[TOTP] Fix space-contained totp url detection

OffRange · OffRange · commit 4f6eb8ebff43 · 2025-08-26T23:56:42.000+02:00
This fixes issues occurring when a totp url contains spaces. Ths approach handles it and encodes them internally.
diff --git a/app/src/main/kotlin/de/davis/keygo/item/create/presentation/password/PasswordContent.kt b/app/src/main/kotlin/de/davis/keygo/item/create/presentation/password/PasswordContent.kt
@@ -180,6 +180,7 @@ fun PasswordContent(state: PasswordUiState, onEvent: (PasswordUiEvent) -> Unit)
             DialogState.TotpParseError -> {
                 TotpParseErrorDialog(
                     onDismiss = { onEvent(PasswordUiEvent.OnTotpParseErrorDismiss) },
+                    modifier = Modifier.fillMaxWidth()
                 )
             }
 
@@ -230,6 +231,7 @@ fun PasswordContent(state: PasswordUiState, onEvent: (PasswordUiEvent) -> Unit)
         }
     }
 
+    // TODO: check permissions
     if (state.scanning) {
         QRScanner(
             onClose = { onEvent(PasswordUiEvent.OnBackClick) },
diff --git a/app/src/main/kotlin/de/davis/keygo/item/create/presentation/password/PasswordViewModel.kt b/app/src/main/kotlin/de/davis/keygo/item/create/presentation/password/PasswordViewModel.kt
@@ -1,5 +1,6 @@
 package de.davis.keygo.item.create.presentation.password
 
+import android.util.Log
 import androidx.compose.foundation.text.input.TextFieldState
 import androidx.compose.foundation.text.input.setTextAndPlaceCursorAtEnd
 import androidx.compose.runtime.snapshotFlow
@@ -203,6 +204,7 @@ class PasswordViewModel(
 
     private fun initWithTotpUri(totpUri: String) {
         getTotpSecret(totpUri).onFailure {
+            Log.e(TAG, "Error parsing TOTP URI: $it")
             showTotpParseError()
         }.onSuccess { secret ->
             totpSecretInformation = secret
@@ -314,7 +316,11 @@ class PasswordViewModel(
             }
 
             is PasswordUiEvent.OnCodesScanned -> {
-                event.codes.firstNotNullOfOrNull { getTotpSecret(it).getOrNull() }
+                event.codes.firstNotNullOfOrNull {
+                    getTotpSecret(it).onFailure { failure ->
+                        Log.e(TAG, "Error parsing TOTP URI: $failure")
+                    }.getOrNull()
+                }
                     ?.let {
                         _uiState.update { state ->
                             state.copy(scanning = false)
@@ -512,4 +518,8 @@ class PasswordViewModel(
             )
         }
     }
+
+    companion object {
+        private const val TAG = "PasswordViewModel"
+    }
 }
diff --git a/app/src/main/kotlin/de/davis/keygo/totp/domain/model/TotpSecretUrlParseError.kt b/app/src/main/kotlin/de/davis/keygo/totp/domain/model/TotpSecretUrlParseError.kt
@@ -1,6 +1,8 @@
 package de.davis.keygo.totp.domain.model
 
 sealed interface TotpSecretUrlParseError {
+    data class CouldNotParseUrl(val url: String) : TotpSecretUrlParseError
+
     data class SchemeNotSupported(val scheme: String?) : TotpSecretUrlParseError
     data class HostNotSupported(val host: String?) : TotpSecretUrlParseError
     data class IssuerMismatch(val param: String, val query: String) : TotpSecretUrlParseError
diff --git a/app/src/main/kotlin/de/davis/keygo/totp/domain/usecase/GetTotpSecretFromUrlUseCase.kt b/app/src/main/kotlin/de/davis/keygo/totp/domain/usecase/GetTotpSecretFromUrlUseCase.kt
@@ -1,6 +1,7 @@
 package de.davis.keygo.totp.domain.usecase
 
 import de.davis.keygo.core.domain.Result
+import de.davis.keygo.core.domain.getOrNull
 import de.davis.keygo.totp.domain.model.Algorithm
 import de.davis.keygo.totp.domain.model.TotpSecretInformation
 import de.davis.keygo.totp.domain.model.TotpSecretUrlParseError
@@ -11,9 +12,15 @@ import java.net.URI
 class GetTotpSecretFromUrlUseCase {
 
     operator fun invoke(url: String): Result<TotpSecretInformation, TotpSecretUrlParseError> {
-        val uri = URI.create(url)
-        if (uri.scheme != "otpauth")
-            return Result.Failure(TotpSecretUrlParseError.SchemeNotSupported(uri.scheme))
+        if (!url.startsWith("otpauth://"))
+            return Result.Failure(
+                TotpSecretUrlParseError.SchemeNotSupported(
+                    url.split("://").firstOrNull()
+                )
+            )
+
+        val uri = sanitizeAndParse(url).getOrNull()
+            ?: return Result.Failure(TotpSecretUrlParseError.CouldNotParseUrl(url))
 
         if (uri.host != "totp")
             return Result.Failure(TotpSecretUrlParseError.HostNotSupported(uri.host))
@@ -33,7 +40,8 @@ class GetTotpSecretFromUrlUseCase {
             }
         }
 
-        val query = uri.query ?: return Result.Failure(TotpSecretUrlParseError.NoQueryProvided)
+        val query = uri.query.ifBlank { null }
+            ?: return Result.Failure(TotpSecretUrlParseError.NoQueryProvided)
         val algorithm = query.getQueryParameter("algorithm").asAlgorithmOrSHA1()
         val digits = query.getQueryParameter("digits")
             ?.toIntOrNull()
@@ -68,6 +76,23 @@ class GetTotpSecretFromUrlUseCase {
 
     private fun String?.asAlgorithmOrSHA1() =
         this?.let { Algorithm.fromString(it) } ?: DefaultTotpValues.DEFAULT_ALGORITHM
+
+    private fun sanitizeAndParse(url: String): Result<URI, Unit> {
+        // - (?<authority>[^/?#]+)  : Named group capturing one or more characters that are not '/', '?', or '#'
+        // - (?<label>[^?#]*)?      : Optional named group capturing zero or more characters that are not '?' or '#'.
+        //                            It includes the leading '/' in the path.
+        // - (?:\\?(?<query>.*))?   : Non-capturing group capturing the query part after '?' if it exists
+        val matches = "^otpauth://(?<authority>[^/?#]+)(?<label>[^?#]*)?(?:\\?(?<query>.*))?$"
+            .toRegex()
+            .matchEntire(url)
+            ?: return Result.Failure(Unit)
+
+        val authority = matches.groups["authority"]?.value
+        val label = matches.groups["label"]?.value
+        val query = matches.groups["query"]?.value
+
+        return Result.Success(URI("otpauth", authority, label, query, null))
+    }
 }
 
 object DefaultTotpValues {
diff --git a/app/src/test/kotlin/de/davis/keygo/totp/domain/usecase/GetTotpSecretFromUrlUseCaseTest.kt b/app/src/test/kotlin/de/davis/keygo/totp/domain/usecase/GetTotpSecretFromUrlUseCaseTest.kt
@@ -31,6 +31,21 @@ class GetTotpSecretFromUrlUseCaseTest {
         assertEquals(30, info.period)
     }
 
+    @Test
+    fun `valid space-contained totp url returns totp secret information`() {
+        val url = "otpauth://totp/example.com (alice@gmail.com)?secret=JBSWY3DPEHPK3PXP"
+        val result = useCase(url)
+        assertTrue(result is Result.Success)
+        val info = (result as Result.Success).success
+        assertEquals("JBSWY3DPEHPK3PXP", info.secret)
+        //TODO: extract issue and acc name from a string that is not separated by a ":"
+        // --> assertEquals("example.com", info.issuer)
+        assertEquals("example.com (alice@gmail.com)", info.accountName)
+        assertEquals(Algorithm.SHA1, info.algorithm)
+        assertEquals(6, info.digits)
+        assertEquals(30, info.period)
+    }
+
     @Test
     fun `missing secret returns no secret provided error`() {
         val url = "otpauth://totp/Example:alice@google.com?issuer=Example"

Original file line number	Diff line number	Diff line change
`@@ -180,6 +180,7 @@ fun PasswordContent(state: PasswordUiState, onEvent: (PasswordUiEvent) -> Unit)`
`180`	`180`	`DialogState.TotpParseError -> {`
`181`	`181`	`TotpParseErrorDialog(`
`182`	`182`	`onDismiss = { onEvent(PasswordUiEvent.OnTotpParseErrorDismiss) },`
	`183`	`+ modifier = Modifier.fillMaxWidth()`
`183`	`184`	`)`
`184`	`185`	`}`
`185`	`186`
`@@ -230,6 +231,7 @@ fun PasswordContent(state: PasswordUiState, onEvent: (PasswordUiEvent) -> Unit)`
`230`	`231`	`}`
`231`	`232`	`}`
`232`	`233`
	`234`	`+ // TODO: check permissions`
`233`	`235`	`if (state.scanning) {`
`234`	`236`	`QRScanner(`
`235`	`237`	`onClose = { onEvent(PasswordUiEvent.OnBackClick) },`