Improve Performance for HOTP OCRA (#196)

* Refactor OCRA Verify

- [+] refactor(otpverifier): simplify OCRA token comparison logic

* Reduce allocations per operation

- [+] refactor(benchmark_test.go): update benchmark results for OCRAVerify with reduced allocations per operation
- [+] refactor(hotp_ocra.go): optimize generateOCRA by preallocating data slice and using copy instead of append
- [+] refactor(hotp_ocra.go): simplify HOTP string formatting using fmt.Sprintf with width and padding options

Author: H0llyW00dzZ

internal/otpverifier/benchmark_test.go

@@ -228,12 +228,12 @@ func BenchmarkOCRAVerify(b *testing.B) {
 				// goarch: amd64
 				// pkg: github.com/H0llyW00dzZ/fiber2fa/internal/otpverifier
 				// cpu: AMD Ryzen 9 3900X 12-Core Processor (Best CPU Cryptographic)
-				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA1-6-24         	  504555	      2243 ns/op	     792 B/op	      22 allocs/op
-				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA256-8-24       	  595725	      2027 ns/op	     832 B/op	      22 allocs/op
-				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA512-8-24       	  425383	      2819 ns/op	    1185 B/op	      22 allocs/op
-				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA1-6#01-24      	  529720	      2242 ns/op	     792 B/op	      22 allocs/op
+				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA1-6-24         	  520404	      2181 ns/op	     784 B/op	      20 allocs/op
+				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA256-8-24       	  643852	      1950 ns/op	     824 B/op	      20 allocs/op
+				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA512-8-24       	  429360	      2791 ns/op	    1177 B/op	      20 allocs/op
+				// BenchmarkOCRAVerify/Hash=OCRA-1:HOTP-SHA1-6#01-24      	  533643	      2212 ns/op	     784 B/op	      20 allocs/op
 				//
-				// Note: 22 allocs/op it's because of Pseudorandom and Hash Function you poggers.
+				// Note: 20 allocs/op it's because of Pseudorandom and Hash Function you poggers.
 				verifier.Verify(tc.token, challenge)
 			}
 		})

internal/otpverifier/hotp_ocra.go

@@ -105,12 +105,10 @@ func (v *OCRAVerifier) generateOCRA(counter uint64, question string, hash func()
 	// Prepare the input data
 	// Note: The counterBytes and counter are not just any values. They can be bound to a cryptographically secure pseudorandom number,
 	// along with questionBytes, similar to how [DecodeBase32WithPadding] is used to manipulate the result in the frontend hahaha.
-	counterBytes := make([]byte, 8)
-	binary.BigEndian.PutUint64(counterBytes, counter)
-	questionBytes := []byte(question)
-
-	// Concatenate the input data
-	data := append(counterBytes, questionBytes...)
+	var data []byte
+	data = make([]byte, 8+len(question))
+	binary.BigEndian.PutUint64(data[:8], counter)
+	copy(data[8:], question)
 
 	// Generate the HMAC hash
 	hmacHash := hmac.New(hash, v.config.DecodeBase32WithPadding())
@@ -130,7 +128,7 @@ func (v *OCRAVerifier) generateOCRA(counter uint64, question string, hash func()
 	hotp := truncatedHash % uint32(p10n)
 
 	// Format the HOTP value as a string with the specified number of digits
-	return fmt.Sprintf(fmt.Sprintf("%%0%dd", v.config.Digits), hotp)
+	return fmt.Sprintf("%0*d", v.config.Digits, hotp) // Result will padding it with leading zeros if necessary.
 }
 
 // GenerateOTPURL creates the URL for the QR code based on the provided URI template.
@@ -147,9 +145,5 @@ func (v *OCRAVerifier) Verify(token string, challenge string) bool {
 	// Note: Signature verification is not applicable here because the OCRA algorithm itself provides sufficient security.
 	// It follows the specifications defined in RFC 6287 (https://datatracker.ietf.org/doc/html/rfc6287#section-7.1)
 	// and uses this [crypto/subtle] package, which is a crucial component in cryptographic operations.
-	if subtle.ConstantTimeCompare([]byte(token), []byte(expectedToken)) == 1 {
-		return true
-	}
-
-	return false
+	return subtle.ConstantTimeCompare([]byte(token), []byte(expectedToken)) == 1
 }