I would prefer opening this as a modal dialog (sheet on OS X) with open(). Then you also don't need Qt::WindowStaysOnTopHint.

Actually I was trying to do this before but couldn't find how since I have no experience with QT. Looks even better now :)

return here does nothing.

Spaces around operator missing.

Space after if missing.

I don't think <b>…</b> should be part of the translatable string. Also add spaces around operators.

Spaces.

Some "copy and close" functionality could be useful (just a suggestion).

Since this adds a new dependency, adding a -DWITH_XC_TOTP CMake option would be useful to optionally compile KeePassXC without TOTP support.

Should I set it ON by default?

@droidmonkey @TheZ3ro What do you think?

Are the libraries readily available on both MinGW and OSX? If so I say leave it as-is and update the wiki. This should be treated like core capability and not a plugin.

Shouldn't this be spelled "Timed one-time password"?

@weslly This list is sorted alphabetically. This line should go further down.

@weslly this list is also sorted alphabetically.

This variable name is ambiguous, recommend renaming to "result"

Is the intention of having this as a separate if statement to also catch errors from oath_totp_generate? Seems like a different error message should be displayed, no?

One more thing I just noticed here: isn't this over-allocated? According to the docs, this should have a size of the number of digits + 1 (for the \0 character).

I would also much prefer if you saved the intended number of digits in a constant numDigits (const unsigned), used a C99 dynamic array here to allocate the buffer with length numDigits + 1 and then passed this constant as a parameter to oath_totp_generate(). That way we avoid possible buffer overflows if someone changes the number of output digits, but doesn't adjust the buffer size or the like.

You may also want to use names for the other parameters ofoath_totp_generate() instead of magic numbers.

Does this even work? The documentation of oath_base32_decode() says

If out is NULL, then *outlen will be set to what would have been the length of *out on successful encoding.

So as I understand it, result would still be NULL. If for some reason, the docs are wrong, though, it would mean that result had been allocated dynamically and would need to be deallocated again.

I'm also not a huge fan of using the NULL define in C++ code (even when using a C API). You should instead use nullptr.

I believe this is interested in the address of the pointer container itself (hence the reference to a pointer). After this call, it will be pointing to the allocated data made in the function.

There may be a memory leak, however, because result is never deleted.

Which is not what the docs says. That's why I'm asking. But if it gets allocated, there is a memory leak for sure.

If out is NULL, then *outlen will be set to what would have been the length of *out on successful encoding.

out contains the address of the variable result and not null...

@rockihack Yes, you're right. oath_base32_decode() is being given &result as parameter, not result. So there is no dynamic allocation. However, result is a nullptr and not an allocated char array. This means we have a nice multi-byte buffer overflow here.

Yes. Correct way to convert to char array is:

QByteArray seedBytes = seed.toLatin1();
const char* secret = seedBytes.constData();

This is not the fault of C code, the developer didn't read the documentation.

It kind of is. With a clean C++ API, we wouldn't need to convert to raw C strings at all. But the statement was also more targeted towards the memory leak. C does not do RAII.

C++ std strings and different character encodings are even worse.
BTW you should replace strlen() with seed.length().

The encoding should be pretty fixed in this case. That would be a non-issue here.

seed.length() and strlen are equivalent. Since what goes into the C function is actually secret and not seed, I find usage of strlen(seed) consistent, although using the length of the QByteArray directly is probably not the worst idea. But then I would prefer size() instead of length().

secret or seed whatever the name of the variable is.
strlen() runs in time O(n) and var.length() in O(1), so they are not equivalent.

Alright, that's an argument, although basically irrelevant with a fixed string length of 6 bytes. Still would prefer size() over length(), though.

I believe this is interested in the address of the pointer container itself (hence the reference to a pointer). After this call, it will be pointing to the allocated data made in the function.

There may be a memory leak, however, because result is never deleted.

This variable should be renamed to: secret_decoded

You still need to free() secret_decoded.

The * belongs to the type, not the identifier.

Return value not checked.

Missing a call to oath_done().

Missing calls to free(secret_decoded) and oath_done().

Redundant. oath_done() is called twice when rc != OATH_OK.

oath_done is never called twice, however its called even if oath_init fails.
This method should be refactored.

True. I shouldn't review code so late in the night.

You should check the return value after this or not save it all and wrap the call in Q_UNUSED().

You are wrong. Q_UNUSED should only wrap unused parameters and not return values.

Q_UNUSED only adds (void) in front of the line which can also be used to suppress "unchecked return value" warnings.

It doesn't matter what Q_UNUSED does. Don't try to be smarter than the qt developers if you use their api. Implementations are prone to change.
https://doc.qt.io/qt-5/qtglobal.html#Q_UNUSED

The Qt guys themselves sometimes use it for non-parameter expressions.

Do you have an example? Where do they use it for return values?

This seems like the easiest, most cross-platform way to accomplish a true "ignore return value"

template<typename T>
inline void ignore_result(T /* unused result */) {}

Allegedly (void) casting is going out of vogue...

I've seen it being used directly on a static_cast expression (e.g. here https://github.com/qt/qtbase/blob/6bceb4a8a9292ce9f062a38d6fe143460b54370e/tests/auto/corelib/tools/qscopedpointer/tst_qscopedpointer.cpp#L200) and what you find extremely often is this:

int foo = bar();
Q_UNUSED(foo);

IMHO you can shorten that by directly using it on the rvalue of the function return, but in either case, that's not a function parameter.

@droidmonkey That creates unnecessary stack operations and pollutes the namespace, though. You also still need some extra mechanism inside ignore_result() (which would probably be void casting again or some useless operation on the parameter).

Alright they use it to prevent unused parameter AND unused local variable warnings, but I doubt that they use it for return values.

There is virtually no difference. If you really want to be sure that it doesn't break if they change it to something that doesn't work with rvalues (highly unlikely, would also break their own static_cast code), you can always make an lvalue from it before using Q_UNUSED. The point is just that we don't want compiler warnings about ignored return values and Q_UNUSED can get rid of them. Whether you apply it directly to the function call or create an lvalue first, I don't care.

Use nullptr instead of NULL.

Should also be wrapped in Q_UNUSED(), since it returns an integer.

No it shouldn't, see above.

Is this trailing whitespace accidental?

Yes, it is. Thanks, I'll fix on next commit