#  -*- text -*-
#
#  $Id: d1dc0cc20b2a0510b554d122846dfa7d9e8698e4 $

########################################################################
#
#  = Time-based One-Time Passwords (TOTP)
#
#  Defined in `rfc6238`, and used in Google Authenticator.
#
#  This module can only be used in the "authenticate" section.
#
#  The Base32-encoded secret should be placed into:
#
#	`&control.TOTP.Secret`
#
#  Any "bare" key should be placed into:
#
#	`&control.TOTP.Key`
#
#  If `TOTP.Key` exists, then it will be used instead of `TOTP.Secret`.
#
#  The TOTP password entered by the user should be placed into:
#
#	`&request.TOTP.From-User`
#
#  The module will return `ok` if the passwords match, and `fail`
#  if the passwords do not match.
#
#  NOTE: The crypto algorithms are HmacSHA1, HmacSHA256 and HmacSHA512.
#
#  NOTE: This module will *NOT* interact with Google. The module is
#  intended to be used where the local administrator knows the TOTP
#  secret key, and user has an authenticator app on their phone.
#
#  NOTE: Also that while you can use the Google "chart" APIs to
#  generate a QR code, doing this will give the secret to Google!
#
#  Administrators should instead install a tool such as "qrcode"
#
#	https://linux.die.net/man/1/qrencode
#
#  and then run that locally to get an image.
#

#
#  ## Configuration Settings
#
#  totp { ... }::
#
totp {
	#
	#  time_step:: Default time step between time changes.
	#
	time_step = 30

	#
	#  otp_length:: Length of the one-time password.
	#
	#  Must be 6 or 8
	#
	otp_length = 6

	#
	#  lookback_steps:: How many steps backward in time we look for a matching OTP.
	#
	lookback_steps = 1

	#
	#  lookforward_steps:: How many steps forward in time we look for a matching OTP.
	#
	lookforward_steps = 0

	#
	#  lookback_interval:: Time delta between steps.
	#
	#  Cannot be larger than `time_step`
	#
	lookback_interval = 30
}
