Make getGoogleAuthenticatorUsername and getTotpAuthenticationUsername nullable, #293

scheb · scheb · commit c90c6857fb36 · 2026-01-04T14:15:38.000+01:00
No need to return an empty string, can return null to have a record with issuer only in the TOTP app.
diff --git a/doc/providers/google.rst b/doc/providers/google.rst
@@ -76,7 +76,7 @@ Authenticator for a user, generate a secret code and persist it with the user en
                return null !== $this->googleAuthenticatorSecret;
            }
 
-           public function getGoogleAuthenticatorUsername(): string
+           public function getGoogleAuthenticatorUsername(): ?string
            {
                return $this->username;
            }
@@ -114,7 +114,7 @@ Authenticator for a user, generate a secret code and persist it with the user en
                return null !== $this->googleAuthenticatorSecret;
            }
 
-           public function getGoogleAuthenticatorUsername(): string
+           public function getGoogleAuthenticatorUsername(): ?string
            {
                return $this->username;
            }
diff --git a/src/google-authenticator/Model/Google/TwoFactorInterface.php b/src/google-authenticator/Model/Google/TwoFactorInterface.php
@@ -14,7 +14,7 @@ public function isGoogleAuthenticatorEnabled(): bool;
     /**
      * Return the user name. This is used in QR code generation to display the username in the TOTP app.
      */
-    public function getGoogleAuthenticatorUsername(): string;
+    public function getGoogleAuthenticatorUsername(): string|null;
 
     /**
      * Return the Google Authenticator secret
diff --git a/src/google-authenticator/Security/TwoFactor/Provider/Google/GoogleTotpFactory.php b/src/google-authenticator/Security/TwoFactor/Provider/Google/GoogleTotpFactory.php
@@ -9,6 +9,7 @@
 use Psr\Clock\ClockInterface;
 use Scheb\TwoFactorBundle\Model\Google\TwoFactorInterface;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Exception\TwoFactorProviderLogicException;
+use function assert;
 use function strlen;
 
 /**
@@ -34,13 +35,22 @@ public function createTotpForUser(TwoFactorInterface $user): TOTPInterface
         /** @psalm-suppress ArgumentTypeCoercion */
         $totp = TOTP::create($secret, 30, 'sha1', $this->digits, clock: $this->clock);
 
-        $userAndHost = $user->getGoogleAuthenticatorUsername().(null !== $this->server && $this->server ? '@'.$this->server : '');
+        $usernameLabel = $user->getGoogleAuthenticatorUsername() ?? '';
+        $serverLabel = $this->server ?? '';
+        $userAndHost = $usernameLabel.('' !== $usernameLabel && '' !== $serverLabel ? '@' : '').$serverLabel;
         if ('' !== $userAndHost) {
             $totp->setLabel($userAndHost);
         }
 
-        if (null !== $this->issuer && $this->issuer) {
+        if (null !== $this->issuer && '' !== $this->issuer) {
             $totp->setIssuer($this->issuer);
+
+            // Omit the issuer parameter, when the issuer is the only value set.
+            // Otherwise FreeOTP app will show the issuer name twice.
+            if (null === $totp->getLabel()) {
+                $totp = $totp->withIssuerIncludedAsParameter(false);
+                assert($totp instanceof TOTP);
+            }
         }
 
         return $totp;
diff --git a/src/totp/Model/Totp/TwoFactorInterface.php b/src/totp/Model/Totp/TwoFactorInterface.php
@@ -15,7 +15,7 @@ public function isTotpAuthenticationEnabled(): bool;
      * Return the user name. This is used in QR code generation to display the username in the TOTP app. Return an
      * empty string, if you don't want it to show up in the app.
      */
-    public function getTotpAuthenticationUsername(): string;
+    public function getTotpAuthenticationUsername(): string|null;
 
     /**
      * Return the configuration for TOTP authentication.
diff --git a/src/totp/Security/TwoFactor/Provider/Totp/TotpFactory.php b/src/totp/Security/TwoFactor/Provider/Totp/TotpFactory.php
@@ -9,6 +9,7 @@
 use Psr\Clock\ClockInterface;
 use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Exception\TwoFactorProviderLogicException;
+use function assert;
 use function strlen;
 
 /**
@@ -48,13 +49,22 @@ public function createTotpForUser(TwoFactorInterface $user): TOTPInterface
             clock: $this->clock,
         );
 
-        $userAndHost = $user->getTotpAuthenticationUsername().(null !== $this->server && $this->server ? '@'.$this->server : '');
+        $usernameLabel = $user->getTotpAuthenticationUsername() ?? '';
+        $serverLabel = $this->server ?? '';
+        $userAndHost = $usernameLabel.('' !== $usernameLabel && '' !== $serverLabel ? '@' : '').$serverLabel;
         if ('' !== $userAndHost) {
             $totp->setLabel($userAndHost);
         }
 
-        if (null !== $this->issuer && $this->issuer) {
+        if (null !== $this->issuer && '' !== $this->issuer) {
             $totp->setIssuer($this->issuer);
+
+            // Omit the issuer parameter, when the issuer is the only value set.
+            // Otherwise FreeOTP app will show the issuer name twice.
+            if (null === $totp->getLabel()) {
+                $totp = $totp->withIssuerIncludedAsParameter(false);
+                assert($totp instanceof TOTP);
+            }
         }
 
         foreach ($this->customParameters as $key => $value) {
diff --git a/tests/Security/TwoFactor/Provider/Google/GoogleTotpFactoryTest.php b/tests/Security/TwoFactor/Provider/Google/GoogleTotpFactoryTest.php
@@ -22,13 +22,13 @@ class GoogleTotpFactoryTest extends TestCase
     private const int CUSTOM_DIGITS = 8;
     private const int DEFAULT_DIGITS = 6;
 
-    private function createUserMock(string|null $secret = self::SECRET): MockObject&TwoFactorInterface
+    private function createUserMock(string|null $secret = self::SECRET, string|null $username = self::USER_NAME): MockObject&TwoFactorInterface
     {
         $user = $this->createMock(TwoFactorInterface::class);
         $user
             ->expects($this->any())
             ->method('getGoogleAuthenticatorUsername')
-            ->willReturn(self::USER_NAME);
+            ->willReturn($username);
         $user
             ->expects($this->any())
             ->method('getGoogleAuthenticatorSecret')
@@ -70,9 +70,9 @@ public function createTotpForUser_factoryCalled_returnTotpObject(): void
 
     #[Test]
     #[DataProvider('provideHostnameAndIssuer')]
-    public function getProvisioningUri_hostnameAndIssuerGiven_returnProvisioningUri(string|null $hostname, string|null $issuer, int $digits, string $expectedUrl): void
+    public function getProvisioningUri_hostnameAndIssuerGiven_returnProvisioningUri(string|null $username, string|null $hostname, string|null $issuer, int $digits, string $expectedUrl): void
     {
-        $user = $this->createUserMock();
+        $user = $this->createUserMock(username: $username);
         $totp = (new GoogleTotpFactory($hostname, $issuer, $digits))->createTotpForUser($user);
 
         $returnValue = $totp->getProvisioningUri();
@@ -85,11 +85,13 @@ public function getProvisioningUri_hostnameAndIssuerGiven_returnProvisioningUri(
     public static function provideHostnameAndIssuer(): array
     {
         return [
-            [null, null, self::DEFAULT_DIGITS, 'otpauth://totp/User%20Name?secret=SECRET'],
-            [self::SERVER, null, self::DEFAULT_DIGITS, 'otpauth://totp/User%20Name%40Server?secret=SECRET'],
-            [null, self::ISSUER, self::DEFAULT_DIGITS, 'otpauth://totp/Issuer%20Name%3AUser%20Name?issuer=Issuer%20Name&secret=SECRET'],
-            [self::SERVER, self::ISSUER, self::DEFAULT_DIGITS, 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server?issuer=Issuer%20Name&secret=SECRET'],
-            [self::SERVER, self::ISSUER, self::CUSTOM_DIGITS, 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server?digits=8&issuer=Issuer%20Name&secret=SECRET'],
+            [null, null, self::ISSUER, self::DEFAULT_DIGITS, 'otpauth://totp/Issuer%20Name?secret=SECRET'],
+            [null, self::SERVER, self::ISSUER, self::DEFAULT_DIGITS, 'otpauth://totp/Issuer%20Name%3AServer?issuer=Issuer%20Name&secret=SECRET'],
+            [self::USER_NAME, null, null, self::DEFAULT_DIGITS, 'otpauth://totp/User%20Name?secret=SECRET'],
+            [self::USER_NAME, self::SERVER, null, self::DEFAULT_DIGITS, 'otpauth://totp/User%20Name%40Server?secret=SECRET'],
+            [self::USER_NAME, null, self::ISSUER, self::DEFAULT_DIGITS, 'otpauth://totp/Issuer%20Name%3AUser%20Name?issuer=Issuer%20Name&secret=SECRET'],
+            [self::USER_NAME, self::SERVER, self::ISSUER, self::DEFAULT_DIGITS, 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server?issuer=Issuer%20Name&secret=SECRET'],
+            [self::USER_NAME, self::SERVER, self::ISSUER, self::CUSTOM_DIGITS, 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server?digits=8&issuer=Issuer%20Name&secret=SECRET'],
         ];
     }
 }
diff --git a/tests/Security/TwoFactor/Provider/Totp/TotpFactoryTest.php b/tests/Security/TwoFactor/Provider/Totp/TotpFactoryTest.php
@@ -29,13 +29,13 @@ class TotpFactoryTest extends TestCase
     private const int DIGITS = 8;
     private const string ALGORITHM = TotpConfiguration::ALGORITHM_SHA256;
 
-    private function createUserMock(bool $hasTotpConfiguration = true, string|null $secret = self::SECRET): MockObject&TwoFactorInterface
+    private function createUserMock(bool $hasTotpConfiguration = true, string|null $secret = self::SECRET, string|null $username = self::USER_NAME): MockObject&TwoFactorInterface
     {
         $user = $this->createMock(TwoFactorInterface::class);
         $user
             ->expects($this->any())
             ->method('getTotpAuthenticationUsername')
-            ->willReturn(self::USER_NAME);
+            ->willReturn($username);
 
         $config = $hasTotpConfiguration ? new TotpConfiguration($secret, self::ALGORITHM, self::PERIOD, self::DIGITS) : null;
         $user
@@ -86,9 +86,9 @@ public function createTotpForUser_factoryCalled_returnTotpObject(): void
      */
     #[Test]
     #[DataProvider('provideHostnameAndIssuer')]
-    public function getProvisioningUri_hostnameAndIssuerGiven_returnProvisioningUri(string|null $hostname, string|null $issuer, array $customParameters, string $expectedUrl): void
+    public function getProvisioningUri_hostnameAndIssuerGiven_returnProvisioningUri(string|null $username, string|null $hostname, string|null $issuer, array $customParameters, string $expectedUrl): void
     {
-        $user = $this->createUserMock();
+        $user = $this->createUserMock(username: $username);
         $totp = (new TotpFactory($hostname, $issuer, $customParameters))->createTotpForUser($user);
 
         $returnValue = $totp->getProvisioningUri();
@@ -101,12 +101,14 @@ public function getProvisioningUri_hostnameAndIssuerGiven_returnProvisioningUri(
     public static function provideHostnameAndIssuer(): array
     {
         return [
-            [null, null, [], 'otpauth://totp/User%20Name?algorithm=sha256&digits=8&period=20&secret=SECRET'],
-            [self::SERVER, null, [], 'otpauth://totp/User%20Name%40Server%20Name?algorithm=sha256&digits=8&period=20&secret=SECRET'],
-            [null, self::ISSUER, [], 'otpauth://totp/Issuer%20Name%3AUser%20Name?algorithm=sha256&digits=8&issuer=Issuer%20Name&period=20&secret=SECRET'],
-            [null, null, self::CUSTOM_PARAMETERS, 'otpauth://totp/User%20Name?algorithm=sha256&digits=8&image=logo.png&period=20&secret=SECRET'],
-            [self::SERVER, self::ISSUER, [], 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server%20Name?algorithm=sha256&digits=8&issuer=Issuer%20Name&period=20&secret=SECRET'],
-            [self::SERVER, self::ISSUER, self::CUSTOM_PARAMETERS, 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server%20Name?algorithm=sha256&digits=8&image=logo.png&issuer=Issuer%20Name&period=20&secret=SECRET'],
+            [null, null, self::ISSUER, [], 'otpauth://totp/Issuer%20Name?algorithm=sha256&digits=8&period=20&secret=SECRET'],
+            [null, self::SERVER, self::ISSUER, [], 'otpauth://totp/Issuer%20Name%3AServer%20Name?algorithm=sha256&digits=8&issuer=Issuer%20Name&period=20&secret=SECRET'],
+            [self::USER_NAME, null, null, [], 'otpauth://totp/User%20Name?algorithm=sha256&digits=8&period=20&secret=SECRET'],
+            [self::USER_NAME, self::SERVER, null, [], 'otpauth://totp/User%20Name%40Server%20Name?algorithm=sha256&digits=8&period=20&secret=SECRET'],
+            [self::USER_NAME, null, self::ISSUER, [], 'otpauth://totp/Issuer%20Name%3AUser%20Name?algorithm=sha256&digits=8&issuer=Issuer%20Name&period=20&secret=SECRET'],
+            [self::USER_NAME, null, null, self::CUSTOM_PARAMETERS, 'otpauth://totp/User%20Name?algorithm=sha256&digits=8&image=logo.png&period=20&secret=SECRET'],
+            [self::USER_NAME, self::SERVER, self::ISSUER, [], 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server%20Name?algorithm=sha256&digits=8&issuer=Issuer%20Name&period=20&secret=SECRET'],
+            [self::USER_NAME, self::SERVER, self::ISSUER, self::CUSTOM_PARAMETERS, 'otpauth://totp/Issuer%20Name%3AUser%20Name%40Server%20Name?algorithm=sha256&digits=8&image=logo.png&issuer=Issuer%20Name&period=20&secret=SECRET'],
         ];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ Authenticator for a user, generate a secret code and persist it with the user en`
`76`	`76`	`return null !== $this->googleAuthenticatorSecret;`
`77`	`77`	`}`
`78`	`78`
`79`		`- public function getGoogleAuthenticatorUsername(): string`
	`79`	`+ public function getGoogleAuthenticatorUsername(): ?string`
`80`	`80`	`{`
`81`	`81`	`return $this->username;`
`82`	`82`	`}`
`@@ -114,7 +114,7 @@ Authenticator for a user, generate a secret code and persist it with the user en`
`114`	`114`	`return null !== $this->googleAuthenticatorSecret;`
`115`	`115`	`}`
`116`	`116`
`117`		`- public function getGoogleAuthenticatorUsername(): string`
	`117`	`+ public function getGoogleAuthenticatorUsername(): ?string`
`118`	`118`	`{`
`119`	`119`	`return $this->username;`
`120`	`120`	`}`