We're building a system to validate mobile phone numbers.
To achieve this, when a user adds his number, we are sending him a text message with a 6 digit code.
We don't want this code to go in our database as we don't like to clutter our database with fields that have no business meaning.
So we came up with the idea to reuse pragmarx/google2falibrary, have it generate an OTP code, dispatch it to the user by a text message, and then the circle would be round.
So basically we wanted to use the phone number, prefixed by somehting secret as the "secret" for the pragmarx/google2fa library:
$secret = '1263' . $mobile->country_code . $mobile->subscriber;
$google2fa = new Google2FA();
$google2fa->setEnforceGoogleAuthenticatorCompatibility(false);
$google2fa->getCurrentOtp($secret);
The above results in a secretsimilar to 12633232970987. However, the call to getCurrentOtp throws an exception Invalid characters in the base32 string. which is obviously not what I was hoping for.
So, I tried adding
$secret = base_convert($secret, 10, 32)
and pass that to the getCurrentOtpmethod, but that returned the same error. Checking into the library code, I see the following constant:
const VALID_FOR_B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
My base_convert returns a string that has other characters in there though. Are these really the only valid characters?
My alternative would be to just have the library generate a random secret, but we don't really want to do that, as that would require us to keep that secret somewhere in the database (or at least in cache), which we would like to avoid. The idea is that we could generate the code for a mobile number using the number as the secret, and let the OTP mechanism deal with expiring codes.
Anyone has any suggestion how I can resolve this?
Related
I am using the botbuilder DialogTestClient 's sendActivity method to send prompts to my bot while testing but the method only accepts string types and in my bot i use number promts to prompt the user for numbers . Do you have any idea on how i can overturn this problem ?
Thanks in advance
I'm a bit unclear if you are having this issue only for DialogTestClient or all Clients, but in nodejs you can just convert the string to number using Number(promptInput). If the promptInput is already a number, it will still work fine. I assume there is a similar function in C#.
Edit: Some additional context. You can take a look at userProfileDialog.js in multi-turn-prompt sample for an example. Essentially, NumberPrompt has a "succeeded" property in the recognizer that ensures you entered a number. You can use that plus whatever validations you want in the validator function. If it succeeds and is validated, a number, not a string, is passed to the next step in your dialog.
If the error is coming when you are trying to repeat back the prompt value to the user, you need to convert it to a string. I favor using the backtick for this (template string/literal), e.g.
await step.context.sendActivity(`You entered ${step.result}`);
where step.result is the numberPrompt result.
I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.
What caught me off guard is the fact that I can enter multiple valid signatures.
For example, head over to http://jwt.io
- enter MySuperSecretKey for the secret
This token is valid:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU
as well as this one:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV
In fact, if I change the last letter to V, W or X, I get a "Signature Verfied" message.
Can anyone tell me what's going on here?
It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.
Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==
I am a NEWBIE. Any help is appreciated.
I've been given the challenge of automating a Key Pass challenge.
a URL is provided (this is an example, I don't think the creator of the challenge wants it in public): www.guessmypasskey.com
When you visit the site, the body text simple returns, Key Denied:
If you add the following path, www.guessmypasskey/?key=a the site will return: Key Denied:00
The key is only alphanumeric and of unknown length...through manual testing I was able to find the key by determining that the binary code returns meant the following: 00 not a character used, 01 character used, wrong position, 11 correct character, correct position.
I envision, opening a browser to the URL with watir, checking a-a, A-Z, 0-9, in the first position...if 00 is displayed on page, delete character from possibility, if 01 is present write the number to a file (this will determine the character length needed.
Basic question, Am I going the wrong direction? Trying to automate with Ruby Cucumber Watir?
I know additional steps will be needed t determine the order of the characters....I'm just trying to get started on the first step, confirming the validity of the characters and the length of the pass key.
Kind of disappointed that the URL the real one. =p
Anyways, that approach would work... but I would imagine it being massive overkill.
Instead, what I would do is simply create a simple Node.js script (using JavaScript) which basically just loops through all possible combinations for each character, stepping through as you move.
You can just use the simple "request" module to request the web page. Then just build up your string like that.
var request = require('request');
// Gets content of one call... add this to your loop somehow.
request({uri: 'http://guessmypasskey.com?key=' + key}, function (err, response, body) {
// body has the result to check
});
This is probably going to be infinitely easier than setting up the tech stack you were talking about... not to mention a lot faster.
Your general approach (ignoring technology) sounds pretty spot on.
Can I determine if the user entered a phone number that can be safely formatted into E164?
For Germany, this requires that the user started his entry with a local area code. For example, 123456 may be a subscriber number in his city, but it cannot be formatted into E164, because we don't know his local area code. Then I would like to keep the entry as it is. In contrast, the input 089123456 is independent of the area code and could be formatted into E164, because we know he's from Germany and we could convert this into +4989123456.
You can simply convert your number into E164 using libphonenumber
and after conversion checks if both the strings are same or not. If they're same means a number can not be formatted, otherwise the number you'll get from library will be formatted in E164.
Here's how you can convert
PhoneNumberUtil phoneUtil = PhoneNumberUtil.getInstance();
String formattedNumber = phoneUtil.format(inputNumber, PhoneNumberFormat.E164);
Finally compare formattedNumber with inputNumber
It looks as though you'll need to play with isValidNumber and isPossibleNumber for your case. format is certainly not guaranteed to give you something actually dialable, see the javadocs. This is suggested by the demo as well, where formatting is not displayed when isValidNumber is false.
I also am dealing with this FWIW. In the context of US numbers: The issue is I'd like to parse using isPossibleNumber in order to be as lenient as possible, and store the number in E164. However then we accept, e.g. +15551212. This string itself even passes isPossibleNumber despite clearly (I think) not being dialable anywhere.
I'm trying to generate UUIDs with the same style as bit.ly urls like:
http://bit [dot] ly/aUekJP
or cloudapp ones:
http://cl [dot] ly/1hVU
which are even smaller
how can I do it?
I'm now using UUID gem for ruby but I'm not sure if it's possible to limitate the length and get something like this.
I am currently using this:
UUID.generate.split("-")[0] => b9386070
But I would like to have even smaller and knowing that it will be unique.
Any help would be pretty much appreciated :)
edit note: replaced dot letters with [dot] for workaround of banned short link
You are confusing two different things here. A UUID is a universally unique identifier. It has a very high probability of being unique even if millions of them were being created all over the world at the same time. It is generally displayed as a 36 digit string. You can not chop off the first 8 characters and expect it to be unique.
Bitly, tinyurl et-al store links and generate a short code to represent that link. They do not reconstruct the URL from the code they look it up in a data-store and return the corresponding URL. These are not UUIDS.
Without knowing your application it is hard to advise on what method you should use, however you could store whatever you are pointing at in a data-store with a numeric key and then rebase the key to base32 using the 10 digits and 22 lowercase letters, perhaps avoiding the obvious typo problems like 'o' 'i' 'l' etc
EDIT
On further investigation there is a Ruby base32 gem available that implements Douglas Crockford's Base 32 implementation
A 5 character Base32 string can represent over 33 million integers and a 6 digit string over a billion.
If you are working with numbers, you can use the built in ruby methods
6175601989.to_s(30)
=> "8e45ttj"
to go back
"8e45ttj".to_i(30)
=>6175601989
So you don't have to store anything, you can always decode an incoming short_code.
This works ok for proof of concept, but you aren't able to avoid ambiguous characters like: 1lji0o. If you are just looking to use the code to obfuscate database record IDs, this will work fine. In general, short codes are supposed to be easy to remember and transfer from one medium to another, like reading it on someone's presentation slide, or hearing it over the phone. If you need to avoid characters that are hard to read or hard to 'hear', you might need to switch to a process where you generate an acceptable code, and store it.
I found this to be short and reliable:
def create_uuid(prefix=nil)
time = (Time.now.to_f * 10_000_000).to_i
jitter = rand(10_000_000)
key = "#{jitter}#{time}".to_i.to_s(36)
[prefix, key].compact.join('_')
end
This spits out unique keys that look like this: '3qaishe3gpp07w2m'
Reduce the 'jitter' size to reduce the key size.
Caveat:
This is not guaranteed unique (use SecureRandom.uuid for that), but it is highly reliable:
10_000_000.times.map {create_uuid}.uniq.length == 10_000_000
The only way to guarantee uniqueness is to keep a global count and increment it for each use: 0000, 0001, etc.