feat: support create/drop totp_secret statement

[localvar]

Description

support create/dorp totp_secret statement.

Issue(s)

• Close/close/Fix/fix/Resolve/resolve: Issue Link

Checklist

Please check the items in the checklist if applicable.

• Is the user manual updated?
• Are the test cases passed and automated?
• Is there no significant decrease in test coverage?

[gemini-code-assist]

Summary of Changes

Hello @localvar, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances user security by introducing dedicated SQL statements for managing Time-based One-Time Password (TOTP) secrets, moving away from a deprecated user option. It also adds a new granular control for user resource allocation related to vnodes. These changes provide more robust authentication mechanisms and finer-grained resource management within the system.

Highlights

• TOTP Secret Management: Introduced new SQL statements: CREATE TOTP_SECRET FOR USER <user_name> to generate or update a user's TOTP secret, and DROP TOTP_SECRET FROM USER <user_name> to remove it, enhancing two-factor authentication capabilities.
• Deprecated TOTPSEED: The TOTPSEED option previously used in CREATE USER and ALTER USER statements is now deprecated, with the new CREATE/DROP TOTP_SECRET statements serving as the preferred method for managing TOTP secrets.
• New User Resource Control: Added a new user-level resource control option, VNODE_PER_CALL, to CREATE USER and ALTER USER statements, allowing administrators to limit the maximum number of vnodes a single call can involve.
• Documentation and Test Updates: The English and Chinese user manuals have been updated to reflect the new TOTP secret management commands and the VNODE_PER_CALL option. Client-side tests and shell auto-completion have also been adjusted accordingly.
• Secure Random Generation: Implemented taosSafeRandBytes to generate cryptographically secure random bytes for TOTP secrets, utilizing OS-specific secure random number generators.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for CREATE TOTP_SECRET and DROP TOTP_SECRET statements, which is a great enhancement for user security. The implementation spans across documentation, client, server, and parser components.

My review has identified a few issues, including two critical ones:

1. A security vulnerability in taosSafeRandBytes where it falls back to an insecure random number generator.
2. A memory corruption bug in the client-side message handler buildCreateTotpSecretBlock.

I've also found some minor issues like a typo in the English documentation and some inconsistencies. Please see the detailed comments.

A couple of other points:

• The PR description has a typo: "dorp" should be "drop".
• The changes related to VNODE_PER_CALL seem unrelated to this feature. It might be better to move them to a separate pull request to keep this one focused.

Overall, this is a good feature addition, but the critical issues must be addressed before merging.

[Copilot]

Pull request overview

This PR adds support for CREATE/DROP TOTP_SECRET statements to replace the deprecated TOTPSEED approach in TDengine. The changes introduce a new SQL syntax for managing TOTP secrets that provides better security and usability.

Key changes:

• Introduces CREATE TOTP_SECRET FOR USER <user_name> and DROP TOTP_SECRET FROM USER <user_name> statements
• Removes deprecated TOTPSEED user option and generate_totp_secret() function from autocomplete
• Implements secure random byte generation using system cryptographic functions
• Adds base32 encoding for TOTP secret display
• Updates documentation in both English and Chinese

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tools/shell/src/shellEngine.c	Added display width handling for TOTP secret output
tools/shell/src/shellAuto.c	Removed deprecated TOTPSEED and generate_totp_secret from autocomplete, added new TOTP_SECRET statements
tools/shell/inc/shellInt.h	Defined SHELL_SHOW_TOTP_SECRET_DISPLAY_WIDTH constant
source/libs/parser/src/parTokenizer.c	Added TK_TOTP_SECRET token
source/libs/parser/src/parAstCreater.c	Implemented AST creation functions for CREATE/DROP TOTP_SECRET statements
source/libs/parser/inc/sql.y	Added grammar rules for CREATE/DROP TOTP_SECRET statements, moved ALTER DNODES RELOAD line
source/libs/parser/inc/parAst.h	Added function declarations for TOTP secret statement creators
source/libs/parser/src/parTranslater.c	Implemented translation functions and result schema extraction for TOTP secret operations
source/libs/nodes/src/nodesUtilFuncs.c	Added node type handling for CREATE/DROP_TOTP_SECRET_STMT
source/dnode/mnode/impl/src/mndUser.c	Implemented core TOTP secret management logic with base32 encoding
source/dnode/mnode/impl/src/mndTrans.c	Added transaction response handling for CREATE TOTP_SECRET
source/dnode/mnode/impl/src/mndPrivilege.c	Added stub privilege check function for community edition
source/dnode/mnode/impl/inc/mndUser.h	Added mndBuildSMCreateTotpSecretResp declaration
source/dnode/mnode/impl/inc/mndPrivilege.h	Added mndCheckTotpSecretPrivilege declaration
source/dnode/mgmt/mgmt_mnode/src/mmHandle.c	Registered message handlers for CREATE/DROP TOTP_SECRET
source/common/src/msg/tmsg.c	Implemented serialization/deserialization functions for TOTP secret messages
source/libs/scheduler/src/schRemote.c	Added response handling for CREATE TOTP_SECRET message type
source/client/src/clientMsgHandler.c	Implemented client-side response handling and result building for TOTP secret operations
source/client/test/clientTests.cpp	Added base32 decode function and updated TOTP test to use new CREATE TOTP_SECRET statement
source/os/src/osRand.c	Implemented taosSafeRandBytes for secure random byte generation
include/os/osRand.h	Added taosSafeRandBytes function declaration
include/libs/nodes/cmdnodes.h	Defined result constants and statement structures for TOTP secret operations
include/common/tmsgdef.h	Added TDMT_MND_CREATE_TOTP_SECRET and TDMT_MND_DROP_TOTP_SECRET message types
include/common/tmsg.h	Added TOTP secret request/response structures and node types
test/cases/81-Tools/02-Taos/test_tool_taos_cli.py	Updated test to use new CREATE TOTP_SECRET statement
docs/zh/14-reference/03-taos-sql/60-user.md	Added Chinese documentation for TOTP secret management and VNODE_PER_CALL parameter
docs/en/14-reference/03-taos-sql/60-user.md	Added English documentation for TOTP secret management and VNODE_PER_CALL parameter

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.