// if $$. == 1' | sed 's/^\s\s\s\s//')" + $(MAKE) release-docs + +release-docs: + $(MAKE) docs + -git branch -D gh-pages + git checkout -B gh-pages-stage + touch docs/html/.nojekyll + git add --force docs/html + git commit -m "Docs for ${TAG}" + git push --force origin $$(git subtree split --prefix docs/html --branch gh-pages):refs/heads/gh-pages + git checkout - + +.PHONY: release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/docs/changelog.rst new/pyotp-2.10.0/docs/changelog.rst --- old/pyotp-2.9.0/docs/changelog.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/docs/changelog.rst 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,3 @@ +Release Notes +============= +.. include:: ../Changes.rst diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/docs/conf.py new/pyotp-2.10.0/docs/conf.py --- old/pyotp-2.9.0/docs/conf.py 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/docs/conf.py 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,36 @@ +import os +import sys + +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "src")) + +project = "PyOTP" +copyright = "PyOTP contributors" +author = "PyOTP contributors" +version = "" +release = "" +language = "en" +master_doc = "index" +extensions = ["sphinx.ext.autodoc", "sphinx.ext.viewcode", "sphinx.ext.intersphinx", "sphinxext.opengraph"] +source_suffix = [".rst", ".md"] +exclude_patterns = ["_build", "Thumbs.db", ".DS_Store"] +pygments_style = "sphinx" +intersphinx_mapping = { + "python": ("https://docs.python.org/3";, None), +} +templates_path = [""] +ogp_site_url = "https://pyauth.github.io/pyotp/"; + +if "readthedocs.org" in os.getcwd().split("/"): + with open("index.rst", "w") as fh: + fh.write("Documentation for this project has moved to https://pyauth.github.io/pyotp";) +else: + html_theme = "furo" + html_sidebars = { + "**": [ + "sidebar/brand.html", + "sidebar/search.html", + "sidebar/scroll-start.html", + "toc.html", + "sidebar/scroll-end.html", + ] + } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/docs/index.rst new/pyotp-2.10.0/docs/index.rst --- old/pyotp-2.9.0/docs/index.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/docs/index.rst 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1,27 @@ +.. include:: ../README.rst + +API documentation +================= + +.. automodule:: pyotp + :members: + +.. automodule:: pyotp.totp + :members: + +.. automodule:: pyotp.hotp + :members: + +.. automodule:: pyotp.utils + :members: + +.. automodule:: pyotp.contrib.steam + :members: + +Change log +========== + +.. toctree:: + :maxdepth: 5 + + changelog diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/docs/toc.html new/pyotp-2.10.0/docs/toc.html --- old/pyotp-2.9.0/docs/toc.html 1970-01-01 01:00:00.000000000 +0100 +++ new/pyotp-2.10.0/docs/toc.html 2020-02-02 01:00:00.000000000 +0100 @@ -0,0 +1 @@ +{{toc}} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/pyproject.toml new/pyotp-2.10.0/pyproject.toml --- old/pyotp-2.9.0/pyproject.toml 2023-06-16 02:22:25.000000000 +0200 +++ new/pyotp-2.10.0/pyproject.toml 2020-02-02 01:00:00.000000000 +0100 @@ -1,3 +1,49 @@ +[project] +name = "PyOTP" +description = "Python One Time Password Library" +readme = "README.rst" +requires-python = ">=3.8" +license = "MIT" +license-files = ["LICENSE"] +authors = [{ name = "Andrey Kislyuk"}, {email = "[email protected]" }] +maintainers = [{ name = "Andrey Kislyuk"}, {email = "[email protected]" }] +dynamic = ["version"] +classifiers = [ + "Intended Audience :: Developers", + "Operating System :: MacOS :: MacOS X", + "Operating System :: POSIX", + "Programming Language :: Python", + "Programming Language :: Python :: 3", + "Programming Language :: Python :: 3.8", + "Programming Language :: Python :: 3.9", + "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", + "Programming Language :: Python :: 3.12", + "Programming Language :: Python :: 3.13", + "Programming Language :: Python :: Implementation :: CPython", + "Programming Language :: Python :: Implementation :: PyPy", + "Development Status :: 5 - Production/Stable", + "Topic :: Software Development", + "Topic :: Software Development :: Libraries :: Python Modules", +] + +[project.optional-dependencies] +test = ["coverage", "wheel", "ruff", "mypy"] + +[project.urls] +"Homepage"= "https://github.com/pyauth/pyotp"; +"Documentation"= "https://github.com/pyauth/pyotp"; +"Source Code"= "https://github.com/pyauth/pyotp"; +"Issue Tracker"= "https://github.com/pyauth/pyotp/issues"; +"Change Log"= "https://github.com/pyauth/pyotp/blob/main/Changes.rst"; + +[build-system] +requires = ["hatchling", "hatch-vcs"] +build-backend = "hatchling.build" + +[tool.hatch.version] +source = "vcs" + [tool.black] line-length = 120 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/setup.cfg new/pyotp-2.10.0/setup.cfg --- old/pyotp-2.9.0/setup.cfg 2023-07-28 01:40:52.160089700 +0200 +++ new/pyotp-2.10.0/setup.cfg 1970-01-01 01:00:00.000000000 +0100 @@ -1,4 +0,0 @@ -[egg_info] -tag_build = -tag_date = 0 - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/setup.py new/pyotp-2.10.0/setup.py --- old/pyotp-2.9.0/setup.py 2023-07-28 01:38:36.000000000 +0200 +++ new/pyotp-2.10.0/setup.py 1970-01-01 01:00:00.000000000 +0100 @@ -1,45 +0,0 @@ -#!/usr/bin/env python - -from setuptools import setup - -setup( - name="pyotp", - version="2.9.0", - url="https://github.com/pyotp/pyotp";, - project_urls={ - "Documentation": "https://pyauth.github.io/pyotp";, - "Source Code": "https://github.com/pyauth/pyotp";, - "Issue Tracker": "https://github.com/pyauth/pyotp/issues";, - "Change Log": "https://github.com/pyauth/pyotp/blob/master/Changes.rst";, - }, - license="MIT License", - author="PyOTP contributors", - author_email="[email protected]", - description="Python One Time Password Library", - long_description=open("README.rst").read(), - python_requires=">=3.7", - install_requires=[], - extras_require={ - "test": ["coverage", "wheel", "ruff", "mypy"], - }, - packages=["pyotp", "pyotp.contrib"], - package_dir={"": "src"}, - package_data={"pyotp": ["py.typed"]}, - platforms=["MacOS X", "Posix"], - zip_safe=False, - test_suite="test", - classifiers=[ - "Intended Audience :: Developers", - "License :: OSI Approved :: MIT License", - "Operating System :: MacOS :: MacOS X", - "Operating System :: POSIX", - "Programming Language :: Python", - "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.7", - "Programming Language :: Python :: 3.8", - "Programming Language :: Python :: 3.9", - "Programming Language :: Python :: 3.10", - "Programming Language :: Python :: 3.11", - "Topic :: Software Development :: Libraries :: Python Modules", - ], -) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp/__init__.py new/pyotp-2.10.0/src/pyotp/__init__.py --- old/pyotp-2.9.0/src/pyotp/__init__.py 2023-07-28 01:37:40.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp/__init__.py 2020-02-02 01:00:00.000000000 +0100 @@ -10,7 +10,7 @@ from .totp import TOTP as TOTP -def random_base32(length: int = 32, chars: Sequence[str] = list("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")) -> str: +def random_base32(length: int = 32, chars: Sequence[str] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567") -> str: # Note: the otpauth scheme DOES NOT use base32 padding for secret lengths not divisible by 8. # Some third-party tools have bugs when dealing with such secrets. # We might consider warning the user when generating a secret of length not divisible by 8. @@ -20,7 +20,7 @@ return "".join(random.choice(chars) for _ in range(length)) -def random_hex(length: int = 40, chars: Sequence[str] = list("ABCDEF0123456789")) -> str: +def random_hex(length: int = 40, chars: Sequence[str] = "ABCDEF0123456789") -> str: if length < 40: raise ValueError("Secrets should be at least 160 bits") return random_base32(length=length, chars=chars) @@ -49,19 +49,26 @@ # Data we'll parse to the correct constructor otp_data: Dict[str, Any] = {} - # Parse with URLlib - parsed_uri = urlparse(unquote(uri)) + # Parse the URI structure first, then unquote individual components. + # Unquoting the whole URI before splitting the label would turn an + # encoded colon (%3A) inside the issuer or account name into a literal + # ":" and mis-parse the issuer:account separator (see GitHub issue #174). + parsed_uri = urlparse(uri) if parsed_uri.scheme != "otpauth": raise ValueError("Not an otpauth URI") - # Parse issuer/accountname info - accountinfo_parts = split(":|%3A", parsed_uri.path[1:], maxsplit=1) + # Parse issuer/accountname info. The label uses a literal ":" as the + # issuer:account separator; a percent-encoded "%3A" is a colon that is + # part of the issuer or account name, not a separator. Split on the + # literal ":" while the components are still percent-encoded, then + # unquote each component on its own. + accountinfo_parts = split(":", parsed_uri.path[1:], maxsplit=1) if len(accountinfo_parts) == 1: - otp_data["name"] = accountinfo_parts[0] + otp_data["name"] = unquote(accountinfo_parts[0]) else: - otp_data["issuer"] = accountinfo_parts[0] - otp_data["name"] = accountinfo_parts[1] + otp_data["issuer"] = unquote(accountinfo_parts[0]) + otp_data["name"] = unquote(accountinfo_parts[1]) # Parse values for key, value in parse_qsl(parsed_uri.query): @@ -89,13 +96,11 @@ otp_data["interval"] = int(value) elif key == "counter": otp_data["initial_count"] = int(value) - elif key != "image": - raise ValueError("{} is not a valid parameter".format(key)) - + if encoder != "steam": if digits is not None and digits not in [6, 7, 8]: raise ValueError("Digits may only be 6, 7, or 8") - + if not secret: raise ValueError("No secret found in URI") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp/compat.py new/pyotp-2.10.0/src/pyotp/compat.py --- old/pyotp-2.9.0/src/pyotp/compat.py 2021-12-09 10:28:01.000000000 +0100 +++ new/pyotp-2.10.0/src/pyotp/compat.py 2020-02-02 01:00:00.000000000 +0100 @@ -1,7 +1,9 @@ +import sys + # Use secrets module if available (Python version >= 3.6) per PEP 506 -try: - from secrets import SystemRandom # type: ignore -except ImportError: +if sys.version_info >= (3, 6): + from secrets import SystemRandom +else: from random import SystemRandom random = SystemRandom() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp/contrib/steam.py new/pyotp-2.10.0/src/pyotp/contrib/steam.py --- old/pyotp-2.9.0/src/pyotp/contrib/steam.py 2023-07-28 01:37:40.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp/contrib/steam.py 2020-02-02 01:00:00.000000000 +0100 @@ -13,12 +13,7 @@ """ def __init__( - self, - s: str, - name: Optional[str] = None, - issuer: Optional[str] = None, - interval: int = 30, - digits: int = 5 + self, s: str, name: Optional[str] = None, issuer: Optional[str] = None, interval: int = 30, digits: int = 5 ) -> None: """ :param s: secret in base32 format @@ -34,16 +29,12 @@ :param input: the HMAC counter value to use as the OTP input. Usually either the counter, or the computed integer based on the Unix timestamp """ - str_code = super().generate_otp(input) - int_code = int(str_code) - - steam_code = "" + int_code = int(super().generate_otp(input)) total_chars = len(STEAM_CHARS) + digits = [] for _ in range(STEAM_DEFAULT_DIGITS): - pos = int_code % total_chars - char = STEAM_CHARS[int(pos)] - steam_code += char + digits.append(STEAM_CHARS[int_code % total_chars]) int_code //= total_chars - return steam_code + return "".join(digits) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp/hotp.py new/pyotp-2.10.0/src/pyotp/hotp.py --- old/pyotp-2.9.0/src/pyotp/hotp.py 2023-03-04 21:03:14.000000000 +0100 +++ new/pyotp-2.10.0/src/pyotp/hotp.py 2020-02-02 01:00:00.000000000 +0100 @@ -29,6 +29,8 @@ """ if digest is None: digest = hashlib.sha1 + elif digest in [hashlib.md5, hashlib.shake_128]: + raise ValueError("selected digest function must generate digest size greater than or equals to 18 bytes") self.initial_count = initial_count super().__init__(s=s, digits=digits, digest=digest, name=name, issuer=issuer) @@ -56,7 +58,7 @@ name: Optional[str] = None, initial_count: Optional[int] = None, issuer_name: Optional[str] = None, - image: Optional[str] = None, + **kwargs, ) -> str: """ Returns the provisioning URI for the OTP. This can then be @@ -79,5 +81,5 @@ issuer=issuer_name if issuer_name else self.issuer, algorithm=self.digest().name, digits=self.digits, - image=image, + **kwargs, ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp/otp.py new/pyotp-2.10.0/src/pyotp/otp.py --- old/pyotp-2.9.0/src/pyotp/otp.py 2023-07-28 01:37:37.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp/otp.py 2020-02-02 01:00:00.000000000 +0100 @@ -21,6 +21,8 @@ if digits > 10: raise ValueError("digits must be no greater than 10") self.digest = digest + if digest in [hashlib.md5, hashlib.shake_128]: + raise ValueError("selected digest function must generate digest size greater than or equals to 18 bytes") self.secret = s self.name = name or "Secret" self.issuer = issuer @@ -33,6 +35,8 @@ if input < 0: raise ValueError("input must be positive integer") hasher = hmac.new(self.byte_secret(), self.int_to_bytestring(input), self.digest) + if hasher.digest_size < 18: + raise ValueError("digest size is lower than 18 bytes, which will trigger error on otp generation") hmac_hash = bytearray(hasher.digest()) offset = hmac_hash[-1] & 0xF code = ( diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp/totp.py new/pyotp-2.10.0/src/pyotp/totp.py --- old/pyotp-2.9.0/src/pyotp/totp.py 2023-03-04 21:03:14.000000000 +0100 +++ new/pyotp-2.10.0/src/pyotp/totp.py 2020-02-02 01:00:00.000000000 +0100 @@ -24,14 +24,16 @@ ) -> None: """ :param s: secret in base32 format - :param interval: the time interval in seconds for OTP. This defaults to 30. :param digits: number of integers in the OTP. Some apps expect this to be 6 digits, others support more. :param digest: digest function to use in the HMAC (expected to be SHA1) :param name: account name :param issuer: issuer + :param interval: the time interval in seconds for OTP. This defaults to 30. """ if digest is None: digest = hashlib.sha1 + elif digest in [hashlib.md5, hashlib.shake_128]: + raise ValueError("selected digest function must generate digest size greater than or equals to 18 bytes") self.interval = interval super().__init__(s=s, digits=digits, digest=digest, name=name, issuer=issuer) @@ -83,10 +85,7 @@ return utils.strings_equal(str(otp), str(self.at(for_time))) - def provisioning_uri( - self, name: Optional[str] = None, issuer_name: Optional[str] = None, image: Optional[str] = None - ) -> str: - + def provisioning_uri(self, name: Optional[str] = None, issuer_name: Optional[str] = None, **kwargs) -> str: """ Returns the provisioning URI for the OTP. This can then be encoded in a QR Code and used to provision an OTP app like @@ -103,7 +102,7 @@ algorithm=self.digest().name, digits=self.digits, period=self.interval, - image=image, + **kwargs, ) def timecode(self, for_time: datetime.datetime) -> int: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp/utils.py new/pyotp-2.10.0/src/pyotp/utils.py --- old/pyotp-2.9.0/src/pyotp/utils.py 2023-03-04 21:03:14.000000000 +0100 +++ new/pyotp-2.10.0/src/pyotp/utils.py 2020-02-02 01:00:00.000000000 +0100 @@ -12,7 +12,7 @@ algorithm: Optional[str] = None, digits: Optional[int] = None, period: Optional[int] = None, - image: Optional[str] = None, + **kwargs, ) -> str: """ Returns the provisioning URI for the OTP; works for either TOTP or HOTP. @@ -35,7 +35,7 @@ :param digits: the length of the OTP generated code. :param period: the number of seconds the OTP generator is set to expire every code. - :param image: optional logo image url + :param kwargs: other query string parameters to include in the URI :returns: provisioning uri """ # initial_count may be 0 as a valid param @@ -64,11 +64,14 @@ url_args["digits"] = digits if is_period_set: url_args["period"] = period - if image: - image_uri = urlparse(image) - if image_uri.scheme != "https" or not image_uri.netloc or not image_uri.path: - raise ValueError("{} is not a valid url".format(image_uri)) - url_args["image"] = image + for k, v in kwargs.items(): + if not isinstance(v, str): + raise ValueError("All otpauth uri parameters must be strings") + if k == "image": + image_uri = urlparse(v) + if image_uri.scheme != "https" or not image_uri.netloc or not image_uri.path: + raise ValueError("{} is not a valid url".format(image_uri)) + url_args[k] = v uri = base_uri.format(otp_type, label, urlencode(url_args).replace("+", "%20")) return uri diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp.egg-info/PKG-INFO new/pyotp-2.10.0/src/pyotp.egg-info/PKG-INFO --- old/pyotp-2.9.0/src/pyotp.egg-info/PKG-INFO 2023-07-28 01:40:52.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp.egg-info/PKG-INFO 1970-01-01 01:00:00.000000000 +0100 @@ -1,211 +0,0 @@ -Metadata-Version: 2.1 -Name: pyotp -Version: 2.9.0 -Summary: Python One Time Password Library -Home-page: https://github.com/pyotp/pyotp -Author: PyOTP contributors -Author-email: [email protected] -License: MIT License -Project-URL: Documentation, https://pyauth.github.io/pyotp -Project-URL: Source Code, https://github.com/pyauth/pyotp -Project-URL: Issue Tracker, https://github.com/pyauth/pyotp/issues -Project-URL: Change Log, https://github.com/pyauth/pyotp/blob/master/Changes.rst -Platform: MacOS X -Platform: Posix -Classifier: Intended Audience :: Developers -Classifier: License :: OSI Approved :: MIT License -Classifier: Operating System :: MacOS :: MacOS X -Classifier: Operating System :: POSIX -Classifier: Programming Language :: Python -Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.7 -Classifier: Programming Language :: Python :: 3.8 -Classifier: Programming Language :: Python :: 3.9 -Classifier: Programming Language :: Python :: 3.10 -Classifier: Programming Language :: Python :: 3.11 -Classifier: Topic :: Software Development :: Libraries :: Python Modules -Requires-Python: >=3.7 -Provides-Extra: test -License-File: LICENSE - -PyOTP - The Python One-Time Password Library -============================================ - -PyOTP is a Python library for generating and verifying one-time passwords. It can be used to implement two-factor (2FA) -or multi-factor (MFA) authentication methods in web applications and in other systems that require users to log in. - -Open MFA standards are defined in `RFC 4226 <https://tools.ietf.org/html/rfc4226>`_ (HOTP: An HMAC-Based One-Time -Password Algorithm) and in `RFC 6238 <https://tools.ietf.org/html/rfc6238>`_ (TOTP: Time-Based One-Time Password -Algorithm). PyOTP implements server-side support for both of these standards. Client-side support can be enabled by -sending authentication codes to users over SMS or email (HOTP) or, for TOTP, by instructing users to use `Google -Authenticator <https://en.wikipedia.org/wiki/Google_Authenticator>`_, `Authy <https://www.authy.com/>`_, or another -compatible app. Users can set up auth tokens in their apps easily by using their phone camera to scan `otpauth:// -<https://github.com/google/google-authenticator/wiki/Key-Uri-Format>`_ QR codes provided by PyOTP. - -Implementers should read and follow the `HOTP security requirements <https://tools.ietf.org/html/rfc4226#section-7>`_ -and `TOTP security considerations <https://tools.ietf.org/html/rfc6238#section-5>`_ sections of the relevant RFCs. At -minimum, application implementers should follow this checklist: - -- Ensure transport confidentiality by using HTTPS -- Ensure HOTP/TOTP secret confidentiality by storing secrets in a controlled access database -- Deny replay attacks by rejecting one-time passwords that have been used by the client (this requires storing the most - recently authenticated timestamp, OTP, or hash of the OTP in your database, and rejecting the OTP when a match is - seen) -- Throttle (rate limit) brute-force attacks against your application's login functionality (see RFC 4226, section 7.3) -- When implementing a "greenfield" application, consider supporting - `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn <https://www.w3.org/TR/webauthn/>`_ in - addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a shared secret design, which strengthens your - MFA solution against server-side attacks. Hardware U2F also sequesters the client secret in a dedicated single-purpose - device, which strengthens your clients against client-side attacks. And by automating scoping of credentials to - relying party IDs (application origin/domain names), U2F adds protection against phishing attacks. One implementation - of FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP <https://github.com/pyauth/pywarp>`_. - -We also recommend that implementers read the -`OWASP Authentication Cheat Sheet -<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_ and -`NIST SP 800-63-3: Digital Authentication Guideline <https://pages.nist.gov/800-63-3/>`_ for a high level overview of -authentication best practices. - -Quick overview of using One Time Passwords on your phone --------------------------------------------------------- - -* OTPs involve a shared secret, stored both on the phone and the server -* OTPs can be generated on a phone without internet connectivity -* OTPs should always be used as a second factor of authentication (if your phone is lost, you account is still secured - with a password) -* Google Authenticator and other OTP client apps allow you to store multiple OTP secrets and provision those using a QR - Code - -Installation ------------- -:: - - pip install pyotp - -Usage ------ - -Time-based OTPs -~~~~~~~~~~~~~~~ -:: - - import pyotp - import time - - totp = pyotp.TOTP('base32secret3232') - totp.now() # => '492039' - - # OTP verified for current time - totp.verify('492039') # => True - time.sleep(30) - totp.verify('492039') # => False - -Counter-based OTPs -~~~~~~~~~~~~~~~~~~ -:: - - import pyotp - - hotp = pyotp.HOTP('base32secret3232') - hotp.at(0) # => '260182' - hotp.at(1) # => '055283' - hotp.at(1401) # => '316439' - - # OTP verified with a counter - hotp.verify('316439', 1401) # => True - hotp.verify('316439', 1402) # => False - -Generating a Secret Key -~~~~~~~~~~~~~~~~~~~~~~~ -A helper function is provided to generate a 32-character base32 secret, compatible with Google Authenticator and other -OTP apps:: - - pyotp.random_base32() - -Some applications want the secret key to be formatted as a hex-encoded string:: - - pyotp.random_hex() # returns a 40-character hex-encoded secret - -Google Authenticator Compatible -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -PyOTP works with the Google Authenticator iPhone and Android app, as well as other OTP apps like Authy. PyOTP includes -the ability to generate provisioning URIs for use with the QR Code scanner built into these MFA client apps:: - - pyotp.totp.TOTP('JBSWY3DPEHPK3PXP').provisioning_uri(name='[email protected]', issuer_name='Secure App') - - >>> 'otpauth://totp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App' - - pyotp.hotp.HOTP('JBSWY3DPEHPK3PXP').provisioning_uri(name="[email protected]", issuer_name="Secure App", initial_count=0) - - >>> 'otpauth://hotp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App&counter=0' - -This URL can then be rendered as a QR Code (for example, using https://github.com/soldair/node-qrcode) which can then be -scanned and added to the users list of OTP credentials. - -Parsing these URLs is also supported:: - - pyotp.parse_uri('otpauth://totp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App') - - >>> <pyotp.totp.TOTP object at 0xFFFFFFFF> - - pyotp.parse_uri('otpauth://hotp/Secure%20App:alice%40google.com?secret=JBSWY3DPEHPK3PXP&issuer=Secure%20App&counter=0' - - >>> <pyotp.totp.HOTP object at 0xFFFFFFFF> - -Working example -~~~~~~~~~~~~~~~ - -Scan the following barcode with your phone's OTP app (e.g. Google Authenticator): - -.. image:: https://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP - -Now run the following and compare the output:: - - import pyotp - totp = pyotp.TOTP("JBSWY3DPEHPK3PXP") - print("Current OTP:", totp.now()) - -Third-party contributions -~~~~~~~~~~~~~~~~~~~~~~~~~ -The following third-party contributions are not described by a standard, not officially supported, and provided for -reference only: - -* ``pyotp.contrib.Steam()``: An implementation of Steam TOTP. Uses the same API as `pyotp.TOTP()`. - -Links -~~~~~ - -* `Project home page (GitHub) <https://github.com/pyauth/pyotp>`_ -* `Documentation <https://pyauth.github.io/pyotp/>`_ -* `Package distribution (PyPI) <https://pypi.python.org/pypi/pyotp>`_ -* `Change log <https://github.com/pyauth/pyotp/blob/master/Changes.rst>`_ -* `RFC 4226: HOTP: An HMAC-Based One-Time Password <https://tools.ietf.org/html/rfc4226>`_ -* `RFC 6238: TOTP: Time-Based One-Time Password Algorithm <https://tools.ietf.org/html/rfc6238>`_ -* `ROTP <https://github.com/mdp/rotp>`_ - Original Ruby OTP library by `Mark Percival <https://github.com/mdp>`_ -* `OTPHP <https://github.com/lelag/otphp>`_ - PHP port of ROTP by `Le Lag <https://github.com/lelag>`_ -* `OWASP Authentication Cheat Sheet <https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_ -* `NIST SP 800-63-3: Digital Authentication Guideline <https://pages.nist.gov/800-63-3/>`_ - -For new applications: - -* `WebAuthn <https://www.w3.org/TR/webauthn/>`_ -* `PyWARP <https://github.com/pyauth/pywarp>`_ - -Versioning -~~~~~~~~~~ -This package follows the `Semantic Versioning 2.0.0 <http://semver.org/>`_ standard. To control changes, it is -recommended that application developers pin the package version and manage it using `pip-tools -<https://github.com/jazzband/pip-tools>`_ or similar. For library developers, pinning the major version is -recommended. - -.. image:: https://github.com/pyauth/pyotp/workflows/Python%20package/badge.svg - :target: https://github.com/pyauth/pyotp/actions -.. image:: https://img.shields.io/codecov/c/github/pyauth/pyotp/master.svg - :target: https://codecov.io/github/pyauth/pyotp?branch=master -.. image:: https://img.shields.io/pypi/v/pyotp.svg - :target: https://pypi.python.org/pypi/pyotp -.. image:: https://img.shields.io/pypi/l/pyotp.svg - :target: https://pypi.python.org/pypi/pyotp -.. image:: https://readthedocs.org/projects/pyotp/badge/?version=latest - :target: https://pyotp.readthedocs.io/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp.egg-info/SOURCES.txt new/pyotp-2.10.0/src/pyotp.egg-info/SOURCES.txt --- old/pyotp-2.9.0/src/pyotp.egg-info/SOURCES.txt 2023-07-28 01:40:52.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp.egg-info/SOURCES.txt 1970-01-01 01:00:00.000000000 +0100 @@ -1,21 +0,0 @@ -LICENSE -MANIFEST.in -README.rst -pyproject.toml -setup.py -test.py -src/pyotp/__init__.py -src/pyotp/compat.py -src/pyotp/hotp.py -src/pyotp/otp.py -src/pyotp/py.typed -src/pyotp/totp.py -src/pyotp/utils.py -src/pyotp.egg-info/PKG-INFO -src/pyotp.egg-info/SOURCES.txt -src/pyotp.egg-info/dependency_links.txt -src/pyotp.egg-info/not-zip-safe -src/pyotp.egg-info/requires.txt -src/pyotp.egg-info/top_level.txt -src/pyotp/contrib/__init__.py -src/pyotp/contrib/steam.py \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp.egg-info/dependency_links.txt new/pyotp-2.10.0/src/pyotp.egg-info/dependency_links.txt --- old/pyotp-2.9.0/src/pyotp.egg-info/dependency_links.txt 2023-07-28 01:40:52.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp.egg-info/dependency_links.txt 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp.egg-info/not-zip-safe new/pyotp-2.10.0/src/pyotp.egg-info/not-zip-safe --- old/pyotp-2.9.0/src/pyotp.egg-info/not-zip-safe 2021-12-09 10:32:05.000000000 +0100 +++ new/pyotp-2.10.0/src/pyotp.egg-info/not-zip-safe 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp.egg-info/requires.txt new/pyotp-2.10.0/src/pyotp.egg-info/requires.txt --- old/pyotp-2.9.0/src/pyotp.egg-info/requires.txt 2023-07-28 01:40:52.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp.egg-info/requires.txt 1970-01-01 01:00:00.000000000 +0100 @@ -1,6 +0,0 @@ - -[test] -coverage -wheel -ruff -mypy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/src/pyotp.egg-info/top_level.txt new/pyotp-2.10.0/src/pyotp.egg-info/top_level.txt --- old/pyotp-2.9.0/src/pyotp.egg-info/top_level.txt 2023-07-28 01:40:52.000000000 +0200 +++ new/pyotp-2.10.0/src/pyotp.egg-info/top_level.txt 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -pyotp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyotp-2.9.0/test.py new/pyotp-2.10.0/test.py --- old/pyotp-2.9.0/test.py 2023-07-28 01:37:40.000000000 +0200 +++ new/pyotp-2.10.0/test.py 2020-02-02 01:00:00.000000000 +0100 @@ -335,6 +335,22 @@ self.assertFalse(totp.verify("195979", 200, 1)) +class DigestFunctionTest(unittest.TestCase): + def test_md5(self): + with self.assertRaises(ValueError) as cm: + pyotp.OTP(s="secret", digest=hashlib.md5) + self.assertEqual( + "selected digest function must generate digest size greater than or equals to 18 bytes", str(cm.exception) + ) + + def test_shake128(self): + with self.assertRaises(ValueError) as cm: + pyotp.OTP(s="secret", digest=hashlib.shake_128) + self.assertEqual( + "selected digest function must generate digest size greater than or equals to 18 bytes", str(cm.exception) + ) + + class ParseUriTest(unittest.TestCase): def test_invalids(self): with self.assertRaises(ValueError) as cm: @@ -350,10 +366,6 @@ self.assertEqual("Not a supported OTP type", str(cm.exception)) with self.assertRaises(ValueError) as cm: - pyotp.parse_uri("otpauth://totp?foo=secret") - self.assertEqual("foo is not a valid parameter", str(cm.exception)) - - with self.assertRaises(ValueError) as cm: pyotp.parse_uri("otpauth://totp?digits=-1") self.assertEqual("Digits may only be 6, 7, or 8", str(cm.exception)) @@ -364,7 +376,7 @@ with self.assertRaises(ValueError) as cm: pyotp.parse_uri("otpauth://totp?algorithm=aes") self.assertEqual("Invalid value for algorithm, must be SHA1, SHA256 or SHA512", str(cm.exception)) - + def test_parse_steam(self): otp = pyotp.parse_uri("otpauth://totp/Steam:?secret=SOME_SECRET&encoder=steam") self.assertEqual(type(otp), pyotp.contrib.Steam) @@ -435,13 +447,44 @@ self.assertEqual(otp.at(90), "JG3T3") # period and digits should be ignored - otp = pyotp.parse_uri("otpauth://totp/Steam:?secret=FMXNK4QEGKVPULRTADY6JIDK5VHUBGZW&period=15&digits=7&encoder=steam") + otp = pyotp.parse_uri( + "otpauth://totp/Steam:?secret=FMXNK4QEGKVPULRTADY6JIDK5VHUBGZW&period=15&digits=7&encoder=steam" + ) self.assertEqual(type(otp), pyotp.contrib.Steam) self.assertEqual(otp.at(0), "C5V56") self.assertEqual(otp.at(30), "QJY8Y") self.assertEqual(otp.at(60), "R3WQY") self.assertEqual(otp.at(90), "JG3T3") + pyotp.parse_uri("otpauth://totp?secret=abc&image=foobar") + + def test_parse_encoded_colon_in_label(self): + # Regression test for issue #174: an encoded colon (%3A) inside the + # issuer or account name must not be treated as the issuer:account + # separator. The label issuer and the query issuer should still match. + otp = pyotp.parse_uri( + "otpauth://totp/Text%3A%20More%20Text:Secret?secret=FFFFFFFAAAAAABBBBBBB&issuer=Text%3A%20More%20Text" + ) + self.assertEqual(otp.name, "Secret") + self.assertEqual(otp.issuer, "Text: More Text") + + # An encoded colon in the account name (no issuer) is kept intact. + otp = pyotp.parse_uri("otpauth://totp/a%3Ab?secret=GEZDGNBV") + self.assertEqual(otp.name, "a:b") + self.assertIsNone(otp.issuer) + + # Round-trip: building the URI and parsing it back preserves both parts. + source = pyotp.TOTP("FFFFFFFAAAAAABBBBBBB", name="Secret", issuer="Text: More Text") + roundtrip = pyotp.parse_uri(source.provisioning_uri()) + self.assertEqual(roundtrip.name, "Secret") + self.assertEqual(roundtrip.issuer, "Text: More Text") + + # A percent-encoded space in a plain issuer (no colon) still decodes. + otp = pyotp.parse_uri("otpauth://totp/Big%20Corp:bob?secret=GEZDGNBV&issuer=Big%20Corp") + self.assertEqual(otp.name, "bob") + self.assertEqual(otp.issuer, "Big Corp") + + class Timecop(object): """ Half-assed clone of timecop.rb, just enough to pass our tests.
