constantoine/totp-rs

question - how to support steam?

Closed this issue · 11 comments

Steam Authenticator uses TOTP but with digits=5.

Is this something you're interested in supporting, somehow?

I'd love to see this as well!

It's not just digits=5, because the authenticator also shows alphabetic characters.

Here's an example implementation: https://github.com/ran-sama/python-steam-authenticator/blob/master/steam.py

@constantoine Just a small note, I was able to extract my Steam key without using Android (there's a desktop app and it stores the TOTP secret in a plaintext JSON file if you opt out of "encryption"). I think there's also a non-root Android method but I haven't tried. (I can't speak to the API changes, not experienced enough with writing Rust libs or using totp-rs to have thoughts!)

I also don't know enough about HOTP/TOTP, but if the Steam implementation of the actual underlying "math" is different, maybe it's not appropriate here, I'm not sure. I was hoping it was "same algorithm just with 5 instead of 6".

@colemickens huh, that's definitely interesting, I didn't know about that

It is actually the same maths, the only difference is once you get a numeric result, the way you display it is just a tad bit different
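The difference described in this thread, as an added Python example (not code from totp-rs or from the linked script): the HMAC-SHA1 step and RFC 4226 dynamic truncation are shared, and only the rendering of the 31-bit value changes. The 26-character alphabet is the commonly documented Steam Guard one and does not appear on this page; the function names are hypothetical, and the base32 secret is the placeholder from the `otpauth://` URI quoted in the thread.

```python
import base64
import hmac
import struct
import time

# Steam Guard alphabet (not from this page; ambiguous characters are omitted).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def truncate(secret: bytes, counter: int) -> int:
    """RFC 4226 dynamic truncation: HMAC-SHA1 over the counter, 31-bit result."""
    digest = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def render_decimal(value: int, digits: int = 6) -> str:
    """Standard HOTP/TOTP display: the low decimal digits, zero padded."""
    return str(value % 10 ** digits).zfill(digits)


def render_steam(value: int, length: int = 5) -> str:
    """Steam display: base-26 digits of the same value, least significant first."""
    chars = []
    for _ in range(length):
        value, idx = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[idx])
    return "".join(chars)


def steam_totp(secret_b32: str, now=None, period: int = 30) -> str:
    """Steam code for a base32 secret as carried in an otpauth:// URI."""
    secret = base64.b32decode(secret_b32.upper())
    timestamp = time.time() if now is None else now
    return render_steam(truncate(secret, int(timestamp) // period))


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret, counter 0: one value, two renderings.
    value = truncate(b"12345678901234567890", 0)
    print(value, render_decimal(value), render_steam(value))
    # Placeholder secret from the URI in this thread (not a real credential).
    print(steam_totp("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"))
```
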

@constantoine I'd be happy to implement an Algorithm::Steam behind a steam feature. Should I give that a try?

By the way, I do have a rooted phone. Aegis outputs Steam as:

otpauth://steam/Steam%3Atimvisee?period=30&digits=5&algorithm=SHA1&secret=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567&issuer=Steam

So that means:

  • a different path: steam
  • a : in the account name: `Steam:timvisee`
  • 5 digits
  • a different algorithm

The Issuer:AccountName part is nice/standard, so that won't be a problem

Usage of : is currently prevented by this:

totp-rs/src/lib.rs

Lines 265 to 267 in d460bd2

```rust
if account_name.contains(':') {
    return Err(TotpUrlError::AccountName(account_name));
}
```

I'll remove that then.

I see the confusion

When instantiating from the API, the lib asks for an Issuer and an AccountName

When parsing from a URL, it will need to be in the form of

otpauth://totp/Issuer:AccountName?issuer=Issuer

Since Issuer and AccountName are separated by a :, they can't contain : themselves

It seems that the account name is commonly encoded using URL encoding, which would mean it can contain a : as %3A, which is also what you see here: #45 (comment)

That means that the : check may be used in from_url. And that TOTP::get_url() should encode the account name. (edit: already done)

Hey @colemickens @timvisee, just a quick ping to tell you v4.1 has been released :)