Secure number generator verification authentication

Question

My code generates a random sequence of letters/numbers using secure random number generator, but when going to verify the code in the console, the verification fails. Also, is there a way to save a single generated for a certain amount of time.

import java.security.SecureRandom;
import java.util.Base64;
import java.util.Base64.Encoder;
import java.util.Scanner;

public class PasswordGenerator {


public void generatePassword() {
        System.out.println(generateSafeToken());
    }

private String generateSafeToken() {
    SecureRandom random = new SecureRandom();
    byte bytes[] = new byte[20];
    random.nextBytes(bytes);
    Encoder encoder = Base64.getUrlEncoder().withoutPadding();
    String token = encoder.encodeToString(bytes);
    return token;
}

public void verify() {
    Scanner sc = new Scanner(System.in);
    System.out.println("Enter code: ");
    String myToken = sc.next();
    if (generateSafeToken().equals(myToken)) {
        System.out.println("Code Verified");
}
    System.out.println("Not Verified");
    sc.close();
}

}

Answer 1

You're generating a new token and trying to validate against that one:

if (generateSafeToken().equals(myToken))

It's highly unlikely that the two randomly generated tokens would be the same. Instead, store the first one and compare with the stored value. Could be something as simple as:

private string randomToken;

public void generatePassword() {
    this.randomToken= generateSafeToken();
    System.out.println(this.randomToken);
}

Then later compare against it:

String myToken = sc.next();
if (this.randomToken.equals(myToken)) {
    System.out.println("Code Verified");
} else {
    System.out.println("Not Verified");
}

As you expand your logic you could put in some error checking for null values, ensure your methods are called in the intended order, perhaps store the token elsewhere outside the class, etc. (On that last one, for example, in a registration system where a token is sent to a user in an email and later verified you'd need to persist it somewhere, such as in a database.)

Answer 2

the problem is that it is invoking the generateSafeToken method in verify method instead Save token previously generated on a map with the vigency date

private static final Map<String, Calendar> TOKENS = new HashMap<>();

save in map token when is generated with vigency date (ej 2 hours)

public void generatePassword() {
      String token = generateSafeToken();
      Calendar valideEnd = Calendar.getInstance();
      valideEnd.add(Calendar.HOUR, 2);
      TOKENS.put(token, valideEnd);
      System.out.println(token);
}

in verify search token in map and compare vigency date with current date

 public void verify() {
        Scanner sc = new Scanner(System.in);
        System.out.println("Enter code: ");
        String myToken = sc.next();
        if (TOKENS.containsKey(myToken) && TOKENS.get(myToken).after(Calendar.getInstance())) {
            System.out.println("Code Verified");
        } else {
           System.out.println("Not Verified");
        }
        sc.close();
    }