Go library for one-time passwords, supports HOPT and TOPT (Google Authenticator compatible)

Overview

GoTP: One-time password library for Go

GoTP library provides implementations of one-time password generators and validators.

This implemantation supports HMAC-based OTP (RFC 4226) and Time-based OTP (RFC 6238).

This library allows generation and validation of one-time passwords as used by variuos services. It is compatible with Google Authenticator and Authy.

It supports all hash functions in standard library crypto module and provides utility methods to create provisioning URIs from configured OTP generators and parse URIs to configured OTP generators.

HMAC-based One-time Password

    import "github.com/uaraven/gotp"
    ...

    counter := 10
    hotp := gotp.NewDefaultHOTP([]byte("secret key"), counter)
    code := hotp.CurrentOTP(counter)

    if hotp.Verify(code, counter) {
        panic(fmt.Error("invalid OTP code"))
    }

NewHOTP function creates HOTP instance with parameters such as number of digits in the one-time code and truncation offset. You can use NewDefaultHOTP with the sane default parameters (6 digits, dynamic truncation, SHA1 hash function).

Default counter value must be provided every time when instance of HOTP is created. The counter will increment every time new one-time password is requested. Counter can be reset by either setting it directly with HOTP.SetCounter(value) or by calling HOTP.GenerateOTP(counter). In the latter case internal HOTP counter will be updated to the new value and the counter will be incremented after the one-time password is generated.

HOTP also provides basic verification function. Resynchronization and verification throttling are out of scope for this library.

Time-based One-time Password

    import (
        "github.com/uaraven/gotp"
        "time"
    )
    ...

    totp := gotp.NewDefaultTOTP([]byte("secret key"))
    timestamp := time.Date(2021, 12, 20, 11, 28, 13, 0, time.UTC)
    code := totp.At(timestamp)

    if totp.VerifyAt(code, timestamp) {
        panic(fmt.Error("invalid OTP code"))
    }

TOTP parameters, such as number of digits in the resulting code, time step duration and starting time can be configured by using NewTOTP function. NewDefaultTOTP creates a TOTP implementation with default parameters compatible with most authentication services.

TOTP instance provides functions to verify correctness of the one-time password at any time. It also supports verification within the wider window to allow for out-of-sync clocks and network lag.

VerifyWithinWindow(otp, timestamp, validationWindow) will validate otp code within ±validateWindow time steps around given timestamp. It is not recommended to use validationWindow values larger than 1 as this will expose larget window for attacks.

Provisioning URLs

GoTP supports generating and parsing of Google Authenticator-compatible URLs.

To generate a new provisioning URL use ProvisioningUri(label string, issuer string) string function in OTP interface.

To create an OTP generator from URL use OTPFromUri(uri string) (*OTPKeyData, error) function. It will return pointer to OTPKeyData structure that contains instance of the generator and, additionally, label and issuer fields from the URI.

Notes on hash functions

This library will work with all hash functions defined in crypto module. Default hash function used is SHA-1.

If you see following error

panic: crypto: requested hash function #X is unavailable

you need to import corresponding module so that the hash function can register itself with crypto module.

For example if you want to use TOTP with SHA-512 hash

    import (
        "github.com/uaraven/gotp"
        "crypto"
        _ "crypto/sha512" // you need this
    )
    ...

    totp := gotp.NewTOTPHash([]byte("secret key"), DefaultDigits, DefaultTimeStep, 0, crypto.SHA512)
    code := totp.Now()

When generating provisioning URI, algorithm parameter will be included only if the hash function is one of SHA1, SHA256 or SHA512. Note that some of popular one-time passcode generation applications (like Google Authenticator) will ignore algorithm parameter and always use SHA1.

License

This project is distributed under MIT license.

Owner
Oleksiy Voronin
Oleksiy Voronin
Go based HTTP server with 2FA based on OTP (One-Time Password) manager like Google Authenticator

Go based HTTP server with 2FA based on OTP (One-Time Password) manager like Goog

Valentin Kuznetsov 1 Mar 8, 2022
Generate a generic library of 2FA tokens compatible with Google Authenticator

towfa Generate a generic library of 2FA tokens compatible with Google Authenticator go get -u github.com/golandscape/twofa $twofa "you secret" result:

golandscape 13 Mar 23, 2022
Terraform utility provider for generating Time-Based One-Time Passwords (TOTPs)

Terraform TOTP Provider The TOTP provider is a utility provider, which allows for generating Time-Based One-Time Passwords (TOTP) following the RFC 62

null 2 Dec 27, 2021
Time-Based One-Time Password (TOTP) and HMAC-Based One-Time Password (HOTP) library for Go.

otpgo HMAC-Based and Time-Based One-Time Password (HOTP and TOTP) library for Go. Implements RFC 4226 and RFC 6238. Contents Supported Operations Read

Jose Torres 34 May 8, 2022
A tool to manage accounts and codes of Google Authenticator.

A tool to manage accounts and codes of Google Authenticator.

Jormin 5 Sep 10, 2021
Google Authenticator for Go

This is a Go implementation of the Google Authenticator library. Copyright (c) 2012 Damian Gryski [email protected] This code is licensed under the Ap

Damian Gryski 391 May 10, 2022
Implementation of RFC-6238 (Time-Based One-Time Password Algorithm) in Go.

TOTP TOTP (RFC-6238) implementation in Go with no external dependencies. INSTALL You can do little copying the totp.go file or add this package as Go

Sarjono Mukti Aji 1 Jan 18, 2022
Go implementation of OTP (One-time-password). SMS send async (goroutine)

Go-OTP Go realization to otp authentication Stack: Redis (Save OTP and token) Go SMS provider (Megafon as example) Schema: User send phonenumber (ex.7

Andrei Koptev 0 Dec 14, 2021
One time password for Go.

otp One time password for Go. Features Simple API. Dependency-free. Clean and tested code. HOTP RFC 4226. TOTP RFC 6238. See GUIDE.md for more details

cristaltech 4 May 16, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Casbin 11.9k May 13, 2022
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Casbin News: still worry about how to write the correct Casbin policy? Casbin online editor is coming to help! Try it at: https://casbin.org/editor/ C

Casbin 11.9k May 11, 2022
simple-jwt-provider - Simple and lightweight provider which exhibits JWTs, supports login, password-reset (via mail) and user management.

Simple and lightweight JWT-Provider written in go (golang). It exhibits JWT for the in postgres persisted user, which can be managed via api. Also, a password-reset flow via mail verification is available. User specific custom-claims also available for jwt-generation and mail rendering.

Max 24 Apr 25, 2022
A Sample Integration of Google and GitHub OAuth2 in Golang (GoFiber) utilising MongoDB

Go Oauth Server This is sample OAuth integration written in GoLang that also uses MongoDB. This is a sample TODO Application where people can Create a

Hemanth Krishna 8 Apr 25, 2022
Server bridging Google's OAuth and service using Radius for authentication

Fringe Fringe is an easy workaround for Google Workplace users who need a Radius server to perform authentication on behalf of other services (e.g. 80

Pierre-Luc Simard 5 Mar 7, 2022
JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd, osiam, ..

loginsrv loginsrv is a standalone minimalistic login server providing a JWT login for multiple login backends. ** Attention: Update to v1.3.0 for Goog

tarent 1.9k May 6, 2022
Go session management for web servers (including support for Google App Engine - GAE).

Session The Go standard library includes a nice http server, but unfortunately it lacks a very basic and important feature: HTTP session management. T

András Belicza 107 Feb 16, 2022
Provides AWS STS credentials based on Google Apps SAML SSO auth with interactive GUI support

What's this This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) pro

Quan Hoang 30 Apr 29, 2022
A reverse proxy that provides authentication with Google, Github or other providers.

A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.

OAuth2 Proxy 5.2k May 15, 2022
A reverse proxy that provides authentication with Google, Github or other providers.

A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain

OAuth2 Proxy 5.2k May 17, 2022