TimeBasedOtpAuthn

maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java

@@ -25,7 +25,6 @@ import org.maxkey.authn.realm.AbstractAuthenticationRealm;
 import org.maxkey.authn.support.rememberme.AbstractRemeberMeService;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstantsLoginType;
-import org.maxkey.crypto.password.PasswordReciprocal;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.password.onetimepwd.AbstractOtpAuthn;
 import org.maxkey.web.WebConstants;
@@ -222,9 +221,7 @@ public abstract class AbstractAuthenticationProvider {
         if (applicationConfig.getLoginConfig().isMfa() && authType.equalsIgnoreCase("tfa")) {
             UserInfo validUserInfo = new UserInfo();
             validUserInfo.setUsername(userInfo.getUsername());
-            String sharedSecret = 
-                    PasswordReciprocal.getInstance().decoder(userInfo.getSharedSecret());
-            validUserInfo.setSharedSecret(sharedSecret);
+            validUserInfo.setSharedSecret(userInfo.getSharedSecret());
             validUserInfo.setSharedCounter(userInfo.getSharedCounter());
             validUserInfo.setId(userInfo.getId());
             if (otpCaptcha == null || !tfaOtpAuthn.validate(validUserInfo, otpCaptcha)) {

maxkey-authentications/maxkey-authentication-otp/src/main/java/org/maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java

@@ -23,6 +23,7 @@ import java.util.Date;
 import java.util.TimeZone;
 import org.apache.commons.codec.binary.Hex;
 import org.maxkey.crypto.Base32Utils;
+import org.maxkey.crypto.password.PasswordReciprocal;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.password.onetimepwd.AbstractOtpAuthn;
 import org.maxkey.password.onetimepwd.algorithm.TimeBasedOTP;
@@ -46,7 +47,9 @@ public class TimeBasedOtpAuthn extends AbstractOtpAuthn {
     public boolean validate(UserInfo userInfo, String token) {
         _logger.debug("utcTime : " + dateFormat.format(new Date()));
         long currentTimeSeconds = System.currentTimeMillis() / 1000;
-        byte[] byteSharedSecret = Base32Utils.decode(userInfo.getSharedSecret());
+        String sharedSecret = 
+                PasswordReciprocal.getInstance().decoder(userInfo.getSharedSecret());
+        byte[] byteSharedSecret = Base32Utils.decode(sharedSecret);
         String hexSharedSecret = Hex.encodeHexString(byteSharedSecret);
         String timeBasedToken = "";
         if (crypto.equalsIgnoreCase("HmacSHA1")) {

maxkey-web-manage/src/main/java/org/maxkey/web/api/endpoint/RestTimeBasedOtpController.java

@@ -52,10 +52,6 @@ public class RestTimeBasedOtpController {
     	
     	UserInfo validUserInfo = userInfoService.loadByUsername(username);
     	if(validUserInfo != null) {
-    		 String sharedSecret = 
-                     PasswordReciprocal.getInstance().decoder(validUserInfo.getSharedSecret());
-             validUserInfo.setSharedSecret(sharedSecret);
-             validUserInfo.setSharedCounter(validUserInfo.getSharedCounter());
     		if(timeBasedOtpAuthn.validate(validUserInfo, token)) {
     			return true;
     		}