Skip to content

typing improvements #184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

typing improvements #184

wants to merge 7 commits into from

Conversation

jap
Copy link

@jap jap commented Sep 15, 2025
edited
Loading

This series of commits brings some typing improvements, but also adds the option to return the timecode that matched when verifying a TOTP, which is a feature in passlib.totp but that project appears to no longer be maintained.

  • Add option to return the timecode that matched when verifying TOTP.
  • typing: accept float for timestamp values
  • typing: add explicit isinstance asserts to tests
  • typing: don't construct TOTP instances with a secret that is bytes
  • tests: make the Timecop more pythonic
  • refactor: remove testing of stdlib code
  • lint: perform typing checks on test.py as well

@jap jap marked this pull request as ready for review September 15, 2025 12:11
jap added 7 commits September 17, 2025 12:51
@jap
Add option to return the timecode that matched when verifying TOTP.
e9f4498 
This adds a boolean option `return_timecode` to TOTP.verify that
changes its return value on success to an integer containing the
timecode that was used to generate the matching OTP.

This is especially useful when `valid_window` is not 0, as then
several values might be valid at the same moment. If an implementation
compares just the bare OTP, replaying a recent value is possible.
By comparing timecodes, that can be prevented, as they are strictly
increasing.

The patch also fixes a minor typing issue, as the `for_time` argument
can also be an number - there even is a test that calls it like this.

Finally, the special case for `valid_window == 0` has been removed as
it is a micro-optimization that only leads to repeated code.
@jap
typing: accept float for timestamp values
fb49577 
Tests were already passing -29.5 to `TOTP.at`; note that casting a
float to an int in Python just strips off the fractional part (like
`floor(3)`). Because TOTP intervals are integers, this means that this
rounding off operation does not change which interval the timestamp is
in so we can do this safely.
@jap
typing: add explicit isinstance asserts to tests
14c8945 
This allows mypy to infer that the called methods actually exist.

Note that two self.assertIsInstance got replaced by these; the tests
will still fail on type mismatch.
@jap
typing: don't construct TOTP instances with a secret that is bytes
9ff08b8 
This accidentally worked but the typing police does not like it.
@jap
tests: make the Timecop more pythonic
0a964ba
@jap
refactor: remove testing of stdlib code
86a1bca 
This removes a bunch of test calls against compare_digest which is
imported from the standard library, and not exposed to users of this
library.

Mypy also did not like this.
@jap
lint: perform typing checks on test.py as well
acd7917
@jap jap force-pushed the typing-improvements branch from 8143db2 to acd7917 Compare September 17, 2025 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jap