I use the email MFA method to get an OTP code. Now if I logout and login quickly I am getting the same code.
According to https://datatracker.ietf.org/doc/html/rfc6238#section-5.2, "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."
However, I found in the def dispatch_message(self) implementation of class SendMailMessageDispatcher(AbstractMessageDispatcher) the following code:
context = {"code": self.create_code()}
The create_code function of AbstractMessageDispatcher returns the following:
self._get_otp().now()
where the _get_otp() returns a TOTP object.
Additionally, the authenticate_second_step_command just verifies the code via self._get_otp().verify(otp=code) and fails to burn an already used code after successful verification.
So, I think the reason I am getting the same code is OK, but does this mean the library didn't follow the RFC consideration? Or do you want the developers who use the package to implement our own burning mechanism? Could you please share some guidelines?
@mmfnaja trench currently uses time based one time passwords which are valid for the duration of the validity window. This also means a new code will not be generated until a new window opens.
Support for hash-based one time passwords is up for PR #206. It will increment a counter after each code, ensuring the next generated code is different. This is standard for methods like email or SMS as mentioned above.
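The behaviour discussed in this thread, shown as an added stand-alone example that is not django-trench's code and not taken from PR #206: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation built on the standard library, a TOTP verifier that records the last accepted time step so a code cannot be replayed within its window (RFC 6238 section 5.2), and an email-style HOTP device where the server owns the counter, so every code it sends differs from the previous one and is accepted at most once. The class and function names are invented for this example; the secret is the RFC 4226 / RFC 6238 test-vector key, so the expected codes are the published ones.

```python
import hashlib
import hmac
import struct

# RFC 4226 appendix D / RFC 6238 appendix B test-vector secret (demo only, not a real key).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at // step), digits)


def totp_codes_in_same_window(secret: bytes, t0: float, t1: float) -> tuple:
    """Reproduces the observation in this issue: two TOTP generations inside one
    30-second window (e.g. logout and log back in quickly) yield the identical code."""
    return totp(secret, t0), totp(secret, t1)


class BurningTotpVerifier:
    """TOTP verifier that burns an accepted code: it remembers the highest time step
    already consumed and refuses any candidate step at or below it (hypothetical class)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window            # accepted clock drift, in time steps
        self.last_accepted_step = None  # highest step whose code was already used

    def verify(self, code: str, at: float) -> bool:
        current = int(at // self.step)
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if self.last_accepted_step is not None and candidate <= self.last_accepted_step:
                continue  # this step's code was already consumed: replay rejected
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


class HotpEmailDevice:
    """Server-side HOTP for a delivery channel such as email or SMS (hypothetical class).
    The server holds the counter, so each code it sends is derived from a fresh counter
    value, and verification accepts an issued code once and then burns it."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0    # next counter value to issue
        self.consumed = -1  # highest counter value already accepted

    def create_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1   # increment after each code: the next code is different
        return code

    def verify(self, code: str) -> bool:
        # Only codes that were issued (counter < self.counter) and not yet consumed qualify.
        for c in range(self.consumed + 1, self.counter):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.consumed = c  # burn this code and any older outstanding ones
                return True
        return False


if __name__ == "__main__":
    print("same TOTP window:", totp_codes_in_same_window(RFC_SECRET, 31, 59))
    v = BurningTotpVerifier(RFC_SECRET)
    print("first TOTP use:", v.verify(totp(RFC_SECRET, 45), 45))
    print("replayed TOTP :", v.verify(totp(RFC_SECRET, 45), 50))
    d = HotpEmailDevice(RFC_SECRET)
    first, second = d.create_code(), d.create_code()
    print("HOTP codes differ:", first != second)
    print("HOTP first use:", d.verify(first), "replay:", d.verify(first))
```

With the RFC test key, counters 0 and 1 produce 755224 and 287082; any two TOTP generations between t=30 and t=59 both return 287082, which is the duplicate code reported above. The TOTP verifier still tolerates one step of clock drift but never accepts a step it has already consumed, and the HOTP device shows why a counter-based method suits email and SMS: generation and verification share one server-held counter, so no second copy of a code is ever accepted.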