What is TOTP?
TOTP stands for Time-based One-Time Passwords and is a common form of two factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm that uses the current time as an input. The time-based passwords are available offline and provide user friendly, increased account security when used as a second factor.
TOTP is also known as app based authentication, software tokens, or soft tokens. Authentication apps like Microsoft Authenticator and Google Authenticator support the TOTP standard.
When TOTP ?
Imagine a secure system that combines something you know (like a password) with something you have (a device generating a one-time password). That’s where TOTP comes in.
How TOTP works?
When user register into our application system will generate a secret key and that will be stored in DB. System will generate a QR code that combines the Algorithm, number of digits and period that will be used by the server to generate the TOTP.
Upon login user will provide the credential and validate. As a next step they will be prompted for OTP. This will be generated by the authenticator application, this will be validated by the server using the time bucket the OTP is entered.
Project:
We are going to implement the Backend server in Spring Boot and Mongo DB as Persistence layer. Angular 14 is our Front end which will connect to backend over rest endpoints. We will be using “dev.samstevens.totp” to generate and verify TOTP.
End-Point Implementation overview:
/register
register endpoint will accept the registration details including the username and password as payload. It will check for user existence, if user already exist then respond with UserAlreadyExist exception, else Generate the Secret key, encode the password received and persist the user details. Further generate the QR code and add it to the response.
/verifyTotp
This endpoint accepts username and TOTP as payload. It will fetch the secret key with the username provided and pass it the verify method of “dev.samstevens.totp” code verifier. If the code is valid then it will generate the JWT and respond back. Else it will respond as Invalid Token.
/login
This endpiont will get the username and password as payload and validate with the AuthProvider. If the credentials are valid and user opted for MFA then respond with MFA Required. Else generate the JWT.
Project Setup:
Create a Spring Boot Project with following dependencies,
org.springframework.boot
spring-boot-starter-data-mongodb
org.springframework.boot
spring-boot-starter-mail
org.springframework.boot
spring-boot-starter-security
org.springframework.boot
spring-boot-starter-web
dev.samstevens.totp
totp
1.7.1
org.springframework.boot
spring-boot-starter-validation
org.springframework.boot
spring-boot-devtools
runtime
true
org.projectlombok
lombok
true
application.yaml
spring:
application:
name: mfa-server
data:
mongodb:
host: localhost
port: 27017
database: mfa-server
Create a websecurity configuration class to all endpoints. Also create a bean if BCryptPasswordEncoder.
`@EnableWebSecurity
@Configuration
public class AppSecurityConfig {
@Bean
public PasswordEncoder passwordEncoder(){
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain defaultFilterChain(HttpSecurity httpSecurity) throws Exception {
return httpSecurity
.cors(cors-> cors.disable())
.csrf(csrf-> csrf.disable())
.sessionManagement(session-> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth-> auth
.requestMatchers("https://dev.to/error**","https://dev.to/register**","https://dev.to/login**","https://dev.to/verifyTotp**").permitAll()
.anyRequest().authenticated()
)
.build();
}
}`
Create User Entity. This stores the user details, credentials and roles.
`@Document(collection = "users")
@NoArgsConstructor
@AllArgsConstructor
@Data
public class User {
@Id
private String id;
@Indexed
@NotBlank
private String username;
private String password;
boolean mfaEnabled;
@JsonIgnore
private String secretKey;
private String firstName;
private String lastName;
private boolean active;
@DBRef
private Set roles = new HashSet<>();
}`
Create UserRepository.
`@Repository
public interface UserRepository extends MongoRepository {
Optional findByUsername(String username);
}`
Create a Service that Helps us Register and Verify Totp
`public interface UserService {
MfaTokenData registerUser(User user) throws UserAlreadyExistException, QrGenerationException;
boolean verifyTotp(final String code,String username);
}`
Createa a Controller exposing the endpoints for /register, /login and /verifyTotp.
We will look into the Implementation in our next blog.
Securing Your App: TOTP Authentication with Spring Boot and Angular — Part Two— Implementation & Demo
Anbumani ・ Dec 31
#security
#springboot
#angular
#mongodb
Angular Project Setup
Create angular project and include bootstrap.
`"styles": [
"node_modules/bootstrap/scss/bootstrap.scss" ,
"src/styles.scss"
],
"scripts": [
"node_modules/bootstrap/dist/js/bootstrap.bundle.js"
]
`
Create client service that connects with backend over the rest endpoints.
`@Injectable({
providedIn: 'root'
})
export class AuthClientService {
constructor(private http: HttpClient) { }
public login(payload: string): Observable {
const httpOptions = {
headers: new HttpHeaders({
'Content-Type': 'application/json'
})
};
return this.http.post(
environment.apiUrl + '/login', payload, httpOptions
);
}
public verifyTotp(payload: MfaVerificationRequest): Observable {
return this.http.post(
environment.apiUrl + '/verifyTotp', payload
);
}
public register(
payload: string
): Observable {
return this.http.post(
environment.apiUrl + '/register',payload,
{ responseType: 'text' }
);
}
}
`
Create Login, Register components as per your wish and connect them with client. You can refer my implementation from below GitHub.
Mfaapplication
Application developed using Angular 14 and Bootstrap.
Components involved.
- Login
- Register
- TOTP
- Home Module
Check out the complete code implementation here