BastiaanJansen / otp-java

A small and easy-to-use one-time password generator library for Java implementing RFC 4226 (HOTP) and RFC 6238 (TOTP).
MIT License

Wrong getURI method #81

Open andilem opened 3 months ago

andilem commented 3 months ago

Your HOTPGenerator#getURI method is mighty wrong.

  1. Special characters in the components (label, issuer) must be URI-encoded, i.e. replace " " by "%20" (and not by "+") and so on. Possible solution: Apply the following encoding to the label parts (issuer and account) and to the issuer parameter. Note that it is valid to encode the : in the label as well, but this is not required.
    URLEncoder.encode(s, StandardCharsets.UTF_8)
        .replace("+", "%20")
        .replace("%21", "!")
        .replace("%27", "'")
        .replace("%28", "(")
        .replace("%29", ")")
        .replace("%7E", "~")
  2. The secret must be Base32-encoded, e.g. new Base32().encodeToString(secret) using the Apache Commons Codec Base32 implementation.

BastiaanJansen commented 3 months ago

Thanks for your comment. I am open to pull requests, as I currently don't have the time to implement your solution.
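
Added example, not part of the issue thread or the otp-java code base: a stand-alone sketch of the two fixes requested in the first comment, percent-encoding the label and issuer with the replacement chain quoted there and Base32-encoding the secret. The class and method names (`OtpAuthUriExample`, `hotpUri`, `encodeComponent`, `base32`) and the sample issuer, account and secret are constructed for illustration, and the inline Base32 encoder stands in for the Apache Commons Codec call so the file has no dependencies.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class OtpAuthUriExample {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // URLEncoder produces form encoding (space -> "+"); convert it to URI
    // percent-encoding with the replacements proposed in the issue.
    static String encodeComponent(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20")   // a literal "+" is already "%2B" here
                .replace("%21", "!")
                .replace("%27", "'")
                .replace("%28", "(")
                .replace("%29", ")")
                .replace("%7E", "~");
    }

    // RFC 4648 Base32 without "=" padding (hypothetical stand-in for
    // new Base32().encodeToString(secret) from Apache Commons Codec).
    static String base32(byte[] data) {
        StringBuilder out = new StringBuilder();
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xFF);
            bits += 8;
            while (bits >= 5) {
                out.append(ALPHABET.charAt((buffer >> (bits - 5)) & 31));
                bits -= 5;
            }
        }
        if (bits > 0) out.append(ALPHABET.charAt((buffer << (5 - bits)) & 31));
        return out.toString();
    }

    // Hypothetical helper, not the library's getURI signature.
    static String hotpUri(String issuer, String account, byte[] secret, long counter) {
        return "otpauth://hotp/" + encodeComponent(issuer) + ":" + encodeComponent(account)
                + "?secret=" + base32(secret)
                + "&issuer=" + encodeComponent(issuer)
                + "&counter=" + counter;
    }

    public static void main(String[] args) {
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII); // constructed sample
        System.out.println(hotpUri("Example Corp", "alice+test@example.com", secret, 0));
    }
}
```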