sil-org · fillup · Dec 1, 2017 · Nov 29, 2017 · Dec 1, 2017 · Dec 1, 2017
diff --git a/api.raml b/api.raml
@@ -160,11 +160,15 @@ protocols: [HTTPS]
             example: |
               {"code": "012345"}
         responses:
-          204:
+          200:
+            description: |
+              The given TOTP code was valid.
           400:
             description: |
-              The request body was invlalid, such as if no `code` value was found.
+              The request body was invalid, such as if no `code` value was found.
           401:
+            description: |
+              The given TOTP code was wrong.
           404:
 
 /u2f:

diff --git a/models/totp.js b/models/totp.js
@@ -20,13 +20,17 @@ module.exports.create = (apiKeyValue, apiSecret, {issuer, label = 'SecretKey'} =
 
     const otpSecrets = speakeasy.generateSecret({length: 10});
     let otpAuthUrlOptions = {
-      'label': label,
+      'label': encodeURIComponent(label),
       'secret': otpSecrets.base32,
       'encoding': 'base32'
     };
     if (issuer) {
       otpAuthUrlOptions.issuer = issuer;
-      otpAuthUrlOptions.label = issuer + ':' + label;
+
+      // Note: The issuer and account-name used in the `label` need to be
+      // URL-encoded. Presumably speakeasy doesn't automatically do so because
+      // the colon (:) separating them needs to NOT be encoded.
+      otpAuthUrlOptions.label = encodeURIComponent(issuer) + ':' + encodeURIComponent(label);
     }
 
     const otpAuthUrl = speakeasy.otpauthURL(otpAuthUrlOptions);