This is very interesting if it was done for fun. However, this is very likely unsuitable for real world usage. A couple of issues I could see with a quick glance:

- Using '=' for comparing TOTPs in the totp.verify function[1] is not safe from timing attacks.

- The function random() used in the totp.random_base32 function[2] is not a cryptographically secure random number generator.

[1]: https://github.com/pyramation/totp/blob/7ec3104/packages/totp/sql/launchql-totp--0.0.3.sql#L111

[2]: https://github.com/pyramation/totp/blob/7ec3104/packages/totp/sql/launchql-totp--0.0.3.sql#L121

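The two issues raised in the comment above (a comparison that is not constant-time, and a secret generator that is not a CSPRNG) shown against a minimal RFC 4226/6238 implementation that makes the hardened choices. This is an added example, not code from the linked extension or from any commenter; it assumes Python's standard library only (`hmac.compare_digest`, `secrets`) and uses the RFC test secret "12345678901234567890" in base32.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed test secret: base32 of the ASCII key "12345678901234567890" from RFC 4226/6238.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def hotp(secret_base32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    s = secret_base32.strip().upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_base32: str, now: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (floor(now / period))."""
    return hotp(secret_base32, now // period, digits)


def verify_totp(secret_base32: str, candidate: str, now: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or any of +/- `window` adjacent steps.

    A plain '==' (or SQL '=') on the digit strings can stop at the first differing
    character, so the time taken leaks how many leading digits matched.
    hmac.compare_digest takes the same time wherever the mismatch is.
    """
    counter = now // period
    matched = False
    for step in range(-window, window + 1):
        expected = hotp(secret_base32, counter + step, digits)
        # Evaluate every step rather than returning early on the first hit
        matched |= hmac.compare_digest(expected.encode(), candidate.encode())
    return matched


def random_base32(length: int = 32) -> str:
    """Shared-secret generator backed by the OS CSPRNG (secrets), not random.random()."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))
```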
The author's main SQL code seems to be in this file: https://github.com/pyramation/totp/blob/master/packages/totp/deploy/schemas/totp/procedures/generate_totp.sql

For comparison, these are my relatively short TOTP implementations in {TypeScript, Python, Java, Rust, C++}: https://www.nayuki.io/page/time-based-one-time-password-tools . I even have a 6-line Python function.

Author here. Here is the full code if anyone is interested: https://github.com/pyramation/totp/blob/master/packages/totp/sql/launchql-totp--0.0.3.sql

Cool! I remember seeing a pg TOTP implementation in this gist[1] before. Seems this extension was based off that?

[1]: https://gist.github.com/bwbroersma/676d0de32263ed554584ab132434ebd9