First of all thank you for this great library!

I'm using otp for my web service and I'm currently trying to write some tests against my login process. Since otp uses six digits by default (same as google authenticator app) I have to create a valid otp with six digits.

I looked at your tests for otp but they all use eight digits. How can I generate a valid six digit one time password?

Thank you!

Hello

if the issuer contains a space, the URL encoder will mix up the URL.

key, err := totp.Generate(totp.GenerateOpts{
	Issuer:      "Test Issuer",
	AccountName: "[email protected]",
})

Actual result: otpauth://totp/Test%20Issuer:[email protected]?algorithm=SHA1&digits=6&issuer=Test+Issuer&period=30&secret=QE2C7JXZB3TY3FBKL6PB7PZXP7UCRPOA

Expected result: otpauth://totp/Test%20Issuer:[email protected]?algorithm=SHA1&digits=6&issuer=Test%20Issuer&period=30&secret=QE2C7JXZB3TY3FBKL6PB7PZXP7UCRPOA

in https://github.com/pquerna/otp/blob/master/totp/totp.go#L183 the secret should not be re-encoded since that is the final seed we will store in the DB. To be able to reuse the seed to generate a new key we need to add it as a final secret.

I've been using this package for quite a while and it has helped me thousands of times. However, sometimes I get confused in using custom validators/generators. I think we can make it better if you agree on using options in main functions, say, Validate and Generate funcs.

Hello, So I was trying out the library and using google authenticator to scan the QR codes. This is the code I'm using to do so.

import (
	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"

	"bufio"
	"bytes"
	"fmt"
	"image/png"
	"io/ioutil"
	"os"
)

func display(key *otp.Key, data []byte) {
	fmt.Printf("Issuer:       %s\n", key.Issuer())
	fmt.Printf("Account Name: %s\n", key.AccountName())
	fmt.Printf("Secret:       %s\n", key.Secret())
	fmt.Printf("URL:          %s\n", key.URL())
	fmt.Println("Writing PNG to qr-code.png....")
	ioutil.WriteFile("qr-code.png", data, 0644)
	fmt.Println("")
	fmt.Println("Please add your TOTP to your OTP Application now!")
	fmt.Println("")
}

func promptForPasscode() string {
	reader := bufio.NewReader(os.Stdin)
	fmt.Print("Enter Passcode: ")
	text, _ := reader.ReadString('\n')
	return text
}

func main() {
	key, err := totp.Generate(totp.GenerateOpts{
		Issuer:      "Example.com",
		AccountName: "[email protected]",
		Algorithm:   otp.AlgorithmSHA1,
	})
	if err != nil {
		panic(err)
	}
	// Convert TOTP key into a PNG
	var buf bytes.Buffer
	img, err := key.Image(200, 200)
	if err != nil {
		panic(err)
	}
	png.Encode(&buf, img)

	// display the QR code to the user.
	display(key, buf.Bytes())

	// Now Validate that the user's successfully added the passcode.
	fmt.Println("Validating TOTP...")
	for {
		passcode := promptForPasscode()
		valid := totp.Validate(passcode, key.Secret())
		if valid {
			println("Valid passcode!")
		} else {
			println("Invalid passocde!")
		}
	}
}

This generates a QR code which I am able to scan with goole authenticator, but everytime i try the passcode it is invalid. Wanted to know if theres some issue with my code.

I want to generate a password so I used the function in totp package GenerateCodeCustom() as

   func getPassword(token_shared_secret string) string{
	opts := totp.ValidateOpts{}
	opts.Period = 30
	opts.Skew = 1
	opts.Digits = 10
	opts.Algorithm = otp.AlgorithmSHA512
	
	var password string
	t := time.Now()
	password, err := totp.GenerateCodeCustom(token_shared_secret,t,opts)
	if err != nil {
		panic(err)
	}
	return password
}

var password string = getPassword(myID+subfix)

I needed to change some options like that cuz the main purpose is to make a HTTP POST to some URL and they directed me to make the password as an 10-digit time-based one, time step X is 30secs ,T0 is 0 and use HMAC-SHA-512 for the hash function.

the parameter I put as myID+subfix is a concatenated string with an email address and an English string.

The problem is that email address contains special charters @ and . (at and dot). And I failed to get the password with the error sign

panic: Decoding of secret as base32 failed.

So I tried modifying the GenerateCodeCustom() function in hotp package I changed the line (line no.84)

secretBytes, err := base32.StdEncoding.DecodeString(secret)

as

secretBytes := []byte(secret)

At least I succeeded to get a ten-digit time-based password but I don't think it is correct one because the server keep sending me http 401 response. I think it's not a proper way, I may need to do something.

Can you let me know how can I solve this ?

Hi, I use the following code (which is very similar to this example, if not for line 19 (which I added), line 38 (which I added), and the cycle (lines 56 and 64) which I added to simplify testing with multiple clients:

package main

import (
	"github.com/pquerna/otp"
	"github.com/pquerna/otp/totp"

	"bufio"
	"bytes"
	"fmt"
	"image/png"
	"io/ioutil"
	"os"
)

func display(key *otp.Key, data []byte) {
	fmt.Printf("Issuer:       %s\n", key.Issuer())
	fmt.Printf("Account Name: %s\n", key.AccountName())
	fmt.Printf("Secret:       %s\n", key.Secret())
	fmt.Printf("URL:          %s\n", key.URL())
	fmt.Println("Writing PNG to qr-code.png....")
	ioutil.WriteFile("qr-code.png", data, 0644)
	fmt.Println("")
	fmt.Println("Please add your TOTP to your OTP Application now!")
	fmt.Println("")
}

func promptForPasscode() string {
	reader := bufio.NewReader(os.Stdin)
	fmt.Print("Enter Passcode: ")
	text, _ := reader.ReadString('\n')
	return text
}

func main() {
	key, err := totp.Generate(totp.GenerateOpts{
		Issuer:      "Example.com",
		AccountName: "[email protected]",
		Algorithm:   otp.AlgorithmSHA512,
	})
	if err != nil {
		panic(err)
	}
	// Convert TOTP key into a PNG
	var buf bytes.Buffer
	img, err := key.Image(200, 200)
	if err != nil {
		panic(err)
	}
	png.Encode(&buf, img)

	// display the QR code to the user.
	display(key, buf.Bytes())

	// Now Validate that the user's successfully added the passcode.
	fmt.Println("Validating TOTP...")
	for {
		passcode := promptForPasscode()
		valid := totp.Validate(passcode, key.Secret())
		if valid {
			println("Valid passcode!")
		} else {
			println("Invalid passocde!")
		}
	}
}

In a test run, this is what it outputs:

Issuer:       Example.com
Account Name: [email protected]
Secret:       N3K5NHE26HHXP2CL
URL:          otpauth://totp/Example.com:[email protected]?algorithm=SHA512&digits=6&issuer=Example.com&period=30&secret=N3K5NHE26HHXP2CL

I tried to add the QRCode to Google Authenticator (on Android), FreeOTP (on Android), Google Authenticator (on iOS), FreeOTP (on iOS), gopass (on Linux).

On multiple tests, FreeOTP (on both Android and iOS), Google Authenticator on iOS and gopass agree on the generated OTPs, while Google Authenticator on Android does not. Only the code from Google Authenticator on Android is recognised as right.

Now, I'm not sure if this is a problem on the server side or on the client side, so I'm opening the ticket on both the clients (FreeOTP Android, gopass) and the server (github.com/pquerna/otp)

Google gave me a QR code with this content: otpauth://totp/Google%3Afoo%40example.com?secret=qlt6vmy6svfx4bt4rpmisaiyol6hihca&issuer=Google (don't worry, I haven't taken this secret into use).

It yields this error: Decoding of secret as base32 failed

If I uppercase the secret myself (=> otpauth://totp/Google%3Afoo%40example.com?secret=QLT6VMY6SVFX4BT4RPMISAIYOL6HIHCA&issuer=Google), it succeeds.

This pull request addresses https://github.com/pquerna/otp/issues/68. I have also encountered + signs instead of spaces in Google Authenticator when using https://github.com/ory/kratos (which uses this library).

It seems to me that copy-pasting the URL-encoding function is the simplest and most robust solution here (instead of trying to do some clever replacing post-encoding). I also fixed some typos in the first commit.

Problem: If the validateOps.Digit parameter is not passed to the hotp.GenerateCodeCustom() function, the default value is not correctly assigned. By default, it should generate a 6-digit code, but it produces 0.

Solution:

• Add unit test for hotp.GenerateCodeCustom()
• I set the otp.DigitSix value as the default.

        key,_ := totp.Generate(totp.GenerateOpts{ 
              AccountName: "XYZ Test", 
              Issuer: "some.domain.com", 
              Algorithm: otp.AlgorithmSHA512, 
        })
        
        var buff bytes.Buffer
	img, _ := key.Image(256,256)
	f, _ := os.Create("test.html")
	png.Encode(&buff, img)
	encodedString := base64.StdEncoding.EncodeToString(buff.Bytes())
	htmlImage := "<img src=\"data:image/png;base64," + encodedString + "\" />"
	l, err := f.WriteString(htmlImage)
	if err != nil {
		log.Println(err)
	}

The resultant test.html shows a QR code that provides correct codes when scanned with Google Authenticator on Android, but not on iPhone.

First of all, thank you for keeping things simple. It was very easy going over your code, great job!

Motivation - I wanted to see how it works out-of-the-box, without installing/compiling anything.

So I wrote a Dockerfile to build the application and test it easily, allowing users to test the app immediately.

Build a Docker image

DOCKER_ORG=unfor19
$ docker build -t ${DOCKER_ORG}/totp -f Dockerfile.example .

Run a container

DOCKER_ORG=unfor19
$ docker run --rm -it -e GENERATE_TEMP_PASSCODE="true" ${DOCKER_ORG}/totp:latest

Example

Issuer:       Example.com
Account Name: [email protected]
Secret:       PZLTOL3RPGS67EYXPYFLIBYEY5QMSJB5
Writing PNG to qr-code.png....

Please add your TOTP to your OTP Application now!

Generating temporary passcode, valid for 30 seconds...
Temp Passcode: 375146
Validating TOTP...
Enter Passcode: 375146
Valid passcode!

TODO

• I've already pushed this image to my DockerHub repository unfor19/totp, so I recommend that you do the same, and then replace unfor19 in README.md

Let me know if you want to migrate from Travis to GitHub Actions, your builds/tests will run much faster and it's free 😄

Forgive me if this is a stupid question, how exactly can I handle recovery codes for users?

In README, you said "These can simply be randomly generated strings that you store in your backend" but I could not find the code that do this.

Does that mean I need to handle recovery codes myself? I was thinking along the lines of

1. Generate recovery codes in backend
2. Give users recovery codes
3. Compare passcode with recovery codes (pulled from backend storage). If not matched, then compare passcode with TOTP / HOTP as usual? If matched, remove recovery codes (one time use like Github)

Let me know if you have plan to support this behavior natively in this package, or if you are interested in a Pull Request that does this (backend storage via an interface, of course)?