Commit
Merge pull request #195 from spaze/spaze/default-window
The default validation window is 1, not 4
antonioribeiro authored Oct 13, 2024
2 parents 0f60738 + 96d7d9e commit 8aee071
Showing 2 changed files with 8 additions and 1 deletion.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -267,7 +267,7 @@ sudo service ntp start

## Validation Window

To avoid problems with clocks that are slightly out of sync, we do not check against the current key only but also consider `$window` keys each from the past and future. You can pass `$window` as optional third parameter to `verifyKey`, it defaults to `4`. A new key is generated every 30 seconds, so this window includes keys from the previous two and next two minutes.
To avoid problems with clocks that are slightly out of sync, we do not check against the current key only but also consider `$window` keys each from the past and future. You can pass `$window` as optional third parameter to `verifyKey`, it defaults to `1`. When a new key is generated every 30 seconds, then with the default setting, keys from one previous, the current, and one next 30-seconds intervals will be considered. To the user with properly synchronized clock, it will look like the key is valid for 60 seconds instead of 30, as the system will accept it even when it is already expired for let's say 29 seconds.

```php
$secret = $request->input('secret');
Expand All @@ -277,6 +277,8 @@ $window = 8; // 8 keys (respectively 4 minutes) past and future
$valid = $google2fa->verifyKey($user->google2fa_secret, $secret, $window);
```

Setting the `$window` parameter to `0` may also mean that the system will not accept a key that was valid when the user has seen it in their generator as it usually takes some time for the user to input the key to the particular form field.

An attacker might be able to watch the user entering his credentials and one time key.
Without further precautions, the key remains valid until it is no longer within the window of the server time. In order to prevent usage of a one time key that has already been used, you can utilize the `verifyKeyNewer` function.

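Review bot: the new README sentence has two grammatical slips worth fixing in this hunk: "one next 30-seconds intervals" should read "one next 30-second interval", and "To the user with properly synchronized clock" should read "To a user with a properly synchronized clock". It would also help readers to state the arithmetic the sentence relies on: with `$window` of `1` the server accepts three consecutive 30-second intervals (90 seconds in total), which is why a key that has already expired by up to 29 seconds is still accepted and the user perceives a 60-second lifetime. Finally, the retained example comment `$window = 8; // 8 keys (respectively 4 minutes) past and future` now reads as the only concrete number near the text, so consider mentioning that `8` is deliberately wider than the default of `1`.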
5 changes: 5 additions & 0 deletions tests/Google2FATest.php
Expand Up @@ -628,6 +628,11 @@ public function testConvertsToBase32()
);
}

public function testDefaultWindow()
{
$this->assertEquals(1, $this->google2fa->getWindow());
}

public function testSetsTheWindow()
{
$this->google2fa->setWindow(6);
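Review bot: `testDefaultWindow` only checks `getWindow()` returns `1`; it does not exercise the behaviour the README hunk describes, namely that `verifyKey` called without a third argument uses that default. Consider adding a test that calls `verifyKey($secret, $key)` with a key generated for the adjacent 30-second interval (should be accepted) and one generated two intervals away (should be rejected), so a future change to the default or to the way `verifyKey` reads `$window` is caught rather than only the getter's return value.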

0 comments on commit 8aee071