More often than not, services provide the URI for TOTP and not the raw secret. While it's easy to manually extract the secret from the querystring, teach totp how to do that on behalf of the user. Manpage bits will follow. Discussed with heph.

no need to take an explicit length parameter when we can just advance the string until a NUL byte. base32 doesn't allow NUL bytes.