feat(otp): ignore whitespaces

Some OTP applications (e.g. Authy) add them for nicer display.

@vates/otp/index.mjs

@@ -9,6 +9,15 @@ function assert(name, value) {
   }
 }
 
+const WHITESPACES = /\s+/g
+function cleanToken(otp) {
+  // remove whitespaces
+  //
+  // some OTP clients add whitespaces for better readability (e.g. `XXX XXX`)
+  // and users might be tempted to write them
+  return otp && otp.replace(WHITESPACES, '')
+}
+
 // https://github.com/google/google-authenticator/wiki/Key-Uri-Format
 function generateUri(protocol, label, params) {
   assert('label', typeof label === 'string')
@@ -64,7 +73,7 @@ export function generateHotpUri({ counter, digits, issuer, label, secret }) {
 }
 
 export async function verifyHotp(token, opts) {
-  return token === (await generateHotp(opts))
+  return cleanToken(token) === (await generateHotp(opts))
 }
 
 function totpCounter(period = 30, timestamp = Math.floor(Date.now() / 1e3)) {
@@ -85,6 +94,7 @@ export async function verifyTotp(token, { period, timestamp, window = 1, ...opts
   const counter = totpCounter(period, timestamp)
   const end = counter + window
   opts.counter = counter - window
+  token = cleanToken(token)
   while (opts.counter <= end) {
     if (token === (await generateHotp(opts))) {
       return true

CHANGELOG.unreleased.md

@@ -8,6 +8,7 @@
 > Users must be able to say: “Nice enhancement, I'm eager to test it”
 
 - [VM Creation] Automatically create a VTPM if the template requests it (Windows templates starting from XCP-ng 8.3) (PR [#7436](https://github.com/vatesfr/xen-orchestra/pull/7436))
+- [OTP] Accepts (ignores) whitespaces in the one-time password (some OTP applications add them for nicer display)
 
 ### Bug fixes
 
@@ -34,6 +35,7 @@
 
 <!--packages-start-->
 
+- @vates/otp minor
 - xo-server minor
 - xo-web patch