URL is not stripped when scanning a OTP QR Code #1323

Closed
opened 2025-11-26 22:44:37 -06:00 by GiteaMirror · 4 comments

Originally created by @davidkassa on GitHub (Aug 3, 2021).

Describe the Bug

Scanning a QR code that contains a protocol prefix, such as NPM or Github fills the TOTP field with otpauth://totp/<app>?secret=<OTP_Code>&issuer=<issuer> with possibly some other variants. The expected result would be to fill it only with the secret.

Steps To Reproduce

  1. Go to NPMJS.com or google image search TOTP QR Codes
  2. Scan the QR Code while in the TOTP field
  3. See the mess
  4. Fuddle your way through to delete all the unnecessary bits.

Expected Result

The expected result would be to fill it only with the secret and strip all the other bits

Actual Result

Difficult and bad user experience

Screenshots or Videos

Environment

  • Device: [e.g. iPhone6] iPhone XS Max
  • Operating system: [e.g. iOS 8.1] iOS 14
  • Build Version (go to "Settings" → "About" in the app): [e.g. 2.3.0 (2221)]
  • Is this a Beta release? [Y/N] N

Additional Context

Bonus points if you get the protocol handler working so that when I scan it with my phone it auto-links into Bitwarden somehow. This seems to work with Microsoft Authenticator.


@clayadams5226 commented on GitHub (Oct 28, 2021):

Hey @davidkassa, this was actually done by design and is working as intended. The Bitwarden Community Forums has a section for submitting, voting for, and discussing product feature requests like this one.

Please sign up on our forums and search to see if this request already exists. If so, you can vote for it and contribute to any discussions about it. If not, you can re-create the request there so that it can be properly tracked.

This issue will now be closed. Thanks!


@davidkassa commented on GitHub (Oct 28, 2021):

By design? What is the use case where this design is the desired behavior? (I don't mean to sound confrontational- I'm honestly curious and can't think of one)


@kspearrin commented on GitHub (Oct 28, 2021):

@davidkassa The otpauth scheme provides the ability to set more parameters that control how TOTP codes are generated. Without the scheme we use the typical defaults, but it can change and the full URL allows us to parse that. See https://bitwarden.com/help/article/authenticator-keys/#support-for-more-parameters
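
The behaviour described in the comment above, as an added example that is not part of the original thread and is not Bitwarden's code: a field parser that accepts either a bare secret or a full otpauth://totp/ URI and generates codes from whatever parameters it finds. The names `parse_totp_field` and `totp` are hypothetical, the sample URI is constructed from the RFC 6238 test secret, and SHA1 / 6 digits / 30 seconds are assumed to be the "typical defaults".

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlsplit

# RFC 6238 defaults, assumed here to be the "typical defaults" the comment means.
DEFAULTS = {"algorithm": "SHA1", "digits": 6, "period": 30}
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: RFC 6238 test secret with a made-up label and issuer.
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&digits=8")


def parse_totp_field(value):
    """Accept a bare Base32 secret or a full otpauth://totp/ URI (hypothetical helper)."""
    cfg = dict(DEFAULTS)
    value = value.strip()
    if value.lower().startswith("otpauth://"):
        url = urlsplit(value)
        if url.netloc.lower() != "totp":
            raise ValueError("only otpauth://totp/ is handled here")
        query = parse_qs(url.query)
        if "secret" not in query:
            raise ValueError("otpauth URI has no secret parameter")
        value = query["secret"][0]
        cfg["algorithm"] = query.get("algorithm", ["SHA1"])[0].upper()
        cfg["digits"] = int(query.get("digits", ["6"])[0])
        cfg["period"] = int(query.get("period", ["30"])[0])
    if cfg["algorithm"] not in HASHES:
        raise ValueError("unsupported algorithm")
    if not 6 <= cfg["digits"] <= 8 or cfg["period"] <= 0:
        raise ValueError("digits or period out of range")  # bounds are this example's own
    # Issuers often drop padding, add spaces or use lower case; normalise first.
    b32 = value.replace(" ", "").upper().rstrip("=")
    if not b32:
        raise ValueError("empty secret")
    cfg["key"] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return cfg


def totp(cfg, unix_time):
    """RFC 6238 code at unix_time, using the parsed parameters."""
    counter = struct.pack(">Q", int(unix_time) // cfg["period"])
    mac = hmac.new(cfg["key"], counter, HASHES[cfg["algorithm"]]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** cfg["digits"]).zfill(cfg["digits"])
```

Reducing `SAMPLE_URI` to its bare secret would silently fall back to 6-digit codes, which the issuing site would reject; keeping the whole URI preserves the issuer's parameters.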


@davidkassa commented on GitHub (Oct 28, 2021):

oh, I see. You can actually save the entire scheme in the field and it will work. That was not clear to me.

Thank you.

On Thu, Oct 28, 2021 at 9:17 AM Kyle Spearrin wrote:

> @davidkassa https://github.com/davidkassa The otpauth scheme provides
> the ability to set more parameters that control how TOTP codes are
> generated. Without the scheme we use the typical defaults, but it can
> change and the full URL allows us to parse that. See
> https://bitwarden.com/help/article/authenticator-keys/#support-for-more-parameters



Reference: github-starred/android#1323