feat: implement TOTP

Author: dbohdan

README.md

@@ -277,6 +277,29 @@ pago cannot retrieve tables.
 
 If you show or clip a TOML entry without `--key`, the entire TOML document is returned.
 
+### TOTP
+
+pago can generate [time-based one-time passwords (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password) from a [TOML entry](#toml-entries).
+To use this feature, store the `otpauth://` URI in a key named `otp`.
+
+```shell
+pago add -m services/my-service <<EOF
+user = "jdoe"
+otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"
+EOF
+```
+
+When you use `show` or `clip` with the key `otp`, pago will generate and output a TOTP code.
+
+```shell
+# Show the TOTP code.
+pago show -k otp services/my-service
+# => 123456
+
+# Copy the TOTP code to the clipboard.
+pago clip -k otp services/my-service
+```
+
 ### Agent
 
 The agent keeps your identities in memory to avoid repeated password prompts.

cmd/pago/main.go

@@ -37,6 +37,8 @@ import (
 	"github.com/alecthomas/repr"
 	"github.com/anmitsu/go-shlex"
 	gitConfig "github.com/go-git/go-git/v5/config"
+	"github.com/pquerna/otp"
+	"github.com/pquerna/otp/totp"
 )
 
 type CLI struct {
@@ -295,6 +297,62 @@ func englishPlural(singular, plural string, count int) string {
 	return plural
 }
 
+func decryptEntry(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string) (string, error) {
+	if agentSocket == "" {
+		return crypto.DecryptEntry(identities, passwordStore, name)
+	}
+
+	file, err := pago.EntryFile(passwordStore, name)
+	if err != nil {
+		return "", err
+	}
+
+	encryptedData, err := os.ReadFile(file)
+	if err != nil {
+		return "", fmt.Errorf("failed to read password file: %v", err)
+	}
+
+	if err := agent.Ping(agentSocket); err != nil {
+		// Ping failed.
+		// Attempt to start the agent.
+		identitiesText, err := crypto.DecryptIdentities(identities)
+		if err != nil {
+			return "", err
+		}
+
+		if err := agent.StartProcess(agentExecutable, agentExpire, agentMemlock, agentSocket, identitiesText); err != nil {
+			return "", fmt.Errorf("failed to start agent: %v", err)
+		}
+	}
+
+	content, err := agent.Decrypt(agentSocket, encryptedData)
+	if err != nil {
+		return "", err
+	}
+
+	return content, nil
+}
+
+func getOTP(otpURL string) (string, error) {
+	otpKey, err := otp.NewKeyFromURL(otpURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse otpauth URL: %w", err)
+	}
+
+	opts := totp.ValidateOpts{
+		Period:    uint(otpKey.Period()),
+		Digits:    otpKey.Digits(),
+		Algorithm: otpKey.Algorithm(),
+	}
+
+	code, err := totp.GenerateCodeCustom(otpKey.Secret(), time.Now(), opts)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate TOTP code: %w", err)
+	}
+
+	return code, nil
+}
+
 func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name, key string) (string, error) {
 	content, err := decryptEntry(agentExecutable, agentExpire, agentMemlock, agentSocket, identities, passwordStore, name)
 	if err != nil {
@@ -322,7 +380,13 @@ func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock
 		return "", fmt.Errorf("key %q in entry %q is a table", key, name)
 
 	case reflect.String:
-		return v.String(), nil
+		s := v.String()
+
+		if key == "otp" {
+			return getOTP(s)
+		}
+
+		return s, nil
 	}
 
 	var buf bytes.Buffer
@@ -334,42 +398,6 @@ func getPassword(agentExecutable string, agentExpire time.Duration, agentMemlock
 	return buf.String(), nil
 }
 
-func decryptEntry(agentExecutable string, agentExpire time.Duration, agentMemlock bool, agentSocket, identities, passwordStore, name string) (string, error) {
-	if agentSocket == "" {
-		return crypto.DecryptEntry(identities, passwordStore, name)
-	}
-
-	file, err := pago.EntryFile(passwordStore, name)
-	if err != nil {
-		return "", err
-	}
-
-	encryptedData, err := os.ReadFile(file)
-	if err != nil {
-		return "", fmt.Errorf("failed to read password file: %v", err)
-	}
-
-	if err := agent.Ping(agentSocket); err != nil {
-		// Ping failed.
-		// Attempt to start the agent.
-		identitiesText, err := crypto.DecryptIdentities(identities)
-		if err != nil {
-			return "", err
-		}
-
-		if err := agent.StartProcess(agentExecutable, agentExpire, agentMemlock, agentSocket, identitiesText); err != nil {
-			return "", fmt.Errorf("failed to start agent: %v", err)
-		}
-	}
-
-	content, err := agent.Decrypt(agentSocket, encryptedData)
-	if err != nil {
-		return "", err
-	}
-
-	return content, nil
-}
-
 func (cmd *ClipCmd) Run(config *Config) error {
 	if config.Verbose {
 		printRepr(cmd)

go.mod

@@ -15,6 +15,8 @@ require (
 	github.com/charmbracelet/lipgloss v1.1.0
 	github.com/go-git/go-git/v5 v5.16.2
 	github.com/ktr0731/go-fuzzyfinder v0.9.0
+	github.com/pquerna/otp v1.5.0
+	github.com/stretchr/testify v1.10.0
 	github.com/tidwall/redcon v1.6.2
 	github.com/valkey-io/valkey-go v1.0.64
 	github.com/xlab/treeprint v1.2.0
@@ -29,13 +31,15 @@ require (
 	github.com/ProtonMail/go-crypto v1.3.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/charmbracelet/colorprofile v0.3.2 // indirect
 	github.com/charmbracelet/x/ansi v0.10.1 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/creack/pty v1.1.17 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/gdamore/encoding v1.0.1 // indirect
@@ -56,6 +60,7 @@ require (
 	github.com/nsf/termbox-go v1.1.1 // indirect
 	github.com/pjbgf/sha1cd v0.4.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sergi/go-diff v1.4.0 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
@@ -68,4 +73,5 @@ require (
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -35,6 +35,8 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymanbagabas/go-udiff v0.2.0 h1:TK0fH4MteXUDspT88n8CKzvK0X9O2xu9yQjWpi6yML8=
 github.com/aymanbagabas/go-udiff v0.2.0/go.mod h1:RE4Ex0qsGkTAJoQdQQCA0uG+nAzJO/pI/QwceO5fgrA=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
 github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
 github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
@@ -126,6 +128,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
+github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -138,6 +142,7 @@ github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnB
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

test/e2e_test.go

@@ -777,6 +777,78 @@ qux = {"key" = "value"}
 	}
 }
 
+func TestShowOTP(t *testing.T) {
+	_, err := withPagoDir(func(dataDir string) (string, error) {
+		// Add a TOML entry with a 6-digit otpauth URI.
+		cmd := exec.Command(commandPago, "--dir", dataDir, "add", "otp-test-6digit", "--multiline")
+		// Example URI from https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+		cmd.Stdin = strings.NewReader(`otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"`)
+		var stdout, stderr bytes.Buffer
+		cmd.Stdout = &stdout
+		cmd.Stderr = &stderr
+		err := cmd.Run()
+		if err != nil {
+			return stdout.String() + "\n" + stderr.String(), err
+		}
+
+		// Add another TOML entry with an 8-digit otpauth URI.
+		cmd = exec.Command(commandPago, "--dir", dataDir, "add", "otp-test-8digit", "--multiline")
+		cmd.Stdin = strings.NewReader(`otp = "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=sha256&digits=8"`)
+		cmd.Stdout = &stdout
+		cmd.Stderr = &stderr
+		err = cmd.Run()
+		if err != nil {
+			return stdout.String() + "\n" + stderr.String(), err
+		}
+
+		checkOTP := func(entryName, expectedPattern string) error {
+			var buf bytes.Buffer
+			c, err := expect.NewConsole()
+			if err != nil {
+				return fmt.Errorf("failed to create console: %w", err)
+			}
+			defer c.Close()
+
+			cmd := exec.Command(commandPago, "--dir", dataDir, "--socket", "", "show", "--key", "otp", entryName)
+			cmd.Stdin = c.Tty()
+			cmd.Stdout = &buf
+			cmd.Stderr = c.Tty()
+
+			err = cmd.Start()
+			if err != nil {
+				return fmt.Errorf("failed to start command for key 'otp': %w", err)
+			}
+
+			_, _ = c.ExpectString("Enter password")
+			_, _ = c.SendLine(password)
+
+			err = cmd.Wait()
+			if err != nil {
+				return fmt.Errorf("command failed for key 'otp': %w", err)
+			}
+
+			output := strings.TrimSpace(buf.String())
+			if matched, _ := regexp.MatchString(expectedPattern, output); !matched {
+				return fmt.Errorf("expected OTP matching %q, got %q", expectedPattern, output)
+			}
+			return nil
+		}
+
+		if err := checkOTP("otp-test-6digit", `^\d{6}$`); err != nil {
+			return "", err
+		}
+
+		if err := checkOTP("otp-test-8digit", `^\d{8}$`); err != nil {
+			return "", err
+		}
+
+		return "", nil
+	})
+	if err != nil {
+		t.Errorf("Command `show --key otp` failed: %v", err)
+	}
+}
+
 func TestShowTree(t *testing.T) {
 	output, err := withPagoDir(func(dataDir string) (string, error) {
 		for _, name := range []string{"foo", "bar", "baz"} {