
TOTP Code Repeatedly Fails #289

Closed
u-ashish opened this issue Apr 8, 2020 · 1 comment

u-ashish commented Apr 8, 2020

Hi there,

I was attempting to set up authboss in my Go API and did a straightforward TOTP implementation.

I was able to:

  • log in
  • hit POST /auth/2fa/totp/setup
  • get the code via GET /auth/2fa/totp/confirm, which returns
{
    "modules": {
        "auth": true,
        "lock": true
    },
    "status": "success",
    "totp_secret": "<SECRET_IN_SESSION>"
}
  • get the QR code (GET /auth/2fa/totp/qr)
  • use Authenticator or Authy and register via QR (Also tried manually). On my iPhone.
  • make a post to /auth/2fa/totp/confirm with this request body:
{
	"code": "<CODE_FROM_APP>"
}
  • It fails every time (no matter which app).

I'm assuming it has to do with the logic used to generate the code (duration, secret, etc.) but not sure what the recommended way to debug/solve this is.

I confirmed from my debugger that the TOTP secret it uses to decode is the same that I registered in the authenticator app. Looking at your source code it seems the default behavior you used is supposed to be compatible, so I'm trying to understand what else might cause this to deviate.

For fun I ran your totp.GenerateCode(...) method and passed that in and it worked, so there's something about how it generates/validates codes via the default options that might be off from the three different auth apps on my iPhone:

  • Google Authenticator
  • Authy
  • Authenticator

Or maybe I'm missing something...
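To reproduce the comparison the reporter describes (generate the code server-side from the same secret the app was enrolled with, then check whether the app's code matches), the following is an added example written for this thread; it is not authboss code and not the pquerna/otp API. It implements the RFC 4226 / RFC 6238 defaults that Google Authenticator, Authy and similar apps use when they scan an otpauth QR code (HMAC-SHA1, 30-second period, 6 digits, base32 secret) using only the Go standard library, and validates with a small clock-skew window, which is the usual cause of a "valid" code being rejected when the secret itself is correct. The function names (`decodeSecret`, `totpAt`, `validate`) and the secret used below (the base32 encoding of the RFC 6238 test seed) are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	period  = 30      // seconds per time step (otpauth default)
	digits  = 6       // otpauth default
	modulus = 1000000 // 10^digits
)

// decodeSecret accepts the base32 secret exactly as an authenticator app
// would be shown it: otpauth URIs omit '=' padding, and users often type
// it lower-case or with spaces.
func decodeSecret(secret string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(secret, " ", ""))
	s = strings.TrimRight(s, "=")
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("secret is not valid base32: %w", err)
	}
	if len(key) == 0 {
		return nil, errors.New("empty secret")
	}
	return key, nil
}

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation, then the low `digits` decimal digits.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%modulus)
}

// totpAt is RFC 6238 with T0 = 0: the HOTP counter is the Unix time
// divided by the period.
func totpAt(key []byte, unix int64) string {
	return hotp(key, uint64(unix/period))
}

// validate checks a submitted code against the current time step and
// `skew` steps on either side, so a phone whose clock is up to
// skew*period seconds off still succeeds. Comparison is constant-time.
func validate(secretB32, code string, now time.Time, skew int) (bool, error) {
	key, err := decodeSecret(secretB32)
	if err != nil {
		return false, err
	}
	step := now.Unix() / period
	for d := -int64(skew); d <= int64(skew); d++ {
		if step+d < 0 {
			continue
		}
		if hmac.Equal([]byte(hotp(key, uint64(step+d))), []byte(code)) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed secret: base32 of the RFC 6238 SHA-1 test seed "12345678901234567890".
	secret := "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	key, err := decodeSecret(secret)
	if err != nil {
		panic(err)
	}
	// Debugging recipe from the thread: print the server's view of the
	// code and compare it with what the phone shows at the same moment.
	now := time.Now()
	fmt.Println("server code now:     ", totpAt(key, now.Unix()))
	fmt.Println("server code -1 step: ", totpAt(key, now.Unix()-period))
	fmt.Println("server code +1 step: ", totpAt(key, now.Unix()+period))
	ok, _ := validate(secret, totpAt(key, now.Unix()-period), now, 1)
	fmt.Println("previous step accepted with skew=1:", ok)
}
```

If the code printed here never matches the phone, the secret the server holds is not the one the app enrolled (compare the raw base32 string, not the session object); if it matches only the -1 or +1 step, the device or server clock is off and a skew window of one step is the standard remedy.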


u-ashish commented Apr 8, 2020

Hmm, I do see that you use the pquerna/otp package (which if I did this manually, I'd have used as well), so I'm even more confused as to why the code from my app after registering via QR is not the same as what the algo generates.

(I made sure I was using the right code 😄 )

This... appears to have resolved itself so closing...

@u-ashish u-ashish closed this as completed Apr 9, 2020