GitBucket
HIROSE Yuuji
OneTimePassword auth example
Terminology
auth=Authentication, tmp=Temporary
Common Procedure
- Clone this
- cd $TOP/otp
WebSocket mode
- ./otp.rb
- Open http://localhost:3000/otp.html
CGI mode
- ./web.rb
- ./otp-cgi.rb
- Open http://localhost:3000/otp-cgi.html
OTP Procedure for WebSocket
| Client | Data Flow | Server | Person |
|---|---|---|---|
| (First Access) | Nothing | ||
| Username(email) | --> | (store) | |
| (storage) | <-- | tmpKey | |
| .. | passcode | --> get via email | |
| Passcode+tmpKey | --> | Verify | |
| (storage) | <-- | SessionKey | |
| Sessionkey | --> | Set AuthFlag for connection channel |
All keys and passcodes are stored in databases(server side) or localStorage(browsers).
OTP Procedure for CGI
| Client | Data Flow | Server | Person |
|---|---|---|---|
| Username(email) | --> | (store) | |
| (storage) | <-- | tmpKey | |
| .. | passcode | --> get via email | |
| .. | exits | ||
| .. | ------- | ||
| Passcode+tmpKey | --> | Verify | |
| (storage) | <-- | SessionKey | |
| .. | exits | ||
| .. | ------- | ||
| User+Sessionkey | --> | Auth OK | |
| (expand to view) | <-- | Any answers | |
| .. | exits | ||
| .. | ------- |
Difference between CGI and WebSocket Servers
CGI server
One response for one request 
WebSocket server
Persist connection per session.
One server for multi clients. 