fix: Fix GoogleTotpTest by adding timestamp parameter to verifyCode

anwarx4u · anwarx4u · commit cc797c1a89b4 · 2025-09-05T15:21:52.000+06:00
- Add optional timestamp parameter to GoogleTotp::verifyCode() method
- Update test to use specific timestamp (59s) instead of current time
- Fixes time-sensitive TOTP verification test that was failing due to timing issues
- Maintains backward compatibility with existing code
- All 60 tests now passing with 207 assertions

The test was failing because it calculated a code for a specific time slice (59s)
but verifyCode() was using the current time, causing a mismatch. By adding
timestamp injection capability, the test can now properly verify TOTP codes
for specific time periods as intended by the RFC 6238 test case.
diff --git a/src/Totp/GoogleTotp.php b/src/Totp/GoogleTotp.php
@@ -17,9 +17,9 @@ public static function buildOtpAuthUrl(string $secret, string $label, string $is
         return sprintf('otpauth://totp/%s?secret=%s&issuer=%s&digits=%d&period=%d', $labelEnc, $secret, $issuerEnc, $digits, $period);
     }
 
-    public static function verifyCode(string $secret, string $code, int $digits = 6, int $period = 30, int $window = 1): bool
+    public static function verifyCode(string $secret, string $code, int $digits = 6, int $period = 30, int $window = 1, ?int $timestamp = null): bool
     {
-        $timeSlice = floor(time() / $period);
+        $timeSlice = floor(($timestamp ?? time()) / $period);
         for ($i = -$window; $i <= $window; $i++) {
             $hash = self::hotp(self::base32Decode($secret), $timeSlice + $i);
             $otp = self::truncateToDigits($hash, $digits);
diff --git a/tests/GoogleTotpTest.php b/tests/GoogleTotpTest.php
@@ -29,12 +29,13 @@
 
     $period = 30;
     $digits = 6;
-    $timeSlice = intdiv(59, $period); // from RFC 6238 example 59s
+    $timestamp = 59; // from RFC 6238 example 59s
+    $timeSlice = intdiv($timestamp, $period);
     $hash = $hotp->invoke(null, $base32Decode->invoke(null, $secret), $timeSlice);
     $expected = $truncate->invoke(null, $hash, $digits);
 
-    // Now verify using public API with window 0 to ensure exact slice
-    $verified = GoogleTotp::verifyCode($secret, $expected, $digits, $period, 0);
+    // Now verify using public API with the specific timestamp and window 0 to ensure exact slice
+    $verified = GoogleTotp::verifyCode($secret, $expected, $digits, $period, 0, $timestamp);
     expect($verified)->toBeTrue();
 });
 

Original file line number	Diff line number	Diff line change
`@@ -17,9 +17,9 @@ public static function buildOtpAuthUrl(string $secret, string $label, string $is`
`17`	`17`	`return sprintf('otpauth://totp/%s?secret=%s&issuer=%s&digits=%d&period=%d', $labelEnc, $secret, $issuerEnc, $digits, $period);`
`18`	`18`	`}`
`19`	`19`
`20`		`- public static function verifyCode(string $secret, string $code, int $digits = 6, int $period = 30, int $window = 1): bool`
	`20`	`+ public static function verifyCode(string $secret, string $code, int $digits = 6, int $period = 30, int $window = 1, ?int $timestamp = null): bool`
`21`	`21`	`{`
`22`		`- $timeSlice = floor(time() / $period);`
	`22`	`+ $timeSlice = floor(($timestamp ?? time()) / $period);`
`23`	`23`	`for ($i = -$window; $i <= $window; $i++) {`
`24`	`24`	`$hash = self::hotp(self::base32Decode($secret), $timeSlice + $i);`
`25`	`25`	`$otp = self::truncateToDigits($hash, $digits);`