fix/2445 HOTP (and 2426 TOTP) type errors#2620
Merged
Merged
Conversation
C85297
previously approved these changes
Jul 3, 2026
Member
|
@alleria173 I think there is a merge conflict which needs resolving - otherwise, looks good! |
e92ed04 to
7726c3a
Compare
Contributor
Author
Thank you @C85297, I've rebased the branch follow the previous pulls that affected HOTP/TOTP and resolved the merge conflict. |
C85297
approved these changes
Jul 3, 2026
Member
|
Thank you for your contribution! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #2445 and fixes #2426 which reports that entering non-base32 characters (e.g.
|,,,;) into the Generate HOTP secret field produces a cryptic error referencing an internal blob URL:The base32 input format is correct by design — the otpauth URI format requires the
secretparameter to be base32-encoded (RFC 4648, characters A–Z and 2–7). The bug is in error handling: whenOTPAuth.Secret.fromBase32()encounters an invalid character it throws a rawTypeError, not anOperationError. Recipe.mjs only silencesOperationError; any other error type propagates with its blob URL filename attached, producing the unhelpful message.GenerateTOTP.mjsshares identical secret-handling code and has the same bug, so both operations are fixed together. Additionally, both had a pre-existing issue where blank input calledSecret.fromBase32("")(producing an empty secret) rather thannew OTPAuth.Secret()(random secret), contradicting the description's "leave it blank for a random secret to be generated" promise.The fix wraps
fromBase32()in a try-catch in both operations and throws a user-friendlyOperationErroron failure. The operation descriptions are also updated to make the base32 requirement explicit.src/core/operations/GenerateHOTP.mjsAdded
import OperationError from "../errors/OperationError.mjs". Replaced the barefromBase32()call with a try-catch block:Updated
descriptionto append: "The secret must be a valid base32 string (characters A–Z and 2–7)."src/core/operations/GenerateTOTP.mjsIdentical changes — same import, same try-catch, same description update, same empty-input fix.
Existing Issue
#2445
Screenshots
N/A — no visual changes.
AI disclosure
Claude Code (claude.ai/code) was used to diagnose the root cause and generate test cases. All other code was added by the submitter.
Test Coverage
Two new test cases added to
tests/operations/tests/OTP.mjs, one per operation, verifying that invalid base32 input produces the friendlyOperationErroroutput rather than a blob TypeError:"Generate HOTP - invalid base32 secret rejected"— input"not,valid|base32;input", expected output"Invalid secret. The input must be a valid base32 string (characters A–Z and 2–7).""Generate TOTP - invalid base32 secret rejected"— same input and expected outputAll 2058 operation tests pass (
npm test).