xlzd / gotp Goto Github PK

Hi, I tried to generate and OTP fo 10 digits (I understand that OTPs of more thatn 6-8 digits are really unusual) but the generateOTP() is capping it to 9 digits.
I think the problem is since line 51 (otp.go) clamps to 31b and 1<<31 < 1e10, this can't be more than 9.
I am ok with 9 being a limit, but that should probably be clearly documented and/or asserted somewhere.
Thanks

Calls time Now() and At() can panic if the secret is invalid, but there's no safe way using this library to check if the secret is valid without handling the panic.

Providing a non-panic method for checking this would be ideal (IsValid() or something which could return the err from byteSecret() instead of panicing).

Most APIs should not panic and should just push errors up the stack instead.

Hi, I've stumbled on your library and like it! While I was testing I noticed this.
Most accounts are linked to email addresses that obviously include '@' symbol.
Any reason why we are URL Escaping the account?

Problem is when passing the URI to a QR code generator the email is translated to ....%40domain.com

package main

import (
	"fmt"
	"github.com/xlzd/gotp"
	"strings"
)

func main() {
	secret := gotp.RandomSecret(16)
	totp := gotp.NewDefaultTOTP(secret)

	fmt.Println(totp.NowWithExpiration())
	fmt.Println(totp.OTP)

	url := totp.ProvisioningUri("jw", "jwrookie")
	fmt.Println(url)
}

---------------output---------------
440823 1651462380
{ZOTQH5DBJ5RML7W4D24F2F5HDE====== 6 0xc0000a4018}
otpauth://totp/jwrookie:jw?issuer=jwrookie&secret=ZOTQH5DBJ5RML7W4D24F2F5HDE%3D%3D%3D%3D%3D%3D

---------------expectations---------------
440823 1651462380
{ZOTQH5DBJ5RML7W4D24F2F5HDE 6 0xc0000a4018}
otpauth://totp/jwrookie:jw?issuer=jwrookie&secret=ZOTQH5DBJ5RML7W4D24F2F5HDE

Using the current time as a random seed opens the library up to timing attacks if the time that the user enabled OTP can be guessed. Worse, some sites may record this as a matter of courtesy for example to display "You have had OTP enabled since October 2018".

The example secret size should be doubled from 16 to 32 bytes. See #3 and PR12 for additional color.

TOTP algorithm has the param of control step length , but I don't found it. Please ...

// Generate the current time OTP and expiration time
func (t *TOTP) NowWithExpiration() (string, int64) {
	interval64 := int64(t.interval)
	timeCodeInt64 := time.Now().Unix() / interval64
	expirationTime := (timeCodeInt64 + 1) * interval64
	return t.generateOTP(int(timeCodeInt64)), expirationTime
}

more readable BuildUri by using net/url

randomSecret := gotp.RandomSecret(16)
fmt.Println("Random secret:", randomSecret)
// Convert string to byte slice
byteSlice := []byte(randomSecret)

// Get the length of the byte slice (number of bytes)
byteLength := len(byteSlice)
fmt.Println("size",byteLength)  //26

This gives issue when scanning the generated qrcode of provision uri directly by google authenticator on iPhone

Good afternoon;

In the totp.go function "At" you've got an 'int' timestamp - presumably a UNIX time integer - being fed into that function.

Seeing as you've already got "time" as a dependency, perhaps it might be better for that to be a "Time" object? This way, users of the library can have the Time functions calculate the various windows and such rather than having to extract the current or future time, do the conversion, and then convert to an int to feed into that function.

I already have to call https://golang.org/pkg/time/#Unix to get that, after all

key := viper.GetString("totp") code := gotp.NewDefaultTOTP(k).Now()
is causing this problem.

Pull request #8 - adds lowercase, numbers and special characters to the set permitted for use in RandomSecret().