Re: New package for NonGNU ELPA : totp-auth

[Michael Albinus <michael.albinus@gmx.de>]

Vivek Das Mohapatra <vivek@etla.org> writes:

> Hi

Hi Vivek,

> I've recently made a package that implements RFC6238 TOTP and was
> wondering if nongnu elpa would consider carrying it:

Thanks for the offer. It looks like your package is already available
via MELPA, so I'm using this for review. First of all, could you pls
explain what's the relation of your package and the package totp, also
available via MELPA? Similarities and differences?

And a short search shows also the package emacs-totp
on Github, how is the relation whith that package?

Some comments on first test. I've naively installed the package from
MELPA. In a new Emacs session, I've called 'M-x totp-auth RET RET'. This
returns

--8<---------------cut here---------------start------------->8---
Error running timer ‘totp-auth-update-token-notification’: (wrong-type-argument char-or-string-p nil) [nn times]
--8<---------------cut here---------------end--------------->8---

Well, likely due to a missing secret. Should be told to me.

So I call the following 'M-x totp-auth-add-secret RET 1234567890 RET RET
RET'. The secret I've entered was visible in clear text - bad. You
shouldn't use read-string for this job, but let auth-source-search and
its :create feature do the job. If you really want to read the password
on your own, use password-read instead of read-string .

I was asked for Service, User, and Size. Since I didn't get any hint
what it means, I've entered RET, hoping for defaults. Well, in the GNOME
passwords I could see now a new item in the Login collection, w/o a label
and with the secret "otpauth://totp/?secret=1234567890;digits=6".  Looks
like related, but without a label it isn't useful I guess. I've deleted
it.

Next approach: 'M-x totp-auth-add-secret RET 1234567890 RET foo RET
RET RET'. Voila, that works! There's now a new item in the Login
collection labelled "foo", with the same secret. Promising.

I recommend to enhance your documentation, in the Commentary section of
totp-auth.el and/or via tooltips.

Now ruuning again 'M-x totp-auth RET foo RET'. "foo" is offered for
completion, good. But I get the error message

--8<---------------cut here---------------start------------->8---
Error running timer ‘totp-auth-update-token-notification’: (error "Invalid base32 payload length: 10") [73 times]
--8<---------------cut here---------------end--------------->8---

So the default length (6) does not match the real length (10). Should be
handled by the package.

Adding a new secret, 'M-x totp-auth-add-secret RET 0987654321 RET bla
RET RET 10 RET'. But 'M-x totp-auth RET bla RET' shows the same error.

Last check: Using 6 digits via 'M-x totp-auth-add-secret RET 123456 RET
baz RET RET RET'. 'M-x totp-auth RET baz RET' shows now

--8<---------------cut here---------------start------------->8---
Error running timer ‘totp-auth-update-token-notification’: (args-out-of-range "\267\316\370\0" 5) [76 times]
--8<---------------cut here---------------end--------------->8---

Stopping my tests. Pls fix the package (still in MELPA, no problem) that
it is useful for uninitiated users. I will continue to check then.

Best regards, Michael.