Do not include any padding in the otpauth URI

csware · csware · commit da4704f380da · 2025-11-08T22:22:48.000+01:00
The IETF draft-linuxgemini-otpauth-uri-02 recommends to not include the padding in Section 3.3.1. cf. https://www.ietf.org/archive/id/draft-linuxgemini-otpauth-uri-02.html#section-3.3.1 (fixes issue #12540) Signed-off-by: Sven Strickroth <email@cs-ware.de>
diff --git a/src/core/Totp.cpp b/src/core/Totp.cpp
@@ -26,6 +26,7 @@
 #include <QUrlQuery>
 #include <QVariant>
 #include <QtEndian>
+#include <QRegularExpression>
 
 #include <cmath>
 
@@ -180,7 +181,7 @@ QString Totp::writeSettings(const QSharedPointer<Totp::Settings>& settings,
         auto urlstring = QString("otpauth://totp/%1:%2?secret=%3&period=%4&digits=%5&issuer=%1")
                              .arg(title.isEmpty() ? "KeePassXC" : QString(QUrl::toPercentEncoding(title)),
                                   username.isEmpty() ? "none" : QString(QUrl::toPercentEncoding(username)),
-                                  QString(QUrl::toPercentEncoding(Base32::sanitizeInput(settings->key.toLatin1()))),
+                                  QString(Base32::sanitizeInput(settings->key.toLatin1())).remove(QRegularExpression("=+$")),
                                   QString::number(settings->step),
                                   QString::number(settings->digits));
 
diff --git a/tests/TestTotp.cpp b/tests/TestTotp.cpp
@@ -107,6 +107,18 @@ void TestTotp::testParseSecret()
     QVERIFY(settings.isNull());
 }
 
+void TestTotp::testTotpWriteSettings()
+{
+    auto settings1 = Totp::createSettings("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", Totp::DEFAULT_DIGITS, Totp::DEFAULT_STEP);
+    QCOMPARE(Totp::writeSettings(settings1, "ACME Co", "john", true), "otpauth://totp/ACME%20Co:john?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&period=30&digits=6&issuer=ACME%20Co");
+
+    auto settings2 = Totp::createSettings("63BEDWCQZKTQWPESARIERL5DTTQFCJTK", 3, 25);
+    QCOMPARE(Totp::writeSettings(settings2, "ACME Co", "", true), "otpauth://totp/ACME%20Co:none?secret=63BEDWCQZKTQWPESARIERL5DTTQFCJTK&period=25&digits=3&issuer=ACME%20Co");
+
+    auto settings3 = Totp::createSettings("HXDMVJECJJWSRBY", Totp::DEFAULT_DIGITS, Totp::DEFAULT_STEP);
+    QCOMPARE(Totp::writeSettings(settings3, "", "john", true), "otpauth://totp/KeePassXC:john?secret=HXDMVJECJJWSRBY&period=30&digits=6&issuer=KeePassXC");
+}
+
 void TestTotp::testTotpCode()
 {
     // Test vectors from RFC 6238
diff --git a/tests/TestTotp.h b/tests/TestTotp.h
@@ -28,6 +28,7 @@ class TestTotp : public QObject
 private slots:
     void initTestCase();
     void testParseSecret();
+    void testTotpWriteSettings();
     void testTotpCode();
     void testSteamTotp();
     void testEntryHistory();
