How to solve the problem of “Access Denied: Invalid token, wrong code”?

Question

A recent school project I was assigned has a coding challenge we have to complete. The challenge has multiple parts, and the final part is uploading to a private GitHub repo and submitting a completion request by making a POST request under certain conditions.

I have successfully completed the other parts of the challenge and am stuck on submitting the request. The submission has to follow these rules:

Build your solution request

First, construct a JSON string like below:

{

"github_url": "https://github.com/YOUR_ACCOUNT/GITHUB_REPOSITORY",

"contact_email": "YOUR_EMAIL"

}

Fill in your email address for YOUR_EMAIL, and the private Github repository with your solution in YOUR_ACCOUNT/GITHUB_REPOSITORY. Then, make an HTTP POST request to the following URL with the JSON string as the body part.

CHALLENGE_URL

Content type

The Content-Type: of the request must be application/json.

Authorization

The URL is protected by HTTP Basic Authentication, which is explained on Chapter 2 of RFC2617, so you have to provide an Authorization: header field in your POST request.

For the userid of HTTP Basic Authentication, use the same email address you put in the JSON string. For the password, provide a 10-digit time-based one time password conforming to RFC6238 TOTP. Authorization password

For generating the TOTP password, you will need to use the following setup:

You have to generate a correct TOTP password according to RFC6238 TOTP's Time Step X is 30 seconds. T0 is 0. Use HMAC-SHA-512 for the hash function, instead of the default HMAC-SHA-1. Token shared secret is the userid followed by ASCII string value "APICHALLENGE" (not including double quotations). Shared secret examples

For example, if the userid is "email@example.com", the token shared secret is "email@example.comAPICHALLENGE" (without quotes).

If your POST request succeeds, the server returns HTTP status code 200.

I have tried to follow this outline very carefully, and testing my work in different ways. However, it seems I can't get it right. We are supposed to make the request from a Node server backend. This is what I have done so far. I created a new npm project with npm init and installed the dependencies you will see in the code below:

const base64 = require('base-64');
const utf8 = require('utf8');

const { totp } = require('otplib');


const reqJSON = 
{
    github_url: GITHUB_URL,
    contact_email: MY_EMAIL
}
const stringData = JSON.stringify(reqJSON);

const URL = CHALLENGE_URL;
const sharedSecret = reqJSON.contact_email + "APICHALLENGE";

totp.options = { digits: 10, algorithm: "sha512" , epoch: 0}

const myTotp = totp.generate(sharedSecret);
const isValid = totp.check(myTotp, sharedSecret);

console.log("Token Info:", {myTotp, isValid});




const authStringUTF = reqJSON.contact_email + ":" + myTotp;
const bytes = utf8.encode(authStringUTF);
const encoded = base64.encode(bytes);



const createReq = async () =>
{

    try 
    {

        // set the headers
        const config = {
            headers: {
                'Content-Type': 'application/json',
                "Authorization": "Basic " + encoded
            }
        };

        console.log("Making req", {URL, reqJSON, config});

        const res = await axios.post(URL, stringData, config);
        console.log(res.data);
    }
    catch (err)
    {
        console.error(err.response.data);
    }
};

createReq();```
As far as I understand, I'm not sure where I'm making a mistake. I have tried to be very careful in my understanding of the requirements. I have briefly looked into all of the documents the challenge outlines, and gathered the necessary requirements needed to correctly generate a TOTP under the given conditions.

I have found the npm package otplib can satisfy these requirements with the options I have passed in.

However, my solution is incorrect. When I try to submit my solution, I get the error message, "Invalid token, wrong code". Can someone please help me see what I'm doing wrong?

I really don't want all my hard work to be for nothing, as this was a lengthy project.

Thank you so much in advance for your time and help on this. I am very grateful.

Answer 1

Try this code with hotp-totp-generator Library

const axios = require('axios');
const base64 = require('base-64');
const utf8 = require('utf8');
const hotpTotpGenerator = require('hotp-totp-generator');

const ReqJSON = {
  github_url: 'GITHUB_REPO',
  contact_email: 'YOUR_MAIL',
};

const stringData = JSON.stringify(ReqJSON);
const URL = 'CHALLENGE_URL';
const sharedSecret = ReqJSON.contact_email + 'SPECIAL_CODE';

const MyTOTP = hotpTotpGenerator.totp({
  key: sharedSecret,
  T0: 0,
  X: 30,
  algorithm: 'sha512',
  digits: 10,
});

const authStringUTF = ReqJSON.contact_email + ':' + MyTOTP;
const bytes = utf8.encode(authStringUTF);
const encoded = base64.encode(bytes);

const createReq = async () => {
  try {
    const config = {
      withCredentials: true,
      headers: {
        'Content-Type': 'application/json',
         Authorization: 'Basic ' + encoded,
      },
    };

    console.log('Making request', { URL, ReqJSON, config });

    const response = await axios.post(URL, stringData, config);
    console.log(response.data);
  } catch (err) {
    console.error(err.response.data);
  }
};

createReq();