From e0454deea98d89cf599e955acc0bc097689009e4 Mon Sep 17 00:00:00 2001
From: MaxKey
Date: Sat, 27 Mar 2021 09:27:02 +0800
Subject: [PATCH] TimeBasedOtpAuthn

---
 .../org/maxkey/authn/AbstractAuthenticationProvider.java | 5 +----
 .../maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java | 5 ++++-
 .../maxkey/web/api/endpoint/RestTimeBasedOtpController.java | 4 ----
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
index c4d20348..ed0f9f1f 100644
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
@@ -25,7 +25,6 @@ import org.maxkey.authn.realm.AbstractAuthenticationRealm;
 import org.maxkey.authn.support.rememberme.AbstractRemeberMeService;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.constants.ConstantsLoginType;
-import org.maxkey.crypto.password.PasswordReciprocal;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.password.onetimepwd.AbstractOtpAuthn;
 import org.maxkey.web.WebConstants;
@@ -222,9 +221,7 @@ public abstract class AbstractAuthenticationProvider {
 if (applicationConfig.getLoginConfig().isMfa() && authType.equalsIgnoreCase("tfa")) {
 UserInfo validUserInfo = new UserInfo();
 validUserInfo.setUsername(userInfo.getUsername());
- String sharedSecret =
- PasswordReciprocal.getInstance().decoder(userInfo.getSharedSecret());
- validUserInfo.setSharedSecret(sharedSecret);
+ validUserInfo.setSharedSecret(userInfo.getSharedSecret());
 validUserInfo.setSharedCounter(userInfo.getSharedCounter());
 validUserInfo.setId(userInfo.getId());
 if (otpCaptcha == null || !tfaOtpAuthn.validate(validUserInfo, otpCaptcha)) {
diff --git a/maxkey-authentications/maxkey-authentication-otp/src/main/java/org/maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java b/maxkey-authentications/maxkey-authentication-otp/src/main/java/org/maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java
index fddf5d40..5c38eaca 100644
--- a/maxkey-authentications/maxkey-authentication-otp/src/main/java/org/maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java
+++ b/maxkey-authentications/maxkey-authentication-otp/src/main/java/org/maxkey/password/onetimepwd/impl/TimeBasedOtpAuthn.java
@@ -23,6 +23,7 @@ import java.util.Date;
 import java.util.TimeZone;
 import org.apache.commons.codec.binary.Hex;
 import org.maxkey.crypto.Base32Utils;
+import org.maxkey.crypto.password.PasswordReciprocal;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.password.onetimepwd.AbstractOtpAuthn;
 import org.maxkey.password.onetimepwd.algorithm.TimeBasedOTP;
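Review bot: The value copied on the `+ validUserInfo.setSharedSecret(userInfo.getSharedSecret());` line is now the stored, PasswordReciprocal-encoded secret, while `tfaOtpAuthn` is typed `AbstractOtpAuthn` and the only decoder this patch adds lives inside TimeBasedOtpAuthn.validate; any other AbstractOtpAuthn implementation wired as the tfa provider (the copied sharedCounter suggests a counter-based one may exist) would presumably receive an undecoded secret and reject every code. Decoding where the secret is consumed is the right direction, but the contract should be pinned so the next implementation does not drift: on AbstractOtpAuthn.validate I would add `/** userInfo.getSharedSecret() arrives in its stored (PasswordReciprocal-encoded) form; implementations must decode it themselves. */`. A one-line comment at the copy site, `// secret stays encoded here; the OTP implementation decodes it`, would also stop someone re-adding the decoder in this caller. The enclosing method starts and ends outside this hunk.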
@@ -46,7 +47,9 @@ public class TimeBasedOtpAuthn extends AbstractOtpAuthn {
 public boolean validate(UserInfo userInfo, String token) {
 _logger.debug("utcTime : " + dateFormat.format(new Date()));
 long currentTimeSeconds = System.currentTimeMillis() / 1000;
- byte[] byteSharedSecret = Base32Utils.decode(userInfo.getSharedSecret());
+ String sharedSecret =
+ PasswordReciprocal.getInstance().decoder(userInfo.getSharedSecret());
+ byte[] byteSharedSecret = Base32Utils.decode(sharedSecret);
 String hexSharedSecret = Hex.encodeHexString(byteSharedSecret);
 String timeBasedToken = "";
 if (crypto.equalsIgnoreCase("HmacSHA1")) {
diff --git a/maxkey-web-manage/src/main/java/org/maxkey/web/api/endpoint/RestTimeBasedOtpController.java b/maxkey-web-manage/src/main/java/org/maxkey/web/api/endpoint/RestTimeBasedOtpController.java
index 8bfa0ba2..0387a689 100644
--- a/maxkey-web-manage/src/main/java/org/maxkey/web/api/endpoint/RestTimeBasedOtpController.java
+++ b/maxkey-web-manage/src/main/java/org/maxkey/web/api/endpoint/RestTimeBasedOtpController.java
@@ -52,10 +52,6 @@ public class RestTimeBasedOtpController {
 UserInfo validUserInfo = userInfoService.loadByUsername(username);
 if(validUserInfo != null) {
- String sharedSecret =
- PasswordReciprocal.getInstance().decoder(validUserInfo.getSharedSecret());
- validUserInfo.setSharedSecret(sharedSecret);
- validUserInfo.setSharedCounter(validUserInfo.getSharedCounter());
 if(timeBasedOtpAuthn.validate(validUserInfo, token)) {
 return true;
 }
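Review bot: The decode added on the `+ String sharedSecret =` line runs for every caller, including a user with no enrolled secret, so a null or empty `userInfo.getSharedSecret()` now flows through PasswordReciprocal.decoder and then Base32Utils.decode with no guard; how decoder treats null is not visible here, but a Base32 decode of null presumably throws, which turns a missing enrollment into an exception on the login path instead of a clean rejection. I would fail closed before decoding: `if (userInfo.getSharedSecret() == null || userInfo.getSharedSecret().isEmpty()) { return false; }`. The comparison of `timeBasedToken` with `token` presumably happens after the hunk, so whether it is constant-time cannot be judged from here. The method's signature is in the hunk but its body continues past the last line shown.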