Wrong otp secrets when importing from 1pux file #10368

Closed
double-square opened this issue Mar 10, 2024 · 7 comments · Fixed by #10499

@double-square

Overview

When importing data from a 1pux file, KeePassXC imports the OTP string like this:
otpauth://totp/credential:email?secret=otpauthtotpcredentialemailsecretACTUAL_SECRET&period=30&digits=6&issuer=issuer_name
and this leads to wrong OTP codes.

Steps to Reproduce

  1. Export a 1pux file from 1Password that contains a credential with TOTP
  2. Import the 1pux file into KeePassXC 2.7.7
  3. Check the otp field in the Advanced tab

Expected Behavior

The line in the otp field should be identical to that in 1Password.

Actual Behavior

The otp line from 1Password appears in the secret option in the KeePassXC otp line.

Debug Information

KeePassXC - Version 2.7.7
Revision: 68e2dd8

Qt 5.15.11
Debugging mode is disabled.

Operating system: macOS 14.3
CPU architecture: arm64
Kernel: darwin 23.3.0

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Passkeys
  • SSH Agent
  • KeeShare
  • YubiKey
  • Quick Unlock

Cryptographic libraries:

  • Botan 3.1.1

Operating System: macOS

@droidmonkey
Member

Can you explain what is wrong about it?

@double-square
Author

So KeePassXC uses the whole otp string (including the issuer name and all the attributes) from 1Password as the secret value.

@droidmonkey
Member

Your 1Password exports an otp string?? Unfortunately they don't document the totp field: https://support.1password.com/1pux-format/. I had to guess based on using a 1Password trial and exporting a bunch of created entries.

Unfortunately, for now you will just have to manually change the otp string.

@droidmonkey
Member

droidmonkey commented Mar 10, 2024

My test export looks like this for an entry with two TOTP fields defined, DFDFDF... is the totp secret:

"sections": [
  {
    "title": "Extra Data",
    "name": "add more",
    "fields": [
      {
        "title": "one-time password",
        "id": "TOTP_yod37o45gdg4juy3ojwqm7cpfy",
        "value": {
          "totp": "DFDFDEF"
        },
        "indexAtSource": 0,
        "guarded": false,
        "multiline": false,
        "dontGenerate": false,
        "inputTraits": {
          "keyboard": "default",
          "correction": "no",
          "capitalization": "none"
        }
      },
      {
        "title": "one-time password",
        "id": "TOTP_neajzkinxpmbr3bq2ftyosgovy",
        "value": {
          "totp": "DFDFDEFDEF"
        },
        "indexAtSource": 1,
        "guarded": false,
        "multiline": false,
        "dontGenerate": false,
        "inputTraits": {
          "keyboard": "default",
          "correction": "no",
          "capitalization": "none"
        }
      },

@droidmonkey droidmonkey added this to the v2.8.0 milestone Mar 10, 2024
@droidmonkey droidmonkey self-assigned this Mar 10, 2024
@double-square
Author

Yeah. Like half of my credentials contain an otpauth://totp/ string instead of the secret.

@double-square
Author

So I fixed this bug, can I open a pull request?

@droidmonkey
Member

Sure can!
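
Added example, not part of the thread and not KeePassXC's code: the two shapes of the 1pux `totp` value reported above (a bare Base32 secret and a full `otpauth://` URI) reduced to the same secret, plus a check for already-imported entries whose `secret=` parameter holds the squashed URI. The function names and the sample data are assumptions made for illustration, and the `otpauthtotp` prefix test is a heuristic taken from the string quoted in the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

BASE32 = re.compile(r"[A-Z2-7]+")

def extract_secret(totp_value):
    """Return the bare Base32 secret from a 1pux "totp" value in either form."""
    value = totp_value.strip()
    if value.lower().startswith("otpauth://"):
        # Full URI form: the secret is one query parameter, not the whole string.
        secrets = parse_qs(urlsplit(value).query).get("secret", [])
        if not secrets:
            raise ValueError("otpauth URI has no secret parameter")
        value = secrets[0]
    # Drop spaces, dashes and padding, then insist on the Base32 alphabet.
    secret = re.sub(r"[\s-]", "", value).upper().rstrip("=")
    if not BASE32.fullmatch(secret):
        raise ValueError("secret is not Base32")
    return secret

def iter_totp_values(node):
    """Yield every "totp" string found anywhere in parsed export JSON."""
    if isinstance(node, dict):
        for key, child in node.items():
            if key == "totp" and isinstance(child, str):
                yield child
            else:
                yield from iter_totp_values(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_totp_values(child)

def looks_mangled(otp_uri):
    """Heuristic for an imported entry: secret= starts with a squashed URI."""
    secrets = parse_qs(urlsplit(otp_uri).query).get("secret", [""])
    return secrets[0].lower().startswith("otpauthtotp")

# Constructed sample shaped like the "sections" excerpt in this thread.
SAMPLE = {"sections": [{"fields": [
    {"id": "TOTP_a", "value": {"totp": "DFDFDEF"}},
    {"id": "TOTP_b", "value": {"totp":
        "otpauth://totp/credential:email?secret=DFDFDEFDEF"
        "&period=30&digits=6&issuer=issuer_name"}},
]}]}

if __name__ == "__main__":
    for raw in iter_totp_values(SAMPLE):
        print(extract_secret(raw))
```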
