Documentation
Overview
Package auth implements the reverse-engineered Suunto login signing pipeline: KeyObfuscator XOR, secret derivation, RFC 6238 TOTP, and SHA-256 signatures.
Key material is extracted from APK com.stt.android.suunto v6.8.13. On a Suunto app major version bump, the constants below may need to be refreshed from the new APK; see CONTRIBUTING.md "Key rotation".
Constants
const (
	AppVersionCode = "6008013"
	PackageName    = "com.stt.android.suunto"
	UserAgent      = PackageName + "/" + AppVersionCode
	// TOTPDummySalt is used when no email is known yet; mirrors GenerateOTPUseCaseImpl.a().
	TOTPDummySalt = "totp.validation.dummy.email@suunto.com"
)
Functions
func DeriveLoginSecret
func DeriveLoginSecret() string
DeriveLoginSecret returns the secret used to sign /login2 form submissions.
func DeriveTOTPMasterSecret
func DeriveTOTPMasterSecret() string
DeriveTOTPMasterSecret returns the PBKDF2 password for per-user TOTP generation.
func GenerateTOTP
GenerateTOTP returns the current 6-digit TOTP for the given salt (email/username). offset adjusts the wall clock — pass the server-time offset in milliseconds.
func RandomSalt
func RandomSalt() string
RandomSalt returns 16 random bytes as base64url-no-padding (matches Python random_salt()).
func SignParams
SignParams returns the base64url(no-padding) SHA-256 signature of:
"POST&" + path + ("&" + k + "=" + v)... + "&secret=" + DeriveLoginSecret()
No URL-encoding is applied — values are concatenated verbatim, matching SessionRemoteApi.Companion.d() in the APK.
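The string-to-sign layout described for SignParams, as an added example that is not the package's own code. It shows why verbatim concatenation matters for interoperability: URL-encoding a value before signing yields a different signature. Assumptions: the Param type, the helper names, the field names and values, and the placeholder secret are all constructed here, and fields are signed in caller order because the page does not state an ordering.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Param is one form field. A slice keeps caller-chosen order; the page does
// not say how SignParams orders fields, so ordering here is an assumption.
type Param struct{ Key, Value string }

// placeholderSecret stands in for DeriveLoginSecret(); it is a constructed
// value, not key material from the APK.
const placeholderSecret = "PLACEHOLDER-SECRET"

// stringToSign builds "POST&" + path + "&k=v"... + "&secret=" + secret,
// concatenating keys and values verbatim (no URL-encoding).
func stringToSign(path string, params []Param, secret string) string {
	var b strings.Builder
	b.WriteString("POST&")
	b.WriteString(path)
	for _, p := range params {
		b.WriteString("&" + p.Key + "=" + p.Value)
	}
	b.WriteString("&secret=" + secret)
	return b.String()
}

// sign returns base64url (no padding) of SHA-256 over the string to sign.
func sign(path string, params []Param, secret string) string {
	sum := sha256.Sum256([]byte(stringToSign(path, params, secret)))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func main() {
	// Constructed sample fields; the real /login2 field names are not on the page.
	raw := []Param{{"email", "user+tag@example.com"}, {"salt", "c2FsdA"}}
	// Same fields with the email URL-encoded before signing (the mistake to avoid).
	enc := []Param{{"email", url.QueryEscape(raw[0].Value)}, raw[1]}
	fmt.Println(stringToSign("/login2", raw, placeholderSecret))
	fmt.Println("verbatim:", sign("/login2", raw, placeholderSecret))
	fmt.Println("encoded: ", sign("/login2", enc, placeholderSecret)) // differs from verbatim
}
```

A SHA-256 digest is 32 bytes, so the unpadded base64url signature is always 43 characters.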