anonymous1184/bitwarden-autotype

No TOTP code entered or copied

Closed this issue · 26 comments

Issue:
When I use the keyboard shortcut for TOTP codes or the full auto entry no code is entered or in my clipboard for me to paste.

Other details:
I selfhost with vaultwarden.
The codes are displayed when I access BW CLI directly.

Example of a test entry I created in my vault:
Screenshot_totp_not_copied
{ClearField}{Username}{SmartTab}{Password}{Enter}{Wait 500}{TOTP}{SmartTab}{Enter}

The value I set for auto-type seems to be read, and I have tested in Notepad++.

This is the output:
npp_autotype_output
(to be clear, that is the correct password and it is random and unique for this test so not an issue to share)

You can see the tabs and enters but the spot where the TOTP code should be is blank.

(Sorry to create more issues for you, this is a really cool tool and I'm thankful for it, keep up the good work)

I can confirm the error. I also use vaultwarden and the TOTP is not inserted

I also get this error and I don't selfhost

I couldn't replicate this behavior, however in the latest release this portion of the code got a considerable amount of modifications.

specifically I get this with XivLauncher, I got it all setup in the vault to detect the program so no "no matches found" pop up, I do the ctrl alt O for totp but nothing goes in my clipboard, so nothing to paste

If a "No match found" message appears, it means that no entry in the vault matches the current window, so there won't be anything to be copied to the Clipboard or typed.

> If a "No match found" message appears, it means that no entry in the vault matches the current window, so there won't be anything to be copied to the Clipboard or typed.

no I'm saying it does NOT appear, so that there IS an entry but it does NOT copy it for final fantasy XIV when asked to enter OTP I do CTRL ALT O and then CTRL V, nothing

I'm still having issues.

I briefly tested last night, and thought I got the totp code in my clipboard once, but I couldn't repeat it. The username and password would autotype but I never got the totp to autotype.

When you tested did you use the development branch or the compiled exe?

I also have never seen any "no match" message

I tried several combinations and all of them seem to work, even with elevated apps (running as administrator). Please bear in mind that for auto-type to work with applications running as administrator you either need the setup version or run the portable version elevated.

This is the entry in the vault:

[image]

This is the testing window:

[image]

Notifications:

[image]

And the app settings (which are the defaults):

[image]

I know the issue was reported with the previous version and that the latest release had a bumpy start with Bitwarden blocking logins from the app, but if you can detail a bit more the steps and issues you are facing I can try and replicate.

I tried with notepad as well, however it wouldn't even paste anything I did the default sequence and had added a match for notepad, and it did nothing just types á for me lol using UK keyboard layout, run as admin and not, I also just tested with something that used to work default sequence wise(steam) and it doesn't do anything now.

I'm using the autohotkey version not the setup.exe

the steps are, I login, open program to auto type, click the keybinds for it, nothing happens

(Please reopen this issue)

A few interesting things (maybe)

  • I have never seen a Windows Auto-type notification for TOTP (only sync notifications)
  • I run on a non admin account most of the time but tested with my admin account and didn't have different behavior.
  • I have clipboard history disabled

There have been a couple times that a six digit code shows up in my clipboard, but when I have tried to check it, it is wrong, likely out of date. It never is updated and never shows a notification. And if I put something else in the clipboard nothing is changed again.

My settings,
bw_auto-type_settings
Also in the settings.ini under GENERAL totp = 1.

I do not have an installation of Autohotkey.

The steps I took:

  1. Download the setup.exe
  2. Install auto-type
  3. Open it once (not sign in)
  4. Close it
  5. Open settings.ini point it to my self hosted instance
  6. Open auto-type and sign in
  7. Open Notepad
  8. Press Ctrl+Alt+A
  9. Get only the username and password
    (no TOTP, but the items after it are inserted, and nothing in the clipboard.)
    As testing this I was able to get a TOTP notification, but it is blank:
    bw_auto-type_totp_blank and I can only get it for Notepad.exe, when I test with Notepad++ or Word as I was originally I still get no notifications.

Also I get no notification for Ctrl+Alt+O at all and nothing in the clipboard.

Let me know if you want me to try something, I can probably fire up a VM or get on discord and stream my screen.

I created a new Bitwarden account, logged into the app and after I got a "No auto-type match found" I synced and it worked just fine. And by no means is it necessary to run the app as administrator, that's why the setup version exists... to avoid the UAC prompt while still being able to interact with elevated apps.

In the current state of the develop branch I added some error reporting to the TOTP generation (plus a couple of enhancements recommended by @KnightTim) that can be used to debug this issue, but coding wise it's been stable for quite a while now.

Thanks a lot for all the input.

I just used the debug version and the issue seems to be the format, it won't accept anything not in otpauth but since I don't do QR scans on my pc(obviously) they are all just the secret key code for my totp and steam is ofc its completely own version

Bitwarden only supports a properly formatted Key Uri:

https://github.com/bitwarden/jslib/blob/master/common/src/services/totp.service.ts#L23

As for Steam, (I just saw in the source of Bitwarden) they use the same algorithm but with a non-standard length of 5 digits ¯\_(ツ)_/¯

The specification states either 6 or 8 digits. The RFC Test Vectors are also capped at 8 but ambiguously enough don't mention any min/max length. MS Authenticator, Google's or Authy don't allow a length change... so as always it is a big gray area.

Now, if Bitwarden doesn't support base32 secret only in the TOTP field, why do you have it like that? You just need to edit your entries and add the proper format for both Bitwarden and Auto-Type to generate a TOTP:

otpauth://totp/?secret=BASE32_SECRET

And depending on the browser you use there are extensions to read QR codes. That said, I'm not a purist so I'll edit it to suit your needs given that might be beneficial for others (plus I can include Steam processing), but I'd like to hear @KnightTim's input to see what his issue might be.

I'm not on my computer, I'll test the debug version later.

I have most of my totp secrets stored as just a 32 character string. It works fine, even if that isn't per the spec. Most of the time I'm on the desktop and just copy the text from the website and often just the 32 character secret is displayed without any URI.

Edit: I was looking on the desktop, it looks like it isn't technically a 32 character string, but they mostly do not have otpauth://totp/?secret= in front of them

> Bitwarden only supports a properly formatted Key Uri:
>
> https://github.com/bitwarden/jslib/blob/master/common/src/services/totp.service.ts#L23

I just looked at the source, they are checking if the beginning of the key string is 'otpauth://', if the string doesn't not contain 'otpauth://' the indexOf function will return a 0. So either 'otpauth://' needs to be at the beginning of the key or the key cannot contain it.

Just tested the debug version on my computer, if the TOTP secret contains 'otpauth://' everything works as expected.

Note 1) If you have a non default sequence defined in the custom text (auto-type) field the TOTP code will not be placed in the clipboard. This was a little unexpected based on how I read the comments for the TOTP config in the settings.ini, since it is working and I can add a code to manually put the TOTP code in the clipboard I don't think this is an issue.

Note 2) I somehow got the debug unsigned version of auto-type so it wasn't responding to key presses. Once I restarted it, it worked. But I'm not sure what was going on.

> Bitwarden only supports a properly formatted Key Uri:
>
> https://github.com/bitwarden/jslib/blob/master/common/src/services/totp.service.ts#L23
>
> As for Steam, (I just saw in the source of Bitwarden) they use the same algorithm but with a non-standard length of 5 digits ¯\_(ツ)_/¯
>
> The specification states either 6 or 8 digits. The RFC Test Vectors are also capped at 8 but ambiguously enough don't mention any min/max length. MS Authenticator, Google's or Authy don't allow a length change... so as always it is a big gray area.
>
> Now, if Bitwarden doesn't support base32 secret only in the TOTP field, why do you have it like that? You just need to edit your entries and add the proper format for both Bitwarden and Auto-Type to generate a TOTP:
>
> otpauth://totp/?secret=BASE32_SECRET
>
> And depending on the browser you use there are extensions to read QR codes. That said, I'm not a purist so I'll edit it to suit your needs given that might be beneficial for others (plus I can include Steam processing), but I'd like to hear @KnightTim's input to see what his issue might be.

uh what? it absolutely supports without lol all my totp is without and they are 100% correct in website vault, browser extension and windows program so that definitely is NOT true lol

and as for steam they need you to make it steam://TOTPKEY not otpauth and as knight said, no site displays the otpauth code when you are given just the code, hell not even bitwarden does it when you add totp to your account its just the secret key code nothing else, you may get otpauth if you did QR scan but thats it.

@KnightTim Thanks a lot for the thorough testing. And yes, the secret is a Base32 encoded string, not necessarily 32 characters long. Most sites use a 16 length and others 32 (AWS uses a ridiculously long 64 and on top of that adds unnecessary padding).

The lengthier, the harder to input when not using QR codes; if you ask me there's no point given the nature of the algorithm and the fact that it is time-sensitive.

@Nypheena Having a Key Uri-only is totally an oversight on my account.

Side note: In the settings, if you enable Authenticator unlocking, it shows a QR:

[image]

The example above:

otpauth://totp/Auto-Type Unlock?issuer=Bitwarden&secret=RHXB2AOC

There's also the option to show the secret for manual input, so yeah... I was aware that was a possibility but I had the idea Bitwarden only supported proper Key Uris, again my bad.


Both: Cannot express my gratitude for your input, and now that I actually read Bitwarden's code rather than skim through it I see the lines above (lines 19-22) first set the defaults and use the whole field contents as the key, then if a Key Uri is found it proceeds to split the contents.

As for Steam, it uses the defaults with a 5 digit length so there are no problems there, I'll add it alongside the fix.

I guess after stacking up so many hours in my daily job doing side projects is ill-advised :P

@anonymous1184 no worries, thank you for keeping at it on this issue bitwarden has made me actually start to use totp in more places as I always hated relying on checking phone then manually writing it in every time

thank you for updating, tho it still doesn't seem to accept it too well

For final fantasy the secret I got is 4 characters 8 times with space and doesn't seem to be accepted but bitwarden does


I have entries formatted like Nypheena's as well,

Example for Adobe below:
abode_entry

Would there be an option to fall back to try to get the TOTP code from the bw-cli?

I also noticed an issue with TOTP for steam.
steam_totp_error

Likely you need to define a different character set for steam, similar to what bitwarden is doing here:
https://github.com/bitwarden/jslib/blob/542852a3be13328acac8019a5b358e2608883a43/common/src/services/totp.service.ts#L10
Also I think generation would be slightly different, probably something like this:
https://github.com/bitwarden/jslib/blob/1016bbfb9eb28c220de8d2ab86d1f2757328f254/common/src/services/totp.service.ts#L84

Seems about right, the space is not a valid BASE32 character, but I see how, for readability, vendors present the string visually separated with added spaces and then users just copy it without cleaning it.

Thanks for the heads up.
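The field handling discussed in this thread (whole field used as the key by default, an `otpauth://` Key Uri, a `steam://` prefix with a 5-character code, and secrets pasted with spaces), as an added Python example that is not Bitwarden's or Auto-Type's own code. The function names are hypothetical, the Steam alphabet is the one in the Bitwarden source linked above, and stripping whitespace and padding before decoding is this example's assumption.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, urlsplit

STEAM_CHARS = "23456789BCDFGHJKMNPQRTVWXY"  # Steam Guard code alphabet

def decode_secret(text):
    """Base32-decode a secret as users paste it: spaces, lower case, no padding."""
    cleaned = "".join(text.split()).upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty TOTP secret")
    # b32decode raises binascii.Error (a ValueError) on non-base32 characters
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def parse_totp_field(field):
    """Return (key_bytes, digits, period, algorithm, is_steam) for a vault TOTP field."""
    field = field.strip()
    # Defaults first: the whole field is treated as the secret
    secret, digits, period, algo, steam = field, 6, 30, "sha1", False
    lowered = field.lower()
    if lowered.startswith("otpauth://"):
        params = parse_qs(urlsplit(field).query)
        secret = params.get("secret", [""])[0]
        digits = int(params.get("digits", [digits])[0])
        period = int(params.get("period", [period])[0])
        algo = params.get("algorithm", [algo])[0].lower()
    elif lowered.startswith("steam://"):
        secret, digits, steam = field[len("steam://"):], 5, True
    if algo not in ("sha1", "sha256", "sha512") or not 1 <= digits <= 10 or period <= 0:
        raise ValueError("unsupported TOTP parameters")
    return decode_secret(secret), digits, period, algo, steam

def totp(field, now=None):
    """Generate the code for a TOTP field at Unix time `now` (default: current time)."""
    key, digits, period, algo, steam = parse_totp_field(field)
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    if steam:
        out = ""
        for _ in range(digits):  # map the truncated value onto the Steam alphabet
            code, idx = divmod(code, len(STEAM_CHARS))
            out += STEAM_CHARS[idx]
        return out
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    rfc_secret = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"  # RFC 6238 test key, spaced (constructed)
    for field in (rfc_secret, "otpauth://totp/?secret=" + rfc_secret.replace(" ", ""), "steam://" + rfc_secret):
        print(field[:12], totp(field, now=59))
```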

gonna release the update with the fix so can be used?

Since it was an edge case I was waiting for either Bitwarden (login issue) or AutoHotkey (includes issue) bug fixes, but given that Bitwarden was recently updated and the behavior is still the same I guess it is an anti-bot mechanism that will be left as is.

So it is just a matter of merging the dev branch with master and a release, I'll do so as soon as possible.