With this change the "Add" button in the "Add account" page is not enabled
until the entered account name and details are valid. Additionally, the UI
for entering the token secret now uses a password field with appropriate
hints for input methods.
This change fixes input validation for the following cases:
- Check that entered account names are still available
- Working validation for time steps (input mask was completely broken)
- Allow longer tokens: liboath is no longer used, Keysmith can handle it
Additionally the QML code is refactored significantly:
- Extracted the main accounts overview page
- Extracted the add an account page
- Completed the internal renaming of "Oath" to "Keysmith" for QML types
This change is a workaround for behaviour of QML controls: when fixup is
called during input validation, the `acceptableInput` property is not
updated correctly.
Provide a building block towards re-implementing the HOTP/TOTP
algorithms without using oath-toolkit: see issue #9.
The hmac::compute function trades simplicity (having to pre-allocate
a scratch buffer) for avoding accidental leaks of key material
(security).
This particular trade-off will help with resolving issue #6.
Provide a custom base32 implementation; relates to issues: #9 and #6.
In particular being able to control memory allocation prior to
decoding base32 will help with resolving issue #6 in a (more) secure
fashion.
* do cmake_minimum_required as first thing, as recommended
* bump KF to 5.37, first release with Kirigami (Qt 5.7 matching min dep)
* use KF5_MIN_VERSION also with ECM
* include KDE CMake settings as first
* remove unused cmake includes
* remove duplicated enable_testing()
* use correct KDEInstallDirs variables
The account details page has a kind of modality:
- hide mode: in which the user is shown the account info but sensitive information such as secret keys should not be displayed openly visible.
- show mode: the same, but in this case all details are openly visible. This will be useful for showing QR codes explicitly.
- edit mode: in which the user may edit account details (all except the name).
- Add a new static library "validator_lib" covering the "validators" namespace in C++
- Introduce the Base32Validator to perform input field validation with fixup support
Due to our use of liboath for generating the actual tokens, we also support only a limited range of valid token lengths.
This means that it is more user friendly to express those limits directly in the UI through a SpinBox instead of allowing the user type in values we do not currently support.
It uses the oath-toolkit[1] provided library liboath to generate the 2FA
codes, both TOTP and HOTP based. Currently it is largely untested. From
initial rough testing it seems that auto-refreshing of code is not
working. Also button to refresh token for HOTP is also dummy at moment.
Some todo items include,
- Verify the generated oath code is correct
- Make refreshing token work
- QR code scanning
- Backup and Restore of accounts
- Clipboard support to automatically copy code.
- Encrypted storage of the secret token
This code is largely based on the authenticator-ng[2] application by the
Rodney Dawes and Michael Zanetti for the Ubuntu Touch.
[1] https://www.nongnu.org/oath-toolkit/
[2] https://github.com/dobey/authenticator-ng
Johan Ouwerkerk
Yuri Chornoivan
Nicolas Fella
Bhushan Shah
Friedrich W. H. Kossebau