[Security] window not taking transmission delay into account #708
Description
Is your feature request related to a problem? Please describe.
Issue #22 quoted the following part of RFC 6238 :
The validation system should compare OTPs not only with the receiving timestamp but also the past timestamps that are within the transmission delay.
And so, a window option was added and implemented as follows :
Option Type Description window integer,
[number, number]Tokens in the previous and future x-windows that should be considered valid.
If integer, same value will be used for both.
Alternatively, define array:[past, future]
Which means that even with the most conservative window = [1, 0], 2 codes are always valid at any time : previous and current, even if we're 29 seconds into a current 30-second window.
Except the abovementioned spec's transmission delay definitely isn't 29 seconds, in most cases, it shouldn't exceed 5 seconds.
Describe the solution you'd like
A new option as a number of seconds (e.g. timeWindow) would allow accepting the previous code for that many seconds into the current window and not more.
Describe alternatives you've considered
None
Additional context
None
Thanks