I'd call this 7 lines rather than 20. The rest is function definition and argument parsing. But really it should be just 1:
pyotp.TOTP('base32secret3232').now()
Why is this relevant? Because it's inadvisable to write security related software if you're not prepared to take on the full range of possible problems that introducing another security library brings (CVEs, supply chain security, etc.). The adage that doing security right requires doing everything right. Doing security wrong only takes 1 thing.
To be very clear, I don’t use this, but I confirmed it does work and generates the same codes as the linked article. Requires Bash (3+) and doesn’t work as written in Zsh.
The other "bash" one-liner references a bunch of tools that are not part of bash or even a POSIX environment. FWIW I would rather use oathtool than the other monstrosity.
> The other "bash" one-liner references a bunch of tools that are not part of bash or even a POSIX environment.
You do understand that there is a commonly accepted definition of a bash one-liner and that the one I shared fits that definition spot on, right? Further, there is a bunch of very Bash specific code in it that doesn't work in most other Posix compliant shells, so your scare quotes feel even more like a failed trolling attempt.
> FWIW I would rather use oathtool than the other monstrosity.
So would any sane person. The point wasn't what you should use, it was what is possible, which if you had read comments up the thread chain and tried to understand the context rather than making it a pissing contest about which tool is better when that wasn't even the question at hand.
> You do understand that there is a commonly accepted definition of a bash one-liner and that the one I shared fits that definition spot on, right?
We both disagree with you. What would that definition be?
The one-liner in question doesn't have any of bash's syntax in it. You could pass those words to execve() directly, without any shell, and it would still work. Calling it a line of bash code is just wrong.
Similarly, would you say this is a PHP one-liner? You can run it through PHP, but it contains no PHP syntax:
I had decided to back away, so thank you for pointing that out! There’s not just Bash syntax in mine, but rather advanced Bash that many terminal users wouldn’t recognize, so I was confused wth GP was on about until you pointed out he was probably referring to the other post which seemingly was trolling.
> We both disagree with you. What would that definition be?
A “bash one-liner” as in common use is a chain of commands using any combination of pipes, subshells, variables, tests, loops, etc.
The distinction between a “bash one-liner” and a “bash script” is that extraneous white space is removed and generally speaking should still be readable.
Admittedly mine is pushing the limits of readability do to the advanced bash syntax, but I still feel it qualifies.
Also, just because my reply was threaded two levels below yours doesn’t mean I was replying to you. I had upvoted you in fact as I actually agree with you re: oathtool example. The party I was replying to actually doesn’t agree with you and thinks that the oathtool example is a “bash one-liner” and that because I call other basic Unix commands mines not, which is just silliness.
I'm not making fun of your bash, a lot of bash one-liners are, essentially, tongue-in-cheek and not intended for daily use.
What I take issue with is the arbitrary point made by the post I replied to that using oathtool is somehow not "bash one-liney", whereas your attempt is somehow "bash one-liney".
Could I make a bash one-liner that uses a rube goldberg machine of echo, netcat, dd, ed etc. to make a HTTP request? Yeah I could, or I could just use curl and it's also still a valid "bash" one-liner.
> Could I make a bash one-liner that uses a rube goldberg machine of echo, netcat, dd, ed etc. to make a HTTP request? Yeah I could
Can you paste your bash one-liner here?
As previously, I’m interested in seeing your Rube Goldberg machine, and mainly for adoration, not practical use. `curl`, as previously, would not qualify.
The basics is something like `printf "GET /\r\n" | nc neverssl.com 80` (interestingly this is considered a HTTP 0.9 request, which HTTP 1.0 compliant servers need to handle).
Add in few useless pipes to cat and dd, and you got yourself a Rube Goldberg machine.
> interestingly this is considered a HTTP 0.9 request, which HTTP 1.0 compliant servers need to handle
For GP, the reason this is an HTTP/0.9 request is because it doesn’t specify a version number on the GET line (HTTP/1.0 would require that to be “GET / HTTP/1.0\r\n\r\n”). HTTP/0.9 was the “one-line” version of HTTP before headers and such were added. Not sure if @22c intended the pun there, but if so, we’ll played!
It’s not “fluff”, it’s overhead. The real work there is done in about 4 lines (which could be compacted to two and still be somewhat readable). The rest as someone else already said, imports, helper functions (there’s no technical need for totp to just be a wrapper around hotp unless you want to expose hotp or be illustrative), function overhead, etc.
That said, TOTP shouldn’t be treated as code golf, especially in production code. The point is the protocol is trivially simple to implement not that it’s X lines in Y language.
Ah, okay. It doesn't appear overly golfed to me. It felt like the point of publishing it was probably similar to what you're saying. That the TOTP algorithm isn't terribly complicated.
It's not golfed at all, it's more or less where you get when you implement TOTP by hand from the RFCs.
Except for the final reduction, which in the RFC is implemented via a mod, and the base32 decoding, which is not part of either HOTP or TOTP RFCs, but is instead part of the ad hoc "key uri" format. Which is a funny spec because it was defined for Google Authenticator yet AFAIK GA uses none of the parametrisation so that's only useful if you specifically want to exclude GA users.
Not pictured: the wall of incomprehensible math code implementing SHA1. Most languages do not provide such implementations by default so I struggle to really call this only 20 lines.
The hmac can be forgiven, in my opinion. But the ~30 lines of code for the Python stdlib's Base32-decoder, which would inflate the line count by 150%, is harder to forgive.
Base32? The hard part is to implement QR code scanning across a range of different cameras, lighting conditions and shaky hands. Not to mention melting your own sand to make silicon.
