Follow-up from the token problem found at T244308: PHP Notice: Undefined offset: 8 from TOTPKey.php.
I did a bit of analysis and came up with https://gerrit.wikimedia.org/r/c/mediawiki/extensions/OATHAuth/+/582945.
Please review and/or adjust accordingly so that similar bugs can be avoided in the future, and so that we have a better understanding of what this is meant to do.