Google Authenticator for Go

The following function sometimes returns 5 digits instead of 6:

https://github.com/dgryski/dgoogauth/blob/96977cbd42e27be71f9f731db6634123de7e861a/googauth.go#L27-L49

e.g.

package main

import (
  "crypto/hmac"
  "crypto/sha1"
  "encoding/base32"
  "encoding/binary"
  "fmt"
  "time"

  "github.com/dgryski/dgoogauth"
)

func main() {
  secret := []byte{'H', 'e', 'l', 'l', 'o', '!', 0xDE, 0xAD, 0xBE, 0xEF}
  secretEnc := base32.StdEncoding.EncodeToString(secret)

  var t0 int64
  t0 = int64(time.Now().Unix() / 2)
  code := dgoogauth.ComputeCode(secretEnc, t0)

  fmt.Printf("code = %+v\n", code)
}

func ComputeCode(secret string, value int64) int {
  key, err := base32.StdEncoding.DecodeString(secret)
  if err != nil {
    return -1
  }

  hash := hmac.New(sha1.New, key)
  err = binary.Write(hash, binary.BigEndian, value)
  if err != nil {
    return -1
  }
  h := hash.Sum(nil)

  offset := h[19] & 0x0f

  truncated := binary.BigEndian.Uint32(h[offset : offset+4])

  truncated &= 0x7fffffff
  code := truncated % 1000000

  return int(code)
}

Outputs the following when looped:

code = 292234
code = 108363
code = 108363
code = 828914
code = 45510
code = 45510
code = 45288
code = 45288
code = 286406
code = 166336
code = 166336
code = 569768
code = 569768

For compatibility reasons, the library will need to use local time. However, switching on UTC is available via a boolean field in the configuration structure. This extends #3, which switches completely to UTC, by adding this field.

Hi Damian,

The major change is the addition of ProvisionURIWithIssuer method, that respects the recommendations found here: https://code.google.com/p/google-authenticator/wiki/ConflictingAccounts

It's an addition so that existing code does not break, and the current ProvisionURI returns the same values as before (I added a test to validate before and after the change).

Smaller changes: return an invalid code in case of error in ComputeCode (thanks for confirming that -1 is indeed invalid as per the RFCs), get rid of the fmt dependency and remove unused second return value in the internal checkXxx functions.

Let me know if you want me to tweak a few things (or if you're not interested in the PR).

Thanks! Martin

I received this error when decoding my 26 character secret.

You should probably update your code to decode the secret using this: https://github.com/gokyle/twofactor/issues/10#issuecomment-381966785

I would like to include this library in one of my side projects but I don't want to violate your rights. Could you please update this repository with a LICENSE file so people understand the restrictions on its use?

See: https://opensource.org/licenses

Google has a very useful document which discusses its legal positions on each of the open source licenses as far as being consumed for commercial purposes. It's a good way to understand the consequences of certain licenses such as the WTFPL: https://opensource.google.com/docs/thirdparty/licenses/