Add option to otp-cache to create custom aliases about nitrocli HOT 4 OPEN

Thanks for your quick replies! I'm very happy to see that you support this idea!

In my opinion the override approach is a good solution for the issue of too short slot names described in #179 (comment).

Nevertheless, I think ideally we would have both overrides and aliases as they solve different problems:

In my situation I would still want to be able to use the get command on both slot-names, so e.g. nitrocli otp-cache get aws and nitrocli otp-cache get arn:aws:iam::123456123456:mfa/testuser. The reason for this being that it would be very tedious to type out the whole override name and it is only needed for technical interoperability with aws-vault. In a list view I would therefore also prefer aws to the long slot name.

Still, I think it would make sense to start with the override function and eventually add the alias approach later on.

Regarding the implementation: I currently have little time and have never used rust before but I will give it a shot and see how far I get.

from nitrocli.

On second thought, there is another aspect to this question: I would like to see the alias in the output of nitrocli otp-cache list because I use that to open a dmenu that lets me choose the PWS slot. The term alias implies that I can have multiple aliases for the original name, and that the original name is valid too. So we would probably have to list only the original name, or the original name and all aliases.

I think it might be better to use a 1:1 relation between aliases and original names, clearly intended to provide a workaround for the short slot length (and not as a generic alias feature). In this case, we would only use the alias in the UI and would no longer accept the original name as a valid slot name. Maybe name override or name replacement would be a more appropriate term for this kind of feature, clearly indicating that the original name is replaced.

from nitrocli.

Thank you for bringing this up!

Do you think it would be possible/useful to have a feature for persistent aliases in nitrocli otp-cache?

Yes, I think so. I try to use the FQDN of a service as slot name, but even that isn’t possible for some longer domains. It always bugged me that I have to abbreviate the slot names, but I didn’t think of this elegant solution.

I don’t like storing the aliases in the cache file. It is semantically wrong, and it makes the update process more complicated. For example, if the name for slot 0 changes from aws to aws-testuser – should we keep the alias?

My suggestion would be to have an aliases section in the configuration file (.config/nitrocli-opt-cache/config.toml) instead.

[aliases.0xdeadbeef]
"arn:aws:iam::123456123456:mfa/testuser" = "aws"
"some.long.name.example.org" = "s.l.n.example.o"

We could also have a default section for all devices, but I think that might do more harm than good.

One open question is what we should do if for an alias foo = "bar" both foo and bar are valid slot names. My first thought would be to return an error.

from nitrocli.

Good to see someone else use extensions :-)

I agree with Robin's sentiment that a 1:1 relationship would be nice. So basically, we'd have:

In .config/nitrocli-opt-cache/config.toml:

[override.aws]
name = "arn:aws:iam::123456123456:mfa/testuser"

In .cache/nitrocli-otp-cache/<serial>.toml:

[[totp]]
name = "aws"
id = 0

[[totp]]
name = "github.com"
id = 1

Results in:

$ nitrocli otp-cache list
alg     slot    name
totp    0       arn:aws:iam::123456123456:mfa/testuser
totp    1       github.com

@trevor87 does this sound reasonable to you? Will you take a stab at the implementation?

from nitrocli.