mooltipass / minible

Github repository containing the firmwares running on the Mooltipass Mini BLE
GNU General Public License v3.0

Feature request: allow requesting TOTP codes without providing login, but service-only #423

Closed barathrm closed 1 month ago

barathrm commented 1 month ago

Missing feature

The Get TOTP Code message requires a login to be provided, whereas the Get Credential message allows passing 0xFFFF as the login index to signal that the minible should prompt the user if there are multiple credentials for a service, or, if there's only one, automatically prompt for the only login for that service.

In other words, the Get TOTP Code message does not seem to allow the same "auto-prompting" as the Get Credential message.

Justification

When developing applications which want to automatically ask the minible for a password for a given service (url, host etc) but which don't know the login the user might have, they need to ask for the service only. This is already what the browser plugin does.

I'm trying to do the same for a terminal-based application, but I noticed that the same is not possible for getting TOTP codes. The application needs to somehow figure out (ask the user for) the login name, or reuse the response to a previous request for the regular credential.

It would be nice if the minible simply handled the requests in the same way, meaning fewer special cases in code and allowing more versatile usage.

Example use case

There's already an example use-case where the browser plugin might want this. When you're logged in to github, there are some actions which require you to "sudo" in github, so you will be prompted for a TOTP code even though you're already logged in. I don't think the browser plugin can handle this currently, since it does not immediately follow a regular login.

Workarounds

Are there any workarounds you currently have in place because the feature is missing?

The application developer may first use the "get credential" message to get the login a user might choose for a given service (even if the application does not need the password), and then reuse the login returned in the response for that message to craft a "get totp code" message. However, this means that two prompts must be answered by the user on the minible, instead of just one, if all the application needs is the TOTP code.
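The following is an added model of the behaviour described in this issue, not code from the minible firmware or from any Mooltipass client. It takes from the issue only the rules that 0xFFFF as a login index means "not specified", that Get Credential then either asks the user to pick among several logins or to approve the single one, and that Get TOTP Code currently requires an explicit login, so a TOTP-only client pays two prompts instead of one. The `Device` class, its prompt callbacks, the way a rejected request is reported (`None`) and the sample store are assumptions made for this model; the TOTP secret is the RFC 6238 test key, so the codes it produces are real TOTP values at the test-vector timestamp.

```python
"""Model of the login-index rule from the issue (added illustration, not
firmware or client code). Device/Credential, the prompt callbacks and
the None-on-rejection convention are assumptions of this model."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

NO_LOGIN = 0xFFFF   # login index meaning "not specified" (from the issue)
FIXED_TIME = 59     # RFC 6238 test-vector timestamp, keeps the output deterministic


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) so the model returns a real code."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


@dataclass
class Credential:
    login: str
    password: str
    totp_secret: Optional[bytes] = None   # None: no TOTP configured for this login


@dataclass
class Device:
    store: Dict[str, List[Credential]]                  # service -> credentials
    choose: Callable[[str, List[str]], Optional[str]]   # several logins: user picks one
    approve: Callable[[str, str], bool]                 # single login: user says yes/no
    totp_accepts_no_login: bool = False                 # the requested feature, off by default
    prompts: int = 0                                    # how many times the user was asked

    def _resolve(self, service: str, login: Union[str, int]) -> Optional[str]:
        """Turn a login (name or NO_LOGIN) into a user-approved login name."""
        logins = [c.login for c in self.store.get(service, [])]
        if not logins:
            return None
        if login == NO_LOGIN:
            self.prompts += 1
            if len(logins) == 1:
                return logins[0] if self.approve(service, logins[0]) else None
            return self.choose(service, logins)
        if login not in logins:
            return None
        self.prompts += 1
        return login if self.approve(service, login) else None

    def _find(self, service: str, login: str) -> Credential:
        return next(c for c in self.store[service] if c.login == login)

    def get_credential(self, service: str, login: Union[str, int] = NO_LOGIN) -> Optional[Credential]:
        chosen = self._resolve(service, login)
        return None if chosen is None else self._find(service, chosen)

    def get_totp(self, service: str, login: Union[str, int], now: int = FIXED_TIME) -> Optional[str]:
        if login == NO_LOGIN and not self.totp_accepts_no_login:
            return None   # current behaviour modelled as a rejection without a prompt (assumption)
        chosen = self._resolve(service, login)
        if chosen is None:
            return None
        cred = self._find(service, chosen)
        return None if cred.totp_secret is None else totp_code(cred.totp_secret, now)


def workaround_totp(dev: Device, service: str) -> Optional[str]:
    """Today's two-prompt flow: Get Credential first, then reuse its login."""
    cred = dev.get_credential(service, NO_LOGIN)
    return None if cred is None else dev.get_totp(service, cred.login)


def direct_totp(dev: Device, service: str) -> Optional[str]:
    """Requested one-prompt flow: Get TOTP Code with the 0xFFFF marker."""
    return dev.get_totp(service, NO_LOGIN)


def sample_device(feature: bool) -> Device:
    """Constructed sample store; the TOTP secret is the RFC 6238 test key."""
    key = b"12345678901234567890"
    return Device(
        store={
            "github.com": [Credential("alice", "pw1", key)],
            "example.org": [Credential("alice", "pw2"), Credential("bob", "pw3", key)],
        },
        choose=lambda service, logins: logins[-1],   # simulated user picks the last entry
        approve=lambda service, login: True,          # simulated user taps "yes"
        totp_accepts_no_login=feature,
    )


if __name__ == "__main__":
    old = sample_device(feature=False)
    print("workaround:", workaround_totp(old, "github.com"), "prompts:", old.prompts)
    new = sample_device(feature=True)
    print("direct:", direct_totp(new, "github.com"), "prompts:", new.prompts)
```

Running the block shows the difference the issue is about: with the feature off, `workaround_totp` needs two device prompts for a service with a single login, while `direct_totp` with the feature on needs one; for a service with several logins the 0xFFFF path asks the user to select, exactly as Get Credential does today.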

limpkin commented 1 month ago

that's a very good point you bring up :)