xlzd / gotp
Golang OTP(One-Time Password) Library.
License: MIT License
Hi, I tried to generate an OTP of 10 digits (I understand that OTPs of more than 6-8 digits are really unusual) but the generateOTP() is capping it to 9 digits.
I think the problem is since line 51 (otp.go) clamps to 31b and 1<<31 < 1e10, this can't be more than 9.
I am ok with 9 being a limit, but that should probably be clearly documented and/or asserted somewhere.
Thanks
Calls time Now() and At() can panic if the secret is invalid, but there's no safe way using this library to check if the secret is valid without handling the panic.
Providing a non-panic method for checking this would be ideal (IsValid() or something which could return the err from byteSecret() instead of panicking).
Most APIs should not panic and should just push errors up the stack instead.
Line 42 in fab697c
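An added example, not gotp's code: a standard-library RFC 4226 implementation illustrating the two reports above, the 31-bit truncation that caps codes at 9 digits and an invalid secret reported as an error rather than a panic. The names `DecodeSecret`, `Truncate31`, `HOTP` and `MaxDigits` are hypothetical, and the secret in `main` is the RFC 4226 test key encoded as base32.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
)

// MaxDigits: the truncated value has 31 bits (max 2147483647 < 1e10), so 9 digits is the ceiling.
const MaxDigits = 9

// DecodeSecret validates an upper-case base32 secret (padding optional) and returns an error, never panics.
func DecodeSecret(secret string) ([]byte, error) {
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(strings.TrimRight(secret, "="))
	if err == nil && len(key) == 0 {
		err = fmt.Errorf("empty secret")
	}
	return key, err
}

// Truncate31 is RFC 4226 dynamic truncation: HMAC-SHA1 over the counter, then a 31-bit window.
func Truncate31(key []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // low nibble of the last byte selects the window
	return binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
}

// HOTP returns a zero-padded code and rejects digit counts the truncation cannot fill.
func HOTP(secret string, counter uint64, digits int) (string, error) {
	if digits < 1 || digits > MaxDigits {
		return "", fmt.Errorf("digits must be 1..%d, got %d", MaxDigits, digits)
	}
	key, err := DecodeSecret(secret)
	if err != nil {
		return "", fmt.Errorf("invalid secret: %w", err)
	}
	return fmt.Sprintf("%0*d", digits, Truncate31(key, counter)%uint32(math.Pow10(digits))), nil
}

func main() {
	fmt.Println(HOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 0, 10)) // constructed input: RFC 4226 test key
}
```

A TOTP code is the same computation with the counter set to the Unix time divided by the step length.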
Hi, I've stumbled on your library and like it! While I was testing I noticed this.
Most accounts are linked to email addresses that obviously include '@' symbol.
Any reason why we are URL Escaping the account?
Problem is when passing the URI to a QR code generator the email is translated to ....%40domain.com
package main

import (
	"fmt"

	"github.com/xlzd/gotp"
)

func main() {
	// Generate a random secret and a default TOTP instance from it
	secret := gotp.RandomSecret(16)
	totp := gotp.NewDefaultTOTP(secret)
	fmt.Println(totp.NowWithExpiration())
	fmt.Println(totp.OTP)
	// Build the otpauth:// provisioning URI
	url := totp.ProvisioningUri("jw", "jwrookie")
	fmt.Println(url)
}
---------------output---------------
440823 1651462380
{ZOTQH5DBJ5RML7W4D24F2F5HDE====== 6 0xc0000a4018}
otpauth://totp/jwrookie:jw?issuer=jwrookie&secret=ZOTQH5DBJ5RML7W4D24F2F5HDE%3D%3D%3D%3D%3D%3D
---------------expectations---------------
440823 1651462380
{ZOTQH5DBJ5RML7W4D24F2F5HDE 6 0xc0000a4018}
otpauth://totp/jwrookie:jw?issuer=jwrookie&secret=ZOTQH5DBJ5RML7W4D24F2F5HDE
Using the current time as a random seed opens the library up to timing attacks if the time that the user enabled OTP can be guessed. Worse, some sites may record this as a matter of courtesy for example to display "You have had OTP enabled since October 2018".
The TOTP algorithm has a parameter to control the step length, but I didn't find it. Please ...
// Generate the current time OTP and expiration time
func (t *TOTP) NowWithExpiration() (string, int64) {
	interval64 := int64(t.interval)
	timeCodeInt64 := time.Now().Unix() / interval64
	expirationTime := (timeCodeInt64 + 1) * interval64
	return t.generateOTP(int(timeCodeInt64)), expirationTime
}
more readable BuildUri by using net/url
randomSecret := gotp.RandomSecret(16)
fmt.Println("Random secret:", randomSecret)
// Convert string to byte slice
byteSlice := []byte(randomSecret)
// Get the length of the byte slice (number of bytes)
byteLength := len(byteSlice)
fmt.Println("size",byteLength) //26
This causes an issue when scanning the generated QR code of the provisioning URI directly with Google Authenticator on iPhone
Good afternoon;
In the totp.go function "At" you've got an 'int' timestamp - presumably a UNIX time integer - being fed into that function.
Seeing as you've already got "time" as a dependency, perhaps it might be better for that to be a "Time" object? This way, users of the library can have the Time functions calculate the various windows and such rather than having to extract the current or future time, do the conversion, and then convert to an int to feed into that function.
I already have to call https://golang.org/pkg/time/#Unix to get that, after all
key := viper.GetString("totp")
code := gotp.NewDefaultTOTP(k).Now()
is causing this problem.
Pull request #8 - adds lowercase, numbers and special characters to the set permitted for use in RandomSecret().