Merge pull request #13 from azmeuk/non-ascii

lepture · web-flow · commit 77139586882c · 2025-05-07T23:06:06.000+09:00
avoid verify to raise an exception when the code argument is non-ascii
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -9,6 +9,13 @@ Changelog
 
 For **v1**, please head over to https://pythonhosted.org/otpauth/
 
+2.1.2
+-----
+
+**Unreleased**
+
+- Avoid ``verify`` to raise an exception when the ``code`` argument is non-ascii.
+
 2.1.1
 -----
 
diff --git a/src/otpauth/_rfc4226.py b/src/otpauth/_rfc4226.py
@@ -37,7 +37,10 @@ def verify(self, code: int, counter: int) -> bool:
         """
         if len(str(code)) > self.digit:
             return False
-        return hmac.compare_digest(self.string_code(self.generate(counter)), self.string_code(code))
+        try:
+            return hmac.compare_digest(self.string_code(self.generate(counter)), self.string_code(code))
+        except (TypeError, ValueError):
+            return False
 
     def to_uri(self, label: str, issuer: str, counter: int) -> str:
         """Generate the otpauth protocal string for HOTP.
diff --git a/src/otpauth/_rfc6238.py b/src/otpauth/_rfc6238.py
@@ -42,7 +42,11 @@ def verify(self, code: int, timestamp: t.Optional[int] = None) -> bool:
         """
         if len(str(code)) > self.digit:
             return False
-        return hmac.compare_digest(self.string_code(self.generate(timestamp)), self.string_code(code))
+
+        try:
+            return hmac.compare_digest(self.string_code(self.generate(timestamp)), self.string_code(code))
+        except (TypeError, ValueError):
+            return False
 
     def to_uri(self, label: str, issuer: str) -> str:
         """Generate the otpauth protocal string for TOTP.
diff --git a/tests/test_hotp.py b/tests/test_hotp.py
@@ -18,8 +18,11 @@ def test_verify(self):
         # due to not match
         self.assertFalse(self.hotp.verify(12345, 0))
 
+        self.assertFalse(self.hotp.verify("●●●●●●", 0))
+
         self.assertTrue(self.hotp.verify(170566, 0))
 
+
     def test_to_uri(self):
         uri = self.hotp.to_uri("Typlog:lepture.com", "Authlib", 0)
         expected = (
diff --git a/tests/test_totp.py b/tests/test_totp.py
@@ -19,6 +19,7 @@ def test_verify(self):
 
         # due to not match
         self.assertFalse(self.totp.verify(12345, FIXED_TIME))
+        self.assertFalse(self.totp.verify("●●●●●●", FIXED_TIME))
 
         self.assertTrue(self.totp.verify(129815, FIXED_TIME))
 
