URL Encoding bug

[arigon]

Hello

if the issuer contains a space, the URL encoder will mix up the URL.

key, err := totp.Generate(totp.GenerateOpts{
	Issuer:      "Test Issuer",
	AccountName: "my@email.com",
})

Actual result:
otpauth://totp/Test%20Issuer:my@email.com?algorithm=SHA1&digits=6&issuer=Test+Issuer&period=30&secret=QE2C7JXZB3TY3FBKL6PB7PZXP7UCRPOA

Expected result:
otpauth://totp/Test%20Issuer:my@email.com?algorithm=SHA1&digits=6&issuer=Test%20Issuer&period=30&secret=QE2C7JXZB3TY3FBKL6PB7PZXP7UCRPOA

[pquerna]

So, we are just using standard golang url.Values{} and the Encode method. This uses a + as to encode a Space. This is a valid encoding -- alternatively, using %20 is also valid. maybe call this upstream golang/go#4013

Do you have a Client that isn't supporting the + encoding for spaces?

[arigon]

I saw this golang issue as well. The client I made the screenshots with is Google Authenticator. My workaround is to concat the URL and encode each parameter.

[arigon]

I will explain the differences of both encodings used by net.URL. Go net.URL has two different encoding functions: url.PathEscape() and url.QueryEscape(). PathEscape will replace a space with %20, QueryEscape will replace a space with +.
The Path of the OTP URL is escaped by PathEscape (space -> %20) and the parameters are escaped by QueryEscape (space -> +).

I'm building my own URL by concating the user defined values and only use PathEscape().

func buildOTPURL(issuer, email, algorithm, digits string, key *otp.Key) string {
	otpURL := "otpauth://totp/"
	otpURL += url.PathEscape(issuer)
	otpURL += ":"
	otpURL += url.PathEscape(email)
	otpURL += "?"
	otpURL += "algorithm=" + algorithm
	otpURL += "&digits=" + digits
	otpURL += "&issuer=" + url.PathEscape(issuer)
	otpURL += "&period=" + fmt.Sprint(key.Period())
	otpURL += "&secret=" + key.Secret()

	return otpURL
}

[pquerna]

Fixed by #78 and the v1.4 release https://github.com/pquerna/otp/releases/tag/v1.4.0