[GH-ISSUE #171] verifyKey always fail - simple demo #549

Closed
opened 2026-03-14 12:10:38 +03:00 by kerem · 1 comment

Originally created by @dayeggpi on GitHub (Jul 24, 2021).
Original GitHub issue: https://github.com/antonioribeiro/google2fa/issues/171

I am trying to implement a simple page to try this out.
I am able to generate a QR code, and I get the secret code.
I add the QR code to an app, and it works fine.
Then when I try to test the OTP code in order to validate it, it always fails.

Below is the code I have.

index.php :


```
<?php
require_once __DIR__ . '/vendor/autoload.php';

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = new Google2FA();

$g2faUrl = $google2fa->getQRCodeUrl(
    'pragmarx',
    'google2fa@pragmarx.com',
    $google2fa->generateSecretKey()
);

$writer = new Writer(
    new ImageRenderer(
        new RendererStyle(400),
        new ImagickImageBackEnd()
    )
);

$qrcode_image = base64_encode($writer->writeString($g2faUrl));
$secret = $google2fa->generateSecretKey();

?>
<img src="data:image/png;base64, <?php echo $qrcode_image; ?> "/>
<br/>
<?php echo $secret; ?>
```

I scan the QR code with my app, then I save $secret, keep the page open and open a new tab and go to url verif.php?secret=$secret&code=XXXXXX
with $secret being the $secret from output of index.php and XXXXXX being what the app gives me.

In verif.php I have the following :

```
<?php
require_once __DIR__ . '/vendor/autoload.php';

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = new Google2FA();

$secret = $_GET['secret'];
$check_this_code = $_GET['code'];

$valid = $google2fa->verifyKey($secret, $check_this_code);
if ($valid) {
    $msg = 'ok';
} else {
    $msg = 'not ok';
}
?>
<?php echo $msg; ?>
```

As there is no clear full code and always small parts of code, I find it difficult to implement.
I am new to that but I am trying.

Thanks for your help.

kerem closed this issue 2026-03-14 12:10:43 +03:00

@dayeggpi commented on GitHub (Jul 24, 2021):

my bad....I generate a second time "$secret = $google2fa->generateSecretKey();" which is therefore not the same secret as the QR code...hence it always fails...

changed index.php to the following and it all works better of course.

index.php

```
<?php

require_once __DIR__ . '/vendor/autoload.php';

use PragmaRX\Google2FA\Google2FA;
use BaconQrCode\Renderer\ImageRenderer;
use BaconQrCode\Renderer\Image\ImagickImageBackEnd;
use BaconQrCode\Renderer\RendererStyle\RendererStyle;
use BaconQrCode\Writer;

$google2fa = new Google2FA();
$secret = $google2fa->generateSecretKey(32);
$g2faUrl = $google2fa->getQRCodeUrl(
    'pragmarx',
    'google2fa@pragmarx.com',
    $secret
);

$writer = new Writer(
    new ImageRenderer(
        new RendererStyle(400),
        new ImagickImageBackEnd()
    )
);

$qrcode_image = base64_encode($writer->writeString($g2faUrl));

?>
<img src="data:image/png;base64, <?php echo $qrcode_image; ?> "/>
<br/>
<?php echo $secret; ?>
```
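
The mismatch described in this comment (the QR code built from one secret, the page showing another) can be caught with a small command-line self-check. This is an added example, not part of the original thread or the library's documentation; the helper `secretFromOtpauthUrl()` and the script layout are hypothetical, and it assumes `pragmarx/google2fa` is installed via Composer.

```php
<?php
// Added example: run from the command line next to vendor/.
require_once __DIR__ . '/vendor/autoload.php';

use PragmaRX\Google2FA\Google2FA;

/** Hypothetical helper: pull the Base32 secret out of an otpauth:// URL. */
function secretFromOtpauthUrl(string $url): ?string
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    $secret = $params['secret'] ?? null;
    return is_string($secret) ? $secret : null;
}

$google2fa = new Google2FA();

// Generate the secret exactly once and reuse this variable everywhere.
$secret = $google2fa->generateSecretKey(32);
$url = $google2fa->getQRCodeUrl('pragmarx', 'google2fa@pragmarx.com', $secret);

// Check 1: the secret the app scans is the one that will be stored/verified.
$embedded = secretFromOtpauthUrl($url);
if ($embedded === null || !hash_equals($secret, $embedded)) {
    fwrite(STDERR, "QR code and stored secret differ\n");
    exit(1);
}

// Check 2: a code derived from that secret verifies.
// getCurrentOtp() stands in for the authenticator app here.
$code = $google2fa->getCurrentOtp($secret);
var_dump((bool) $google2fa->verifyKey($secret, $code));

// Check 3: the bug from the issue. A second generateSecretKey() call gives
// an unrelated secret, so the same code is rejected against it
// (barring a chance collision between two 6-digit codes).
$otherSecret = $google2fa->generateSecretKey(32);
var_dump((bool) $google2fa->verifyKey($otherSecret, $code));
```

In a real page, keep the generated secret in server-side storage (session or database) and verify against that copy rather than reading it from a `secret` query parameter, which ends up in server logs and browser history.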