From 9e81c31e5a5f262662cb448f92ac0aafdae97698 Mon Sep 17 00:00:00 2001
From: Jonathan White <support@dmapps.us>
Date: Thu, 1 Sep 2022 06:54:34 -0400
Subject: [PATCH] Fix OPVault import when there are multiple OTP fields

* Fix #8371 - store multiple OTP fields as `otp_#` instead of silently discarding them.
---
 src/format/OpVaultReaderSections.cpp | 11 ++++++++++-
 tests/TestOpVaultReader.cpp          | 10 ++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/format/OpVaultReaderSections.cpp b/src/format/OpVaultReaderSections.cpp
index 610f997ec..661b9d6c3 100644
--- a/src/format/OpVaultReaderSections.cpp
+++ b/src/format/OpVaultReaderSections.cpp
@@ -84,7 +84,16 @@ void OpVaultReader::fillFromSectionField(Entry* entry, const QString& sectionNam
     auto kind = field["k"].toString();
 
     if (attrName.startsWith("TOTP_")) {
-        if (attrValue.startsWith("otpauth://")) {
+        if (entry->hasTotp()) {
+            // Store multiple TOTP definitions as additional otp attributes
+            int i = 0;
+            QString name("otp");
+            auto attributes = entry->attributes()->keys();
+            while (attributes.contains(name)) {
+                name = QString("otp_%1").arg(++i);
+            }
+            entry->attributes()->set(name, attrValue);
+        } else if (attrValue.startsWith("otpauth://")) {
             QUrlQuery query(attrValue);
             // at least as of 1Password 7, they don't append the digits= and period= which totp.cpp requires
             if (!query.hasQueryItem("digits")) {
diff --git a/tests/TestOpVaultReader.cpp b/tests/TestOpVaultReader.cpp
index aa95880a0..a5d05e9b0 100644
--- a/tests/TestOpVaultReader.cpp
+++ b/tests/TestOpVaultReader.cpp
@@ -24,6 +24,7 @@
 #include "format/OpVaultReader.h"
 #include "totp/totp.h"
 
+#include <QJsonObject>
 #include <QList>
 #include <QStringList>
 #include <QTest>
@@ -110,6 +111,15 @@ void TestOpVaultReader::testReadIntoDatabase()
     QCOMPARE(totpSettings->digits, static_cast<unsigned int>(8));
     QCOMPARE(totpSettings->step, static_cast<unsigned int>(45));
 
+    // Add another OTP to this entry to confirm it doesn't overwrite the existing one
+    auto field = QJsonObject::fromVariantMap({{"n", "TOTP_SETTINGS"}, {"v", "otpauth://test.url?digits=6"}});
+    reader.fillFromSectionField(entry, "", field);
+    QVERIFY(entry->hasTotp());
+    totpSettings = entry->totpSettings();
+    QCOMPARE(totpSettings->digits, static_cast<unsigned int>(8));
+    QCOMPARE(totpSettings->step, static_cast<unsigned int>(45));
+    QVERIFY(entry->attributes()->contains("otp_1"));
+
     // Confirm trashed entries are sent to the recycle bin
     auto recycleBin = db->metadata()->recycleBin();
     QVERIFY(recycleBin);