An OTP code receiver/server/forwarder.
otpbase is a server which, in conjunction with Twilio, can be used to receve OTP codes via SMS, store them for a brief period of time, and forward them to another phone number. The use case it was built for is ability to access the OTP codes for applications and services which only offer the option to send the codes via SMS messages (or proprietary applications) in a generic way.
otpbase can also generate TOTP codes. This functionality is similar to what Google Authenticator provides.
In order to use otpbase, the following setup is necessary:
- A Twilio account.
- A phone number in Twilio. These cost money, however a US phone number with SMS support costs $1/month at the time of this writing. There are also per-SMS fees, though again at the time of this writing they are under 1 cent/message for US phone numbers.
- Configure Twilio to invoke otpbase as a web hook via POST.
- If desired, configure otpbase to forward the messages to another phone number.
otpbase's dependencies are managed with go-get-deps.
otpbase recognizes the following environment variables at runtime:
- DEBUG: enable Gin debug mode
- DB_PATH: Path to database file for storing TOTP application tokens
- PORT: port number to bind to (default is 8092)
- HTTP_USER: enable HTTP authentication for retrieving OTP codes, specify the user name
- HTTP_PASSWORD: enable HTTP authentication for retrieving OTP codes, specify the password
To view codes received from SMSes: http://localhost
To add an application for generating OTP codes:
curl -d 'name=myapp&secret=OTPSECRET' http://localhost/apps
Then to retrieve an OTP code: http://localhost/apps/myapp
When I gave a Twilio SMS number to Google for MFA, Google accpted the number but never sent any messages to it. I imagine Google knows whether each phone number in existence is attached to a physical phone or not, or at the very least has this as one of their goals. This makes the SMS part of otpbase unusable for Google MFA. Fortunately it is possible to set up otpbase in lieu of using Google Authenticator, which Google so far accepts.
2 clause BSD