Package com.iizix.server.user.mfa
Class MFAUser
java.lang.Object
com.iizix.server.user.mfa.MFAUser
The class used to provide an MFA authentication using a TOTP based QR code. The authentication software will use this QR code to set-up the users' account. The sign in, the user will have to provide a six digit code that is valid during a certain period of time, generally 60 seconds, with a time drift of +/-30 seconds. Oftentimes, allow codes valid for 2 time periods before/after to pass as valid.
Nested Class Summary
Modifier and TypeClassDescriptionstatic enum
Enum to define valid hashing algorithms.Field Summary
Modifier and TypeFieldDescriptionstatic String
The default time provider host: "pool.ntp.org".static int
Default timeout in milliseconds: 3_000 (or 3 seconds).static final int
The default number of digits: 6.final int
The drift period, default +/- 30 seconds.static final int
The default number of characters in the secret: 32.Constructor Summary
Method Summary
Modifier and TypeMethodDescriptiongenerateQRCodeData
(ErrorCorrectionLevel errorCorrectionLevel) Generate the QR code data with relevant information with specified error correction level.Generate the secret with thesecretLength
specified, defaultSECRET_LENGTH = 32
.Gets or generate the secret with thesecretLength
specified, defaultSECRET_LENGTH = 32
, if not previously done.Sets the algorithm to use when creating the QR code.setDigits
(int digits) Sets the number of digits to use for the code.setPeriod
(int period) Sets the drift period in +/- seconds to use, default isPERIOD = 30
.setTimeProvider
(String timeProviderHost, int timeoutMilliseconds) Before validating a code, the time provider host and the timeout value in milliseconds can be set.boolean
validateCode
(String code) Validates a code.
Field Details
SECRET_LENGTH
public static final int SECRET_LENGTHThe default number of characters in the secret: 32.- See Also:
DIGITS
public static final int DIGITSThe default number of digits: 6.- See Also:
PERIOD
public final int PERIODThe drift period, default +/- 30 seconds.- See Also:
DEFAULT_TIME_PROVIDER_HOST
The default time provider host: "pool.ntp.org".DEFAULT_TIMEOUT_MILLISECONDS
public static int DEFAULT_TIMEOUT_MILLISECONDSDefault timeout in milliseconds: 3_000 (or 3 seconds).
Constructor Details
MFAUser
Constructor of the instance for a six digit code.- Parameters:
appName
- The application name as the issuer, in localized form (should never change).account
- The account name is generally something to identify uniquely the user, generally an email address.
Method Details
setDigits
Sets the number of digits to use for the code.Setting how many digits long the generated codes are:
Most TOTP implementations generate codes that are 6 digits long, but codes can have a length of any positive non-zero integer.
- Parameters:
digits
- The requested number of digits (default 6, minimum 4 and maximum 8 is recommended).- Returns:
- "this" instance for concatenation.
- Throws:
IllegalArgumentException
- If digits range is not within 4 to 8.
setPeriod
Sets the drift period in +/- seconds to use, default isPERIOD = 30
.Setting the time period and discrepancy:
The one time password codes generated in the authenticator apps only last for a certain time period before they are re-generated, and most implementations of TOTP allow room for codes that have recently expired, or will only "become valid" soon in the future to be accepted as valid, to allow for a small time drift between the server and the authenticator app (discrepancy).
- Parameters:
period
- The requested period in seconds (range is 10 to 60).- Returns:
- "this" instance for concatenation.
- Throws:
IllegalArgumentException
- If period range is not within 10 to 60 seconds.
setAlgorithm
Sets the algorithm to use when creating the QR code.- Parameters:
alg
- The hashing algorithm.- Returns:
- "this" instance for concatenation.
generateSecret
Generate the secret with thesecretLength
specified, defaultSECRET_LENGTH = 32
. The secret is only generated once, so there is no point in calling this method many times, nothing will happen.- Returns:
- "this" instance for concatenation.
getSecret
Gets or generate the secret with thesecretLength
specified, defaultSECRET_LENGTH = 32
, if not previously done.- Returns:
- The secret.
generateQRCodeData
public BarcodeURN generateQRCodeData(ErrorCorrectionLevel errorCorrectionLevel) throws BarcodeException Generate the QR code data with relevant information with specified error correction level.- Parameters:
errorCorrectionLevel
-null
for default L = Low = ~7% error correction level.- Returns:
- The generated barcode URN from where e.g. an SVG can be extracted.
- Throws:
IllegalStateException
- If the secret is missing (has not been generated).BarcodeException
- If there are missing or invalid parameters assigned in this builder encountered during barcode encoding.
setTimeProvider
Before validating a code, the time provider host and the timeout value in milliseconds can be set. If this is not done, the default values are used:timeProviderHost = DEFAULT_TIME_PROVIDER_HOST timeoutMilliseconds = DEFAULT_TIMEOUT_MILLISECONDS
- Parameters:
timeProviderHost
- The time provider host.timeoutMilliseconds
- The timeout value in milliseconds (must be over 500 milliseconds).- Returns:
- "this" instance for concatenation.
- Throws:
IllegalArgumentException
- If thetimeoutMilliseconds
value is less than 500 milliseconds or larger than 60_000 milliseconds (1 minute).NullPointerException
- If thetimeProviderHost
isnull
.
validateCode
Validates a code.- Parameters:
code
- The code.- Returns:
- The valid code flag.
- Throws:
UnknownHostException
- In case thetimeProviderHost
is an unknown host.