BastiaanJansen / otp-java

A small and easy-to-use one-time password generator library for Java implementing RFC 4226 (HOTP) and RFC 6238 (TOTP).
MIT License

Issuer is not properly escaped in path segment of URI #71

Closed svschouw-bb closed 1 year ago

svschouw-bb commented 1 year ago

Take the following code:

byte[] secret = SecretGenerator.generate();
TOTPGenerator totp = TOTPGenerator.withDefaultValues(secret);
URI uri = totp.getURI("Acme Co", "myuser");
System.out.println(uri);

This will throw a java.net.URISyntaxException: Illegal character in path at index 19: otpauth://totp/Acme Co:myuser?period=30&digits=6&secret=<secret>&issuer=Acme+Co&algorithm=SHA1

If I escaped the issuer myself:

byte[] secret = SecretGenerator.generate();
TOTPGenerator totp = TOTPGenerator.withDefaultValues(secret);
URI uri = totp.getURI("Acme%20Co", "myuser");
System.out.println(uri);

It outputs otpauth://totp/Acme%20Co:myuser?period=30&digits=6&secret=<secret>&issuer=Acme%2520Co&algorithm=SHA1

Notice the double escaping of issuer=Acme%2520Co in the query parameters.

The path section (both issuer and account) should be escaped when generating the URI.
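The encoding rule requested above, shown as an added example that is not part of the original issue and is not the library's own code: the caller passes raw issuer and account strings, and each URI component is percent-encoded exactly once, so the path stays legal and the query value is not double-escaped. The class name, the helper names `encode` and `buildTotpUri`, and the sample secret are assumptions made for illustration; `URLEncoder.encode(String, Charset)` needs Java 10 or later.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class OtpAuthUriExample {

    // Percent-encode one URI component. URLEncoder targets form encoding, so it
    // writes a space as "+"; rewrite that to "%20" so the result is valid in a
    // path segment as well as in a query value. A literal "+" in the input has
    // already become "%2B", so the replacement cannot corrupt it.
    static String encode(String raw) {
        return URLEncoder.encode(raw, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // Hypothetical helper, not the library's getURI(): takes RAW (unescaped)
    // issuer and account and encodes each component exactly once.
    static URI buildTotpUri(String issuer, String account, String base32Secret) {
        String label = encode(issuer) + ":" + encode(account);
        String query = "secret=" + encode(base32Secret)
                + "&issuer=" + encode(issuer)
                + "&algorithm=SHA1&digits=6&period=30";
        return URI.create("otpauth://totp/" + label + "?" + query);
    }

    public static void main(String[] args) {
        String secret = "JBSWY3DPEHPK3PXP"; // constructed sample value, not a real key

        // The input from the report: a space in the issuer.
        URI uri = buildTotpUri("Acme Co", "myuser", secret);
        System.out.println(uri);

        // Decoding the parsed URI gives back the caller's raw strings in both
        // the path and the query, which shows nothing was escaped twice.
        System.out.println(uri.getPath());
        System.out.println(uri.getQuery());

        // Reserved characters (&, /, :, @) are encoded as data, so an issuer or
        // account name cannot add a path segment or an extra query parameter.
        System.out.println(buildTotpUri("R&D: Lab", "a/b@example.com", secret));
    }
}
```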

svschouw-bb commented 1 year ago

Thanks for the fix!

A new version was tagged, but not released yet.

BastiaanJansen commented 1 year ago

Thanks for noticing! Version 2.0.2 is now released.