Keepassxc-browser: OTP not filling in websites

Created on 4 Sep 2018 · 21 Comments · Source: keepassxreboot/keepassxc-browser

Expected Behavior



Right click input box, use option to fill OTP

Current Behavior



Does nothing

Possible Solution


Steps to Reproduce (for bugs)



1.
2.
3.
4.

Debug info


KeePassXC - {VERSION}
keepassxc-browser - {VERSION}
Operating system: Mac/Win/Linux
Browser: Chrome/Firefox/Vivaldi/Chromium
Proxy used: YES/NO

bug


All 21 comments

1) Select the credentials to normal inputs fields
2) Then fill the OTP

This is how I usually do it. Does the OTP need to be on the same page?

No it doesn't. The selected credentials entry index will be saved so the correct OTP can be retrieved.

Ok, well it's not filling in. How can I gather more information?

Debug the content script via:

  • Right mouse click on page -> Inspect/Inspect element
  • Sources tab, choose Content scripts from the double arrow menu on the upper left
  • Select KeePassXC-Browser from the left panel and keepassxc-browser.js
  • Put a breakpoint to 1729 and fill the TOTP normally
  • See the value of pos and the size of cip.credentials

I'm also having this issue. pos shows a value of 0, and cip.credentials has a single element, which includes my username and password, but I don't see any reference to the TOTP.

Is KPH: {TOTP} still needed for TOTP to work properly?

My debug information:
KeePassXC - 2.3.4
keepassxc-browser - 1.2.0
Operating system: Linux
Browser: Firefox 62.0
Proxy used: NO

Yes it is. Key name = "KPH: {TOTP}", Value = "{TOTP}"

If I was following https://github.com/keepassxreboot/keepassxc/issues/1652 and https://github.com/keepassxreboot/keepassxc/pull/1850 correctly (granted, not a guaranteed situation), it appears that pull 1852 is supposed to remedy the need for the manual addition of the key in the DB. Is that not the case?

The extra attribute should not be needed anymore, but it still works because of the filling of possible custom string fields.

@varjolintu, therefore my (for example) GitHub entry shouldn't need a KPH: {TOTP} key in order for "Right Click -> KeepassXC Browser-> Fill TOTP" to work, correct?

@jstnchristian Yes. I haven't been able to reproduce this kind of situation where TOTP fails without the attribute.

@varjolintu I can provide examples of sites where the TOTP generation fails without manually adding that attribute:

I'll repeat my configuration:

Firefox 63.0b6 (64-Bit)
KeePassXC-Browser Version: 1.2.0
KeePassXC - Version 2.3.4
Revision: 6fe821c

Libraries:

  • Qt 5.9.5
  • libgcrypt 1.8.1

Operating system: Ubuntu 18.04.1 LTS
CPU architecture: x86_64
Kernel: linux 4.15.0-34-generic

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Legacy Browser Integration (KeePassHTTP)
  • SSH Agent
  • YubiKey

@apiraino Thank you. I'll try to reproduce this with those sites, excluding Amazon because for me it has always worked.

@varjolintu, if you have some ideas for tracing, I am more than happy to try and help you get the data you need.

@jstnchristian Slack also worked for me. Just activated the 2FA for it and set up the TOTP in KeePassXC without any problems.

I think this would actually need debugging of KeePassXC itself and see why it doesn't receive the TOTP for the entry.

Debug the content script via:
...
* Select KeePassXC-Browser from the left panel and keepassxc-browser.js
* Put a breakpoint to 1729 and fill the TOTP normally
...

@varjolintu I've tried some basic debugging like you suggested :+1:

If the attribute KPH: {TOTP} is missing, the variable stringfields at keepassxc-browser.js +1746 is undefined, thus the TOTP autofill won't work.

That is the cause for TOTP autofill not working for the websites I've reported in this issue.

IIRC In another issue (can't find where atm) it was suggested that the attribute KPH: {TOTP} is not mandatory, but I wonder how TOTP autofill can ever work without that attribute set. Can you help me a bit? Thanks!

@apiraino https://github.com/keepassxreboot/keepassxc-browser/blob/0231f2465aa77925af4f8d640aacd7749ef726ea/keepassxc-browser/keepassxc-browser.js#L1753
This is the point where it should go if the TOTP is found without any additions to attributes. So there should be a value inside cip.credentials[pos].totp.

And yes, the attribute is needed if autofill is used because it requires the input field saved as a custom string field (via Choose custom credential fields).
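
The two lookup paths discussed above (a `totp` value on the entry, or the manually added KPH: {TOTP} attribute), as an added diagnostic example that is not part of the thread or the extension's source. The function name `resolveTotp`, the sample entries, and the assumed shape of `stringFields` (an array of single-key objects) are illustrative assumptions.

```javascript
// Added diagnostic sketch, not code from keepassxc-browser.
// Assumed shapes: an entry may carry a `totp` string sent by KeePassXC and/or
// `stringFields`, an array of single-key objects such as { "KPH: {TOTP}": "123456" }.
const TOTP_ATTRIBUTE = 'KPH: {TOTP}';

function resolveTotp(credentials, pos) {
    if (!Array.isArray(credentials) || credentials.length === 0) {
        return { source: null, value: null, reason: 'no credentials retrieved for this page' };
    }
    if (!Number.isInteger(pos) || pos < 0 || pos >= credentials.length) {
        return { source: null, value: null, reason: `pos ${pos} is outside 0..${credentials.length - 1}` };
    }
    const entry = credentials[pos];

    // Path 1: the application delivered the code directly on the entry.
    if (typeof entry.totp === 'string' && entry.totp.length > 0) {
        return { source: 'totp', value: entry.totp, reason: null };
    }

    // Path 2: fall back to the manually added custom string field.
    const fields = Array.isArray(entry.stringFields) ? entry.stringFields : [];
    for (const field of fields) {
        const value = field && field[TOTP_ATTRIBUTE];
        if (value) {
            return { source: 'stringFields', value, reason: null };
        }
    }

    // Neither path produced a code: report which condition failed so the
    // "does nothing" symptom can be traced to a missing field.
    const reason = entry.stringFields === undefined
        ? 'entry has neither totp nor stringFields'
        : `stringFields present but no "${TOTP_ATTRIBUTE}" key`;
    return { source: null, value: null, reason };
}

// Constructed sample entries (values are made up for illustration).
const withAttribute = [{ login: 'alice', password: 'x', stringFields: [{ 'KPH: {TOTP}': '123456' }] }];
const withoutAttribute = [{ login: 'alice', password: 'x' }];
const directTotp = [{ login: 'alice', password: 'x', totp: '654321' }];

for (const [label, creds] of [['attribute set', withAttribute], ['no attribute', withoutAttribute], ['direct totp', directTotp]]) {
    console.log(label, resolveTotp(creds, 0));
}
```
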

Hi,

I've the same problem: putting a breakpoint at the above line (1753) shows that there is no totp field in cip.credentials[pos].

I'm using KeePassXC Version: 2.3.4 and KeePassXC-Browser Version: 1.3.0. I do not add the KPH attribute (if I do, it works but, as I understand, this attribute should not be needed any more).

You still need the attribute in 2.3.4....

You still need the attribute in 2.3.4....

Then the documentation (https://github.com/varjolintu/keepassxc-browser/wiki/Connecting-the-database-with-keepassxc-browser#how-to-use-totp-time-based-one-time-passwords-with-keepassxc-browser) should be fixed as it mentions "Please note that this step is not necessary with KeePass 2.3.3 and later." ;-)

EDIT: Hum, it seems not to be the official documentation, I'm confused :-/

That documentation is not accurate, the PR that introduced the direct TOTP integration was https://github.com/keepassxreboot/keepassxc/pull/1850 and it was merged into the develop branch which is tracking for 2.4.0 currently. If you want this functionality you can use a snapshot of 2.4.0 found at https://snapshot.keepassxc.org.
