A complete implementation of a secure TOTP (Time-based One-Time Password) authentication system with Flutter mobile app and Go backend.
## Features

- Offline TOTP generation (5-minute intervals)
- Secure secret storage with flutter_secure_storage
- Secret rotation on demand
- QR code setup for authenticator apps
- JWT-based authentication
- SQLite database storage
- Audit logging
- Time drift tolerance (±5 minutes)
## Prerequisites

- Go 1.21 or higher
- Flutter 3.0 or higher
- SQLite3
## Backend Setup

- Create the project directory:

```bash
mkdir totp-auth-backend
cd totp-auth-backend
```

- Initialize the Go module:

```bash
go mod init totp-auth-backend
```

- Copy the go.mod content and main.go files from the artifacts above
- Install dependencies:

```bash
go mod tidy
```

- Run the server:

```bash
go run main.go
```

The server will start on http://localhost:8080
## Frontend Setup

- Create the Flutter project:

```bash
flutter create totp_auth_app
cd totp_auth_app
```

- Replace pubspec.yaml with the provided content
- Get dependencies:

```bash
flutter pub get
```

- Create the directory structure:

```bash
mkdir -p lib/models lib/services lib/screens
```

- Copy all the Flutter files:
  - lib/main.dart
  - lib/models/user.dart
  - lib/services/auth_service.dart
  - lib/services/totp_service.dart
  - lib/screens/auth_screen.dart
  - lib/screens/home_screen.dart
- Run the app:

```bash
# For Android
flutter run
# For iOS
flutter run -d ios
# For web (development)
flutter run -d chrome
```

## Platform Permissions

Add to `android/app/src/main/AndroidManifest.xml`:

```xml
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.USE_FINGERPRINT" />
<uses-permission android:name="android.permission.USE_BIOMETRIC" />
```

Add to `ios/Runner/Info.plist`:

```xml
<key>NSFaceIDUsageDescription</key>
<string>Use Face ID to authenticate</string>
<key>NSCameraUsageDescription</key>
<string>Camera access for QR code scanning</string>
```

## API Testing with Postman

- Import the Postman collection using the JSON file provided above
- Set the base URL to http://localhost:8080
- Test the API endpoints in order:
  - Health Check - Verify the server is running
  - Register User - Create a new user account
  - Login User - Get an authentication token
  - Get TOTP Setup - Retrieve the QR code and secret
  - Generate TOTP Code - Get the current valid code
  - Verify TOTP Code - Test code validation
  - Rotate TOTP Secret - Update the secret key
## Using the App

### Registration

- Open the app
- Switch to the "Register" tab
- Enter a username and password
- Scan the QR code with your preferred authenticator app
- Continue to the main app

### Login

- Switch to the "Login" tab
- Enter your credentials
- Access the TOTP dashboard

### Dashboard

- Current TOTP Code: View and copy the current 6-digit code
- Auto-refresh: The code automatically updates every 5 minutes
- Manual verification: Test codes against the server
- QR Code display: View the setup QR code at any time
- Secret rotation: Generate a new secret key
- Secure logout: Clear all stored data
## Configuration

### Backend

- JWT Secret: Change `jwtSecret` in main.go for production
- Database: SQLite file created as `totp_auth.db`
- TOTP Interval: 300 seconds (5 minutes)
- Port: 8080 (configurable)

### Frontend

- API Base URL: Update in `auth_service.dart` for production
- Storage: Uses flutter_secure_storage for encrypted storage
- Biometrics: Optional local authentication
## Security Features

### Backend

- Password hashing with bcrypt
- JWT token-based authentication
- HMAC-SHA1 for TOTP generation
- Input validation and sanitization
- Rate limiting ready (Redis integration)
- Audit logging for all auth attempts

### Frontend

- Encrypted secret storage
- Secure HTTP communications
- Local authentication (biometrics)
- No sensitive data in app logs
- Memory protection for secrets
## Database Schema

```sql
CREATE TABLE users (
    id TEXT PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL,
    secret TEXT NOT NULL,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
);

CREATE TABLE auth_logs (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id TEXT,
    action TEXT,
    success BOOLEAN,
    ip_address TEXT,
    timestamp DATETIME DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY (user_id) REFERENCES users (id)
);
```

## API Endpoints

- `GET /health` - Health check
- `POST /api/register` - User registration
- `POST /api/login` - User authentication
- `GET /api/auth/totp/setup` - Get TOTP setup data
- `POST /api/auth/totp/verify` - Verify TOTP code
- `POST /api/auth/totp/rotate` - Rotate secret key
- `GET /api/auth/totp/generate` - Generate current code
## Production Deployment

### Backend

- Environment variables:

```bash
export JWT_SECRET="your-256-bit-secret-key"
export DB_PATH="/path/to/production.db"
export PORT="8080"
```
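The following added example (not the project's main.go) shows one way to read these variables so the server fails closed instead of silently falling back to the hard-coded `jwtSecret`: a missing or short `JWT_SECRET` aborts startup, while `DB_PATH` and `PORT` fall back to the defaults listed under Configuration (`totp_auth.db` and 8080). The `Config` type, `LoadConfig` and the 32-byte minimum (256 bits, matching the placeholder above) are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Config holds the settings the server reads from its environment.
// (Type and field names are assumptions for this example.)
type Config struct {
	JWTSecret []byte
	DBPath    string
	Port      string
}

// LoadConfig reads JWT_SECRET, DB_PATH and PORT through a lookup function
// (os.LookupEnv in production; a map in tests). It fails closed: a missing
// or short JWT_SECRET is an error, never a fallback to a built-in default.
func LoadConfig(lookup func(string) (string, bool)) (Config, error) {
	secret, ok := lookup("JWT_SECRET")
	if !ok || len(secret) < 32 { // 32 bytes = 256 bits; assumed minimum
		return Config{}, errors.New("JWT_SECRET must be set and at least 32 bytes (256 bits)")
	}
	cfg := Config{
		JWTSecret: []byte(secret),
		DBPath:    "totp_auth.db", // README default
		Port:      "8080",         // README default
	}
	if v, ok := lookup("DB_PATH"); ok && v != "" {
		cfg.DBPath = v
	}
	if v, ok := lookup("PORT"); ok && v != "" {
		cfg.Port = v
	}
	return cfg, nil
}

func main() {
	cfg, err := LoadConfig(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("listening on :%s, database %s\n", cfg.Port, cfg.DBPath)
}
```

Passing the lookup function in, rather than calling `os.Getenv` inside, keeps the check testable without touching the real environment; the process exits non-zero on a bad configuration so a deployment script notices the failure.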
- Build and deploy:

```bash
go build -o totp-auth-server main.go
./totp-auth-server
```

### Frontend

- Build for release:

```bash
# Android
flutter build apk --release
flutter build appbundle --release
# iOS
flutter build ios --release
```

- Update the API URLs in production builds
## Troubleshooting

### Common Issues

- CORS errors: Check the CORS configuration in main.go
- Database permission: Ensure write permissions for the SQLite file
- Time sync: Verify the system time is synchronized
- Token expiry: Tokens expire after 24 hours
- Secret storage: Clear app data if storage issues occur

### Debug Tips

- Enable verbose logging in both Go and Flutter
- Check network connectivity
- Verify API endpoint accessibility
- Test with curl commands
This project is for educational and demonstration purposes. Please review and modify security settings before production use.
## Contributing

- Fork the repository
- Create a feature branch
- Commit your changes
- Push to the branch
- Create a Pull Request
Note: This implementation uses a 5-minute TOTP interval for demonstration. Standard TOTP uses 30-second intervals. Adjust the interval value in both backend and frontend for different requirements.
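As an added example that is not the project's own code, the following Go program shows the TOTP mechanics this README relies on: HMAC-SHA1 per RFC 4226/6238, a 300-second interval, a one-step (±5 minute) drift window, a freshly generated secret as used for setup and rotation, and the `otpauth://` URI that the setup QR code encodes. The names `NewSecret`, `GenerateAt`, `VerifyAt` and `SetupURI`, the 160-bit secret length and the issuer label are assumptions chosen for this example; changing `Interval` to 30 gives standard codes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

const (
	Interval   = 300       // seconds per step: this project uses 5 minutes, RFC 6238 default is 30
	Digits     = 6         // code length
	modulus    = 1_000_000 // 10^Digits
	DriftSteps = 1         // steps accepted either side of "now": +/-5 minutes at 300 s
)

// Unpadded base32 is what authenticator apps expect in an otpauth URI.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewSecret returns a fresh 160-bit random secret, base32-encoded.
// (Name and key length are assumptions for this example.)
func NewSecret() (string, error) {
	buf := make([]byte, 20)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return b32.EncodeToString(buf), nil
}

// codeAt computes the HOTP value (RFC 4226, HMAC-SHA1) for one counter value.
func codeAt(secretB32 string, counter uint64) (string, error) {
	key, err := b32.DecodeString(secretB32)
	if err != nil {
		return "", fmt.Errorf("invalid base32 secret: %w", err)
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%modulus), nil
}

// GenerateAt returns the TOTP code valid at time t (counter = unix time / Interval).
func GenerateAt(secretB32 string, t time.Time) (string, error) {
	return codeAt(secretB32, uint64(t.Unix()/Interval))
}

// VerifyAt accepts a submitted code if it matches the current step or any step
// within DriftSteps of it. Every candidate is compared in constant time, and
// the loop never exits early, so timing does not reveal which step matched.
func VerifyAt(secretB32, submitted string, t time.Time) (bool, error) {
	if len(submitted) != Digits {
		return false, nil
	}
	current := t.Unix() / Interval
	matched := false
	for d := int64(-DriftSteps); d <= DriftSteps; d++ {
		step := current + d
		if step < 0 {
			continue
		}
		expected, err := codeAt(secretB32, uint64(step))
		if err != nil {
			return false, err
		}
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			matched = true
		}
	}
	return matched, nil
}

// SetupURI builds the otpauth:// URI the setup QR code encodes. The period
// parameter carries the non-default interval so apps that honour it stay in sync.
func SetupURI(issuer, username, secretB32 string) string {
	q := url.Values{}
	q.Set("secret", secretB32)
	q.Set("issuer", issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", fmt.Sprint(Digits))
	q.Set("period", fmt.Sprint(Interval))
	return "otpauth://totp/" + url.PathEscape(issuer+":"+username) + "?" + q.Encode()
}

func main() {
	secret, err := NewSecret()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	code, _ := GenerateAt(secret, now)
	ok, _ := VerifyAt(secret, code, now.Add(4*time.Minute)) // still inside the +/-1 step window
	fmt.Printf("secret=%s code=%s accepted_after_4min=%v\n%s\n", secret, code, ok, SetupURI("TOTP Auth", "alice", secret))
}
```

The drift window is expressed in steps rather than seconds, which is why changing `Interval` to 30 shrinks the tolerance to ±30 seconds unless `DriftSteps` is raised too. When testing with a third-party authenticator, keep in mind that some apps ignore the `period` parameter and assume 30 seconds, so codes from such an app will not match a 300-second server; the project's own Flutter app and the `/api/auth/totp/generate` endpoint share the server's interval and are the reliable reference.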