twofas / 2fas-android

Source code for 2FAS Android app
GNU General Public License v3.0

bug: Brand overwriting issuer for self-hosted services makes multiple instances indistinguishable #157

Open smrqdt opened 2 weeks ago

smrqdt commented 2 weeks ago

Bug type

Other

App version

5.4.5

Device environment

Android 11

Bug description

When adding a self-hosted service (e.g. authentik), the user might have access to multiple instances of that service with different credentials.

Given the following otpauth URLs (note the different issuers):

After importing the entries look like this:

Screenshot_20240708-065405

2FAS sees the authentik substring and selects the authentik brand, which I generally like, because it adds the icon. But the brand will also overwrite the issuer, which contains information about which authentik instance the token belongs to. If the user has access to multiple authentik instances with the same username, the services become indistinguishable, because they’re all named "authentik".

authentik is just an example; different self-hosted applications might use different issuers. authentik uses the instance brand name as issuer, so depending on whether the installation uses the word authentik in the instance brand name, this problem will occur, but other applications might enforce such a naming scheme.

Solution

Do not overwrite the issuer name provided by the otpauth URL with the brand name, or introduce a special flag for self-hosted brands to not do so.

Additional context

#103 might be partly related

Acknowledgements

smrqdt commented 2 weeks ago

After adding additional accounts I encountered something worse:

I have a Posteo.de mail account, and every time the label is something like Some Service:foo.bar@posteo.de (the mail address correctly in the accountname part), 2FAS selects Posteo as brand and overwrites the name.

Here is an example:

otpauth://totp/example.com:foo.bar@posteo.de?secret=ABCDEF00&algorithm=SHA1&digits=6&period=30&issuer=example.com

Screenshot_20240708-111504~2

elliotwutingfeng commented 2 weeks ago

Also related: #130
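The two reports above, reproduced as an added example that is not part of the thread and is not 2FAS code: it parses the otpauth URI, then compares a model of the reported behaviour (brand matched on the whole label, name replaced) with one that keeps the issuer as the name and uses the brand only for the icon. The brand table, the substring matching, the function names and the two authentik URIs are assumptions made for illustration; the Posteo URI is the one quoted in the thread.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical brand keywords; not the 2FAS brand database.
BRANDS = {"authentik": "authentik", "posteo": "Posteo"}

# Constructed sample URIs, except POSTEO, which is the one quoted in the thread.
HOME = "otpauth://totp/authentik%20Home:alice?secret=ABCDEF00&issuer=authentik%20Home"
WORK = "otpauth://totp/authentik%20Work:alice?secret=ABCDEF00&issuer=authentik%20Work"
POSTEO = ("otpauth://totp/example.com:foo.bar@posteo.de?secret=ABCDEF00"
          "&algorithm=SHA1&digits=6&period=30&issuer=example.com")


def parse_otpauth(uri):
    """Return (issuer, account) from an otpauth URI label and issuer parameter."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:  # a label without an issuer prefix is just the account name
        prefix, account = "", label
    # The issuer parameter wins; fall back to the label prefix when it is absent.
    issuer = parse_qs(parts.query).get("issuer", [prefix])[0]
    return issuer.strip(), account.strip()


def match_brand(text):
    """Case-insensitive substring match against the hypothetical brand table."""
    lowered = text.lower()
    return next((b for k, b in BRANDS.items() if k in lowered), None)


def entry_as_reported(uri):
    """Model of the reported behaviour: brand matched on the whole label, name replaced."""
    issuer, account = parse_otpauth(uri)
    brand = match_brand(f"{issuer}:{account}")
    return {"name": brand or issuer, "icon": brand, "account": account}


def entry_keeping_issuer(uri):
    """Brand matched on the issuer only and used for the icon; the name stays the issuer."""
    issuer, account = parse_otpauth(uri)
    brand = match_brand(issuer)
    return {"name": issuer or brand or account, "icon": brand, "account": account}


if __name__ == "__main__":
    for uri in (HOME, WORK, POSTEO):
        print(entry_as_reported(uri), "->", entry_keeping_issuer(uri))
```
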