createOTP() currently treats the secret parameter as a UTF-8 string and passes it directly into createHMAC().sign(secret, bytes).
This results in incorrect HOTP/TOTP values for any secret that contains bytes ≥ 0x80 after Base32 decoding.
This breaks compatibility with standard OTP secrets (e.g., those generated by Google Authenticator, Authy, etc.), which are Base32 encoded.
createOTP()currently treats the secret parameter as a UTF-8 string and passes it directly intocreateHMAC().sign(secret, bytes).This results in incorrect HOTP/TOTP values for any secret that contains bytes ≥ 0x80 after Base32 decoding.
This breaks compatibility with standard OTP secrets (e.g., those generated by Google Authenticator, Authy, etc.), which are Base32 encoded.