From bb8c7602783521bab5d3deb5a5926afdb6baffaf Mon Sep 17 00:00:00 2001
From: Davide <keeshux@gmail.com>
Date: Wed, 30 Oct 2024 17:07:59 +0100
Subject: [PATCH] OpenVPN OTP is persisted with the password (#785)

Encode OpenVPN password + OTP in tunnel rather than in the app.

Encoding them upfront in the app ends up persisting the profile with the
combined password. Update the library with a new OTP field in
OpenVPN.Credentials, so that the password encoding is performed [on the
fly in the
tunnel](https://github.com/passepartoutvpn/passepartoutkit-source/pull/398).
Similar to how provider modules are generated.

This is likely a regression caused by migrating to NEProfileRepository,
because starting a connection causes the profile to be saved to NE with
the encoded password. Later, the profile is restored from NE and
therefore contains the encoded password.
---
 .../xcshareddata/swiftpm/Package.resolved     |  2 +-
 Passepartout/Library/Package.swift            |  2 +-
 .../Modules/OpenVPNView+Credentials.swift     | 28 +++++++++++--------
 3 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/Passepartout.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved b/Passepartout.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
index 1d9cd400..4c11ccbe 100644
--- a/Passepartout.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
+++ b/Passepartout.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
@@ -41,7 +41,7 @@
       "kind" : "remoteSourceControl",
       "location" : "git@github.com:passepartoutvpn/passepartoutkit-source",
       "state" : {
-        "revision" : "7426954e8ec84e6ddf6c8cd415bfa2c5c7064534"
+        "revision" : "8b4c47f716120fab3f219593cf4ae0e6e2c86677"
       }
     },
     {
diff --git a/Passepartout/Library/Package.swift b/Passepartout/Library/Package.swift
index 617f4611..34334ec7 100644
--- a/Passepartout/Library/Package.swift
+++ b/Passepartout/Library/Package.swift
@@ -36,7 +36,7 @@ let package = Package(
     ],
     dependencies: [
 //        .package(url: "git@github.com:passepartoutvpn/passepartoutkit-source", from: "0.9.0"),
-        .package(url: "git@github.com:passepartoutvpn/passepartoutkit-source", revision: "7426954e8ec84e6ddf6c8cd415bfa2c5c7064534"),
+        .package(url: "git@github.com:passepartoutvpn/passepartoutkit-source", revision: "8b4c47f716120fab3f219593cf4ae0e6e2c86677"),
 //        .package(path: "../../../passepartoutkit-source"),
         .package(url: "git@github.com:passepartoutvpn/passepartoutkit-source-openvpn-openssl", from: "0.9.1"),
 //        .package(url: "git@github.com:passepartoutvpn/passepartoutkit-source-openvpn-openssl", revision: "031863a1cd683962a7dfe68e20b91fa820a1ecce"),
diff --git a/Passepartout/Library/Sources/AppUIMain/Views/Modules/OpenVPNView+Credentials.swift b/Passepartout/Library/Sources/AppUIMain/Views/Modules/OpenVPNView+Credentials.swift
index ecad9426..cfe22b22 100644
--- a/Passepartout/Library/Sources/AppUIMain/Views/Modules/OpenVPNView+Credentials.swift
+++ b/Passepartout/Library/Sources/AppUIMain/Views/Modules/OpenVPNView+Credentials.swift
@@ -25,6 +25,7 @@
 
 import PassepartoutKit
 import SwiftUI
+import UtilsLibrary
 
 extension OpenVPNView {
     struct CredentialsView: View {
@@ -43,9 +44,6 @@ extension OpenVPNView {
         @State
         private var builder = OpenVPN.Credentials.Builder()
 
-        @State
-        private var otp = ""
-
         @State
         private var paywallReason: PaywallReason?
 
@@ -60,16 +58,17 @@ extension OpenVPNView {
             .navigationTitle(Strings.Modules.Openvpn.credentials)
             .onLoad {
                 builder = credentials?.builder() ?? OpenVPN.Credentials.Builder()
+                builder.otp = nil
             }
             .onChange(of: builder) {
-                if isEligibleForInteractiveLogin, isAuthenticating {
-                    credentials = $0.buildForAuthentication(otp: otp)
+                var copy = $0
+                if isEligibleForInteractiveLogin {
+                    copy.otp = copy.otp?.nilIfEmpty
                 } else {
-                    credentials = $0.build()
+                    copy.otpMethod = .none
+                    copy.otp = nil
                 }
-            }
-            .onChange(of: otp) {
-                credentials = builder.buildForAuthentication(otp: $0)
+                credentials = copy.build()
             }
             .modifier(PaywallModifier(reason: $paywallReason))
         }
@@ -135,9 +134,13 @@ private extension OpenVPNView.CredentialsView {
             ThemeSecureField(title: Strings.Global.password, text: $builder.password, placeholder: Strings.Placeholders.secret)
                 .textContentType(.password)
 
-            if isEligibleForInteractiveLogin, isAuthenticating && builder.otpMethod != .none {
-                ThemeSecureField(title: Strings.Unlocalized.otp, text: $otp, placeholder: Strings.Placeholders.secret)
-                    .textContentType(.oneTimeCode)
+            if isEligibleForInteractiveLogin, isAuthenticating, builder.otpMethod != .none {
+                ThemeSecureField(
+                    title: Strings.Unlocalized.otp,
+                    text: $builder.otp ?? "",
+                    placeholder: Strings.Placeholders.secret
+                )
+                .textContentType(.oneTimeCode)
             }
         }
         .themeSection(footer: inputFooter)
@@ -146,6 +149,7 @@ private extension OpenVPNView.CredentialsView {
     var inputFooter: String? {
         if isAuthenticating {
             return builder.otpMethod.localizedDescription(style: .approachDescription)
+                .nilIfEmpty
         }
         return nil
     }