Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Firefox 122.0 no longer displays OTP codes #340

Closed
morciej opened this issue Jan 25, 2024 · 4 comments · Fixed by #361
Closed

Firefox 122.0 no longer displays OTP codes #340

morciej opened this issue Jan 25, 2024 · 4 comments · Fixed by #361

Comments

@morciej
Copy link

morciej commented Jan 25, 2024

General information

  • Linux Mint 21.3 Virginia
  • Firefox 122.0
  • Information about the host app:
    • Installed via a package manager
    • Browserpass host app version 3.1.0 (downloaded as binary)
  • Information about the browser extension:
    • How did you install it?
      Installed from Extensions
    • Browserpass extension version as reported by your browser: 3.8.0

If you are getting an error immediately after opening popup, have you followed the Configure browsers documentation section? Yes I did/N/A


Exact steps to reproduce the problem

  1. Upgrade to Firefox 122.0

  2. Go to any website requiring OTP that you have account on (e.g. Github)

  3. Open the extension and click on >

What should happen?

OTP number and seconds bar should appear

What happened instead?

"View Credentials" without OTP appears

I tried to disable and re-enable the OTP functionality a couple times to be sure. I also re-issued Make command for the host app. No luck.

I'll try to roll back the browser next.

@morciej
Copy link
Author

morciej commented Jan 25, 2024

Confirmed by downloading and running extension in Firefox 121.0

@spookyvision
Copy link

  • confirmed broken in FF 133.0 on Mac
  • pass otp on the command line works, so the pass entry seems well-formed
  • I think it was working for me some time earlier this year, but later than this issue was created. So maybe it's several problems that don't always manifest?

@raxod502
Copy link
Contributor

working for me some time earlier this year, but later than this issue was created

Agreed, it was working for me up until just today when I upgraded from Firefox 132.0.2+build2-0ubuntu0.24.04.1~mt1 to 133.0.3+build1-0ubuntu0.24.04.1~mt1 on Ubuntu 24.04. Also broken on Ubuntu 22.04 when I performed the same Firefox version upgrade (132 to 133).

The details menu for a password entry now shows the raw OTP string exactly as displayed in the password file contents, instead of the rotating OTP code.

As with previous commenter, command-line usage remains functional and is a workaround.

I did notice that Ubuntu has moved from pass-extension-otp to pass-otp as the name of the Pass extension, but I don't think the browser extension actually uses the command-line tool to generate OTPs (if it did, #358 wouldn't happen -_-), so I don't think that's the issue.

@raxod502
Copy link
Contributor

Okay, well, I checked Firefox 132 and Firefox 133, and there is a breaking change in the new URL constructor. Try this code:

new URL("otpauth://totp/github?secret=foobar&issuer=github")

In Firefox 132 it returns:

URL { href: "otpauth://totp/github?secret=foobar&issuer=github", origin: "null", protocol: "otpauth:", username: "", password: "", host: "", hostname: "", port: "", pathname: "//totp/github", search: "?secret=foobar&issuer=github" }

In Firefox 133 it returns:

URL { href: "otpauth://totp/github?secret=foobar&issuer=github", origin: "null", protocol: "otpauth:", username: "", password: "", host: "totp", hostname: "totp", port: "", pathname: "/github", search: "?secret=foobar&issuer=github" }

So, completely different. And the subsequent code in browserpass then of course gets the wrong result. Specifically params.type gets set to something that's not totp, here:

let url = new URL(login.fields.otp.toLowerCase());
let otpParts = url.pathname.split("/").filter((s) => s.trim());
login.fields.otp = {
raw: login.fields.otp,
params: {
type: otpParts[0] === "otp" ? "totp" : otpParts[0],

Therefore this check fails:

login.fields.otp.params.type === "totp"

and the OTP "snack" (whatever that is, lol) is not rendered:

Now I have to say the older behavior looks totally cursed so I'm guessing this is a bugfix and that is why I cannot find any reference to the change in the changelogs:

Probably this bug that was fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=1507354

If we replace the custom protocol from otpauth:// to http:// before parsing, as a workaround, then the URL constructor works the same (correctly) in both Firefox versions. I'll submit a PR doing that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging a pull request may close this issue.

3 participants