tenseleyflow/shithub / 74ae64c

+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect

+	github.com/pquerna/otp v1.5.0 // indirect

+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=

+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=

+github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=

+github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package totp

+

+import (

+	"fmt"

+	"html/template"

+	"strings"

+

+	"github.com/boombuler/barcode/qr"

+)

+

+// QRSize is the rendered SVG side length in CSS pixels (the SVG itself

+// is resolution-independent; this drives the viewport-mapped size).

+const QRSize = 256

+

+// QRSVG renders the otpauth URI as an SVG QR code suitable for inline

+// embedding in a template. Returns template.HTML so html/template doesn't

+// double-escape the markup.

+//

+// The URI is high-entropy and contains the secret. Callers MUST NOT log

+// either the URI or the rendered SVG.

+func QRSVG(otpauthURI string) (template.HTML, error) {

+	code, err := qr.Encode(otpauthURI, qr.M, qr.Auto)

+	if err != nil {

+		return "", fmt.Errorf("totp: qr encode: %w", err)

+	}

+	bounds := code.Bounds()

+	side := bounds.Dx()

+	if side <= 0 {

+		return "", fmt.Errorf("totp: qr empty bounds")

+	}

+

+	var b strings.Builder

+	fmt.Fprintf(&b,

+		`<svg xmlns="http://www.w3.org/2000/svg" width="%d" height="%d" viewBox="0 0 %d %d" shape-rendering="crispEdges" role="img" aria-label="2FA setup QR code">`,

+		QRSize, QRSize, side, side)

+	// White background.

+	fmt.Fprintf(&b, `<rect width="%d" height="%d" fill="#ffffff"/>`, side, side)

+

+	// Emit one <rect> per module. For typical otpauth URIs the QR is

+	// ~33×33 modules, so the SVG stays under a few KB.

+	type img interface {

+		Get(x, y int) bool

+	}

+	g, ok := code.(img)

+	if !ok {

+		return "", fmt.Errorf("totp: qr type lacks Get(x,y) accessor")

+	}

+	for y := 0; y < side; y++ {

+		for x := 0; x < side; x++ {

+			if g.Get(x, y) {

+				fmt.Fprintf(&b, `<rect x="%d" y="%d" width="1" height="1" fill="#000000"/>`, x, y)

+			}

+		}

+	}

+	b.WriteString(`</svg>`)

+	return template.HTML(b.String()), nil //nolint:gosec // we built the SVG ourselves; no untrusted input.

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package totp

+

+import (

+	"crypto/rand"

+	"crypto/sha256"

+	"crypto/subtle"

+	"encoding/base32"

+	"errors"

+	"strings"

+)

+

+// RecoveryCodeCount is the number of recovery codes generated per user.

+const RecoveryCodeCount = 10

+

+// recoveryAlphabet is RFC 4648 base32 minus 0/1/8/B/I/L/O/S so adjacent

+// glyphs don't get mistyped. 24 characters is plenty of entropy for our

+// per-code length (12 chars → ~57 bits).

+const recoveryAlphabet = "ACDEFGHJKMNPQRTUVWXYZ234"

+

+// RecoveryCodeGroups is the number of dash-separated groups in the

+// rendered code (currently 3, of 4 chars each → 12 chars total).

+const RecoveryCodeGroups = 3

+

+// RecoveryCodeGroupSize is the length of each group.

+const RecoveryCodeGroupSize = 4

+

+// GenerateRecoveryCodes mints RecoveryCodeCount fresh codes. Returns the

+// human-readable strings (XXXX-XXXX-XXXX) that are shown to the user

+// once, and the matching sha256 hashes (stored in the DB).

+func GenerateRecoveryCodes() ([]string, [][]byte, error) {

+	codes := make([]string, RecoveryCodeCount)

+	hashes := make([][]byte, RecoveryCodeCount)

+	for i := 0; i < RecoveryCodeCount; i++ {

+		c, err := mintCode()

+		if err != nil {

+			return nil, nil, err

+		}

+		codes[i] = c

+		h := sha256.Sum256([]byte(NormalizeRecoveryCode(c)))

+		hashes[i] = h[:]

+	}

+	return codes, hashes, nil

+}

+

+// HashRecoveryCode returns the sha256 hash of the normalized form of

+// code, suitable for DB lookup.

+func HashRecoveryCode(code string) []byte {

+	h := sha256.Sum256([]byte(NormalizeRecoveryCode(code)))

+	return h[:]

+}

+

+// NormalizeRecoveryCode strips dashes/whitespace and uppercases the

+// result so codes typed with stray spaces or lowercase still match.

+func NormalizeRecoveryCode(s string) string {

+	s = strings.ToUpper(s)

+	var b strings.Builder

+	b.Grow(len(s))

+	for _, r := range s {

+		if r == '-' || r == ' ' {

+			continue

+		}

+		b.WriteRune(r)

+	}

+	return b.String()

+}

+

+// LooksLikeRecoveryCode is a cheap predicate the login challenge handler

+// uses to distinguish a recovery code from a TOTP code: alphanumeric and

+// of the expected post-normalization length.

+func LooksLikeRecoveryCode(s string) bool {

+	n := NormalizeRecoveryCode(s)

+	if len(n) != RecoveryCodeGroups*RecoveryCodeGroupSize {

+		return false

+	}

+	for _, r := range n {

+		if !((r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')) {

+			return false

+		}

+	}

+	return true

+}

+

+// EqualHash compares two recovery-code hashes in constant time. Used by

+// callers that read a candidate hash from the DB and want to compare to

+// a value they computed themselves.

+func EqualHash(a, b []byte) bool {

+	return subtle.ConstantTimeCompare(a, b) == 1

+}

+

+// mintCode generates one fresh formatted recovery code.

+func mintCode() (string, error) {

+	const total = RecoveryCodeGroups * RecoveryCodeGroupSize

+	out := make([]byte, total)

+	// Generate 5 raw bytes per 4 base32 chars (40 bits → 8 chars; we use

+	// our reduced alphabet so generate plenty and slice).

+	buf := make([]byte, total*2)

+	if _, err := rand.Read(buf); err != nil {

+		return "", err

+	}

+	for i := 0; i < total; i++ {

+		out[i] = recoveryAlphabet[int(buf[i])%len(recoveryAlphabet)]

+	}

+	// Insert dashes between groups.

+	var b strings.Builder

+	for g := 0; g < RecoveryCodeGroups; g++ {

+		if g > 0 {

+			b.WriteByte('-')

+		}

+		b.Write(out[g*RecoveryCodeGroupSize : (g+1)*RecoveryCodeGroupSize])

+	}

+	return b.String(), nil

+}

+

+// ErrRecoveryCodeInvalid is returned by callers when the typed code

+// doesn't match any stored hash.

+var ErrRecoveryCodeInvalid = errors.New("totp: recovery code invalid")

+

+// noOpUseStdEncoding silences unused-import warnings during refactors.

+var _ = base32.StdEncoding

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package totp implements RFC 6238 TOTP (time-based one-time password)

+// enrollment and verification. We use SHA-1 / 30-second period / 6 digits

+// to maximize authenticator-app compatibility (every popular app speaks

+// these defaults; SHA-256/512 cause real-world surprises).

+//

+// Counter anti-replay is enforced at the DB layer (BumpTOTPCounter only

+// advances last_used_counter when the new step is strictly greater).

+package totp

+

+import (

+	"crypto/rand"

+	"encoding/base32"

+	"errors"

+	"fmt"

+	"net/url"

+	"strconv"

+	"strings"

+	"time"

+

+	"github.com/pquerna/otp"

+	"github.com/pquerna/otp/totp"

+)

+

+// SecretSize is the secret length in bytes. 20 is the RFC 4226/6238

+// recommendation (160 bits — comfortably above brute-force reach).

+const SecretSize = 20

+

+// Period is the time-step in seconds.

+const Period uint = 30

+

+// Digits is the number of digits in the generated code.

+const Digits = otp.DigitsSix

+

+// SkewSteps is the number of windows ±0 we accept either side of `now`.

+// A value of 1 means accept now-30s, now, now+30s — covers normal clock

+// drift without expanding the replay window meaningfully.

+const SkewSteps uint = 1

+

+// GenerateSecret returns a fresh 20-byte secret.

+func GenerateSecret() ([]byte, error) {

+	b := make([]byte, SecretSize)

+	if _, err := rand.Read(b); err != nil {

+		return nil, fmt.Errorf("totp: secret: %w", err)

+	}

+	return b, nil

+}

+

+// EncodeBase32 returns the Base32 encoding (no padding) authenticator

+// apps display to the user. Used in the otpauth URI.

+func EncodeBase32(secret []byte) string {

+	return strings.TrimRight(base32.StdEncoding.EncodeToString(secret), "=")

+}

+

+// OtpauthURI builds the canonical otpauth:// URI consumed by authenticator

+// apps. issuer is the site name (e.g. "shithub"); accountName is the user's

+// canonical identifier (we use "shithub:<username>"). The URI carries the

+// secret in plaintext — never log it; redactor scrubs it as defense in depth.

+func OtpauthURI(issuer, accountName string, secret []byte) string {

+	q := url.Values{}

+	q.Set("secret", EncodeBase32(secret))

+	q.Set("issuer", issuer)

+	q.Set("algorithm", "SHA1")

+	q.Set("digits", strconv.Itoa(int(Digits)))

+	q.Set("period", strconv.FormatUint(uint64(Period), 10))

+	u := url.URL{

+		Scheme:   "otpauth",

+		Host:     "totp",

+		Path:     "/" + issuer + ":" + accountName,

+		RawQuery: q.Encode(),

+	}

+	return u.String()

+}

+

+// Generate returns the current 6-digit code for secret. Test affordance —

+// not used at runtime by the server, only in tests.

+func Generate(secret []byte, t time.Time) (string, error) {

+	code, err := totp.GenerateCodeCustom(EncodeBase32(secret), t, totp.ValidateOpts{

+		Period:    Period,

+		Skew:      SkewSteps,

+		Digits:    Digits,

+		Algorithm: otp.AlgorithmSHA1,

+	})

+	if err != nil {

+		return "", fmt.Errorf("totp: generate: %w", err)

+	}

+	return code, nil

+}

+

+// Step returns the RFC 6238 step counter for time t.

+func Step(t time.Time) int64 {

+	return t.Unix() / int64(Period)

+}

+

+// Verify checks code against secret with ±SkewSteps tolerance. On

+// acceptance, returns the step counter that matched so the caller can

+// reject codes whose counter is <= last_used_counter.

+//

+// Returns (step, nil) on accepted code; (0, err) otherwise. err is

+// distinguishable via ErrInvalid for bad codes (vs. real errors).

+func Verify(secret []byte, code string, t time.Time) (int64, error) {

+	if !looksLikeCode(code) {

+		return 0, ErrInvalid

+	}

+	b32 := EncodeBase32(secret)

+	// Walk the skew window ourselves so we know which step matched —

+	// pquerna/otp's ValidateCustom returns only a boolean.

+	for offset := -int64(SkewSteps); offset <= int64(SkewSteps); offset++ {

+		atTime := t.Add(time.Duration(offset) * time.Duration(Period) * time.Second)

+		want, err := totp.GenerateCodeCustom(b32, atTime, totp.ValidateOpts{

+			Period:    Period,

+			Skew:      0,

+			Digits:    Digits,

+			Algorithm: otp.AlgorithmSHA1,

+		})

+		if err != nil {

+			return 0, fmt.Errorf("totp: verify: %w", err)

+		}

+		if constantTimeEqual(want, code) {

+			return Step(atTime), nil

+		}

+	}

+	return 0, ErrInvalid

+}

+

+// ErrInvalid means the code doesn't match (or doesn't look like one).

+// Distinct from a generation error so callers can branch on it.

+var ErrInvalid = errors.New("totp: invalid code")

+

+func looksLikeCode(s string) bool {

+	if len(s) != int(Digits) {

+		return false

+	}

+	for _, r := range s {

+		if r < '0' || r > '9' {

+			return false

+		}

+	}

+	return true

+}

+

+func constantTimeEqual(a, b string) bool {

+	if len(a) != len(b) {

+		return false

+	}

+	var v byte

+	for i := 0; i < len(a); i++ {

+		v |= a[i] ^ b[i]

+	}

+	return v == 0

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package totp

+

+import (

+	"strings"

+	"testing"

+	"time"

+)

+

+func TestGenerateAndVerify_RoundTrip(t *testing.T) {

+	t.Parallel()

+	secret, err := GenerateSecret()

+	if err != nil {

+		t.Fatalf("GenerateSecret: %v", err)

+	}

+	now := time.Date(2026, 5, 7, 12, 0, 0, 0, time.UTC)

+	code, err := Generate(secret, now)

+	if err != nil {

+		t.Fatalf("Generate: %v", err)

+	}

+	step, err := Verify(secret, code, now)

+	if err != nil {

+		t.Fatalf("Verify: %v", err)

+	}

+	if step != Step(now) {

+		t.Fatalf("step = %d, want %d", step, Step(now))

+	}

+}

+

+func TestVerify_AcceptsSkew(t *testing.T) {

+	t.Parallel()

+	secret, _ := GenerateSecret()

+	t0 := time.Date(2026, 5, 7, 12, 0, 0, 0, time.UTC)

+	codePrev, _ := Generate(secret, t0.Add(-30*time.Second))

+	codeNext, _ := Generate(secret, t0.Add(30*time.Second))

+	if _, err := Verify(secret, codePrev, t0); err != nil {

+		t.Fatalf("prev step rejected: %v", err)

+	}

+	if _, err := Verify(secret, codeNext, t0); err != nil {

+		t.Fatalf("next step rejected: %v", err)

+	}

+}

+

+func TestVerify_RejectsTooFarOff(t *testing.T) {

+	t.Parallel()

+	secret, _ := GenerateSecret()

+	t0 := time.Date(2026, 5, 7, 12, 0, 0, 0, time.UTC)

+	old, _ := Generate(secret, t0.Add(-90*time.Second)) // ~3 steps back

+	if _, err := Verify(secret, old, t0); err == nil {

+		t.Fatal("expected rejection of code 3 steps behind")

+	}

+}

+

+func TestVerify_RejectsMalformed(t *testing.T) {

+	t.Parallel()

+	secret, _ := GenerateSecret()

+	now := time.Now()

+	cases := []string{"", "12345", "1234567", "abcdef", "12345!"}

+	for _, c := range cases {

+		if _, err := Verify(secret, c, now); err == nil {

+			t.Errorf("expected rejection for %q", c)

+		}

+	}

+}

+

+func TestOtpauthURI_Shape(t *testing.T) {

+	t.Parallel()

+	secret := []byte("0123456789abcdef0123") // 20 bytes

+	u := OtpauthURI("shithub", "alice", secret)

+	if !strings.HasPrefix(u, "otpauth://totp/shithub:alice?") {

+		t.Fatalf("URI shape wrong: %s", u)

+	}

+	for _, want := range []string{"secret=", "issuer=shithub", "algorithm=SHA1", "digits=6", "period=30"} {

+		if !strings.Contains(u, want) {

+			t.Errorf("URI missing %q: %s", want, u)

+		}

+	}

+}

+

+func TestEncodeBase32_NoPadding(t *testing.T) {

+	t.Parallel()

+	enc := EncodeBase32(make([]byte, 20))

+	if strings.Contains(enc, "=") {

+		t.Fatalf("base32 contains padding: %s", enc)

+	}

+}

+

+// ----- recovery codes -----

+

+func TestRecoveryCodes_ShapeAndUniqueness(t *testing.T) {

+	t.Parallel()

+	codes, hashes, err := GenerateRecoveryCodes()

+	if err != nil {

+		t.Fatalf("GenerateRecoveryCodes: %v", err)

+	}

+	if len(codes) != RecoveryCodeCount || len(hashes) != RecoveryCodeCount {

+		t.Fatalf("count mismatch")

+	}

+	seen := map[string]bool{}

+	for _, c := range codes {

+		if !LooksLikeRecoveryCode(c) {

+			t.Errorf("LooksLikeRecoveryCode rejected its own output: %q", c)

+		}

+		if !strings.Contains(c, "-") {

+			t.Errorf("missing dashes: %q", c)

+		}

+		if seen[c] {

+			t.Errorf("duplicate code: %q", c)

+		}

+		seen[c] = true

+	}

+}

+

+func TestRecoveryCodes_HashRoundTrip(t *testing.T) {

+	t.Parallel()

+	codes, hashes, _ := GenerateRecoveryCodes()

+	for i, c := range codes {

+		// Hashing the printed form (with dashes) and the normalized form

+		// must yield the same hash.

+		if !EqualHash(HashRecoveryCode(c), hashes[i]) {

+			t.Errorf("code %q hash mismatch (printed)", c)

+		}

+		if !EqualHash(HashRecoveryCode(NormalizeRecoveryCode(c)), hashes[i]) {

+			t.Errorf("code %q hash mismatch (normalized)", c)

+		}

+		// Lowercase + space variant should also match.

+		messy := "  " + strings.ToLower(c) + "  "

+		if !EqualHash(HashRecoveryCode(messy), hashes[i]) {

+			t.Errorf("code %q hash mismatch (lowercase + spaces)", c)

+		}

+	}

+}

+

+func TestLooksLikeRecoveryCode(t *testing.T) {

+	t.Parallel()

+	yes := []string{"ABCD-EFGH-JKMN", "abcd-efgh-jkmn", "A2C4-EF7H-JKM3"}

+	for _, s := range yes {

+		if !LooksLikeRecoveryCode(s) {

+			t.Errorf("expected accept: %q", s)

+		}

+	}

+	no := []string{"123456", "ABC-DEF", "ABCDEFGHJKMN!", ""}

+	for _, s := range no {

+		if LooksLikeRecoveryCode(s) {

+			t.Errorf("expected reject: %q", s)

+		}

+	}

+}

+

+func TestQRSVG_Renders(t *testing.T) {

+	t.Parallel()

+	secret, _ := GenerateSecret()

+	uri := OtpauthURI("shithub", "alice", secret)

+	svg, err := QRSVG(uri)

+	if err != nil {

+		t.Fatalf("QRSVG: %v", err)

+	}

+	s := string(svg)

+	for _, want := range []string{`<svg`, `</svg>`, `viewBox`, `<rect`} {

+		if !strings.Contains(s, want) {

+			t.Errorf("missing %q in svg", want)

+		}

+	}

+	// Defense-in-depth: secret must NOT appear in the SVG.

+	if strings.Contains(s, EncodeBase32(secret)) {

+		t.Fatal("secret leaked into rendered SVG")

+	}

+}