browserpass: add support for totp, and auto-unlock the secrets store on first run

note that one needs to manually enable the TOTP setting in the
browserpass settings for this to work -- TOTP parsing is disabled by
default

pkgs/browserpass/default.nix

@@ -1,7 +1,9 @@
 { pkgs
 , bash
 , fetchFromGitea
+, gnused
 , lib
+, sane-scripts
 , sops
 , stdenv
 , substituteAll
@@ -13,7 +15,8 @@ let
     version = "0.1.0";
     src = ./.;
 
-    inherit bash sops;
+    inherit bash gnused sops;
+    sane_scripts = sane-scripts;
     installPhase = ''
       mkdir -p $out/bin
       substituteAll ${./sops-gpg-adapter} $out/bin/gpg

pkgs/browserpass/sops-gpg-adapter

@@ -7,8 +7,13 @@ then
   exit 0
 fi
 
+# ensure the secret store is unlocked
+@sane_scripts@/bin/sane-secrets-unlock
+
 # using exec here forwards our stdin
 # browserpass parses the response in
 # <browserpass-extension/src/background.js#parseFields>
 # it cares about `key:value`, and ignores whatever doesn't fit that (or has an unknown key)
-exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin
+# browserpass understands the `totp` field to hold either secret tokens, or full URLs.
+# i use totp-b32 for the base-32-encoded secrets. renaming that field works OOTB.
+exec @sops@/bin/sops --input-type yaml -d --output-type yaml --config /dev/null /dev/stdin | @gnused@/bin/sed s/\^totp-b32:/totp:/

pkgs/overlay.nix

@@ -37,7 +37,7 @@
 
   gocryptfs = prev.callPackage ./gocryptfs { pkgs = prev; };
 
-  browserpass = prev.callPackage ./browserpass { pkgs = prev; };
+  browserpass = prev.callPackage ./browserpass { pkgs = prev; inherit sane-scripts; };
 
   #### TEMPORARY: PACKAGES WAITING TO BE UPSTREAMED
   kaiteki = prev.callPackage ./kaiteki { };