From d996779182fb50d9424c10d4702ac3320d6418b1 Mon Sep 17 00:00:00 2001
From: Matthijs
Date: Fri, 17 Nov 2023 13:53:13 +0100
Subject: [PATCH 1/3] Changed default secret bits from 80 to 160 as recommended by RFC4226 https://www.ietf.org/rfc/rfc4226.txt (and TOTP refers to RFC4226, see https://www.ietf.org/rfc/rfc6238.txt)

---
 lib/TwoFactorAuth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/TwoFactorAuth.php b/lib/TwoFactorAuth.php
index f3f867e..6517e6e 100644
--- a/lib/TwoFactorAuth.php
+++ b/lib/TwoFactorAuth.php
@@ -51,7 +51,7 @@ public function __construct(
     /**
      * Create a new secret
      */
-    public function createSecret(int $bits = 80, bool $requirecryptosecure = true): string
+    public function createSecret(int $bits = 160, bool $requirecryptosecure = true): string
     {
         $secret = '';
         $bytes = (int)ceil($bits / 5); // We use 5 bits of each byte (since we have a 32-character 'alphabet' / BASE32)

From 319a58a001279100cc3627e28a08a4453ad80b60 Mon Sep 17 00:00:00 2001
From: Matthijs
Date: Mon, 4 Mar 2024 16:16:31 +0100
Subject: [PATCH 2/3] Update IRNGProviderTest.php

---
 tests/Providers/Rng/IRNGProviderTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/Providers/Rng/IRNGProviderTest.php b/tests/Providers/Rng/IRNGProviderTest.php
index 7ff40c8..e3da0c2 100644
--- a/tests/Providers/Rng/IRNGProviderTest.php
+++ b/tests/Providers/Rng/IRNGProviderTest.php
@@ -34,7 +34,7 @@ public function testCreateSecretDoesNotThrowOnSecureRNGProvider(): void
         $rng = new TestRNGProvider(true);
         $tfa = new TwoFactorAuth('Test', 6, 30, Algorithm::Sha1, null, $rng);
 
-        $this->assertSame('ABCDEFGHIJKLMNOP', $tfa->createSecret());
+        $this->assertSame('ABCDEFGHIJKLMNOPQRSTUVWXYZ234567', $tfa->createSecret());
     }
 
     public function testCreateSecretGeneratesDesiredAmountOfEntropy(): void

From d4a5026d86c9ed49c66a4fde8b86773f848c69c7 Mon Sep 17 00:00:00 2001
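Review bot: The new default on the `+` line doubles the generated secret from 16 to 32 Base32 characters (ceil(160 / 5), per the `$bytes` line), yet the docblock `Create a new secret` still says nothing about size, so a caller reading the signature cannot tell that persisted output grows; anything storing the secret in a width-limited column sized for the old 16 characters would presumably truncate it and make later code verification fail, which deserves a changelog and docblock note. I would extend the docblock to `* Create a new secret of $bits bits of entropy, returned as ceil($bits / 5) Base32 characters (32 with the 160-bit default recommended by RFC 4226 R6; the previous default of 80 yielded 16).` The rest of createSecret's body lies outside the hunk.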
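Review bot: The updated assertion pins only the no-argument path, so the test can no longer tell a changed default apart from a changed byte-to-character mapping, and the literal does not say why 32 characters is expected. Adding `$this->assertSame(32, strlen($tfa->createSecret()));` states the intent (160 bits / 5 bits per character), and keeping `$this->assertSame('ABCDEFGHIJKLMNOP', $tfa->createSecret(80));` on a fresh instance pins the explicit-bits behaviour the old assertion covered — assuming TestRNGProvider yields the same byte sequence per call, which is not visible here. The test method's signature is only the hunk's function context, so its start lies outside the hunk.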
From: Rob Janssen
Date: Wed, 17 Apr 2024 20:43:49 +0200
Subject: [PATCH 3/3] Revert back to the intended 160 bits

---
 lib/TwoFactorAuth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/TwoFactorAuth.php b/lib/TwoFactorAuth.php
index 52d09ab..82b8501 100644
--- a/lib/TwoFactorAuth.php
+++ b/lib/TwoFactorAuth.php
@@ -52,7 +52,7 @@ public function __construct(
     /**
      * Create a new secret
      */
-    public function createSecret(int $bits = 80): string
+    public function createSecret(int $bits = 160): string
     {
         $secret = '';
         $bytes = (int)ceil($bits / 5); // We use 5 bits of each byte (since we have a 32-character 'alphabet' / BASE32)
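Review bot: Restoring the 160-bit default matches the RFC 4226 R6 recommendation the series cites, but the `+` line still accepts any `$bits`, so `createSecret(40)` quietly returns an 8-character secret far below the 128-bit minimum that same requirement says a shared secret MUST have, and nothing in the visible body (`$secret = ''; $bytes = (int)ceil($bits / 5);`) rejects it. A guard at the top of the body, `if ($bits < 128) { throw new \InvalidArgumentException('Secret must be at least 128 bits (RFC 4226 R6)'); }` (or the library's own exception type, if it has one), would enforce the floor; since explicit callers still passing 80 would then start failing, that is a deliberate behavioural change to call out in the changelog, and at minimum the docblock `Create a new secret` should state the 128-bit floor and the 160-bit default. createSecret's body continues past the end of the hunk.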