cli: ask for passphrase when removing or renaming label

Even though rename does not read the encrypted secret, as long as the
private key is in use, it should ask for passphrase.

The remove operation allow only the one that know the private key can
modify the issuer.

2 files changed, 16 insertions, 0 deletions

diff --git a/cli.go b/cli.go
index e3b6d77..34127ca 100644
--- a/cli.go
+++ b/cli.go
@@ -205,6 +205,11 @@ func (cli *Cli) Remove(label string) (err error) {
 		return fmt.Errorf(`%s: %q not exist`, logp, label)
 	}
 
+	err = cli.cfg.loadPrivateKey()
+	if err != nil {
+		return fmt.Errorf(`%s: %w`, logp, err)
+	}
+
 	delete(cli.cfg.Issuers, label)
 
 	err = cli.cfg.save()
@@ -285,6 +290,11 @@ func (cli *Cli) Rename(label, newLabel string) (err error) {
 		ok       bool
 	)
 
+	err = cli.cfg.loadPrivateKey()
+	if err != nil {
+		return fmt.Errorf(`%s: %w`, logp, err)
+	}
+
 	label = strings.TrimSpace(label)
 	label = strings.ToLower(label)
 	rawValue, ok = cli.cfg.Issuers[label]
diff --git a/cli_test.go b/cli_test.go
index 9b24196..2c57d58 100644
--- a/cli_test.go
+++ b/cli_test.go
@@ -415,6 +415,9 @@ func testGetWithPassphrase(t *testing.T, tdata *test.Data, cli *Cli) {
 }
 
 func testRemoveWithPassphrase(t *testing.T, tdata *test.Data, cli *Cli) {
+	var pass = string(tdata.Input[`gotp.pass`]) + "\r\n"
+	mockTermrw.BufRead.WriteString(pass)
+
 	var err = cli.Remove(`test-sha512`)
 	if err != nil {
 		t.Fatal(err)
@@ -427,6 +430,9 @@ func testRemoveWithPassphrase(t *testing.T, tdata *test.Data, cli *Cli) {
 
 // The Rename method does not require private key.
 func testRenameWithPassphrase(t *testing.T, tdata *test.Data, cli *Cli) {
+	var pass = string(tdata.Input[`gotp.pass`]) + "\r\n"
+	mockTermrw.BufRead.WriteString(pass)
+
 	var err = cli.Rename(`test-sha1`, `renamed-sha1`)
 	if err != nil {
 		t.Fatal(err)