From 0bb7d24e07f6660bb82c9103b9243d60dad6c1de Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Wed, 15 Oct 2025 10:18:44 +0100
Subject: [PATCH] Allow importing TOTP credential info
---
 agent/post/credential.php | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/agent/post/credential.php b/agent/post/credential.php
index ce41fa56..a701d125 100644
--- a/agent/post/credential.php
+++ b/agent/post/credential.php
@@ -388,7 +388,7 @@ if (isset($_POST["import_credentials_csv"])) {
 //(Else)Check column count
 $f = fopen($file_name, "r");
 $f_columns = fgetcsv($f, 1000, ",");
- if (!$error & count($f_columns) != 5) {
+ if (!$error & count($f_columns) != 6) {
 $error = true;
 flash_alert("Bad column count.", 'error');
 }
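Review bot: The column-count check in the `@@ -388` hunk uses the bitwise `&`, which does not short-circuit, so `count($f_columns)` is evaluated even when `$error` is already set. `fgetcsv()` returns `false` for an empty or unreadable file, and `count(false)` raises a TypeError on PHP 8. The changed line would be safer as `if (!$error && (!is_array($f_columns) || count($f_columns) != 6)) {`. Only the header row is counted here; the data rows read by the import loop are not length-checked in the visible code. The enclosing `if (isset($_POST["import_credentials_csv"]))` block starts and ends outside the hunk.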
@@ -401,31 +401,40 @@ if (isset($_POST["import_credentials_csv"])) {
 $duplicate_count = 0;
 while(($column = fgetcsv($file, 1000, ",")) !== false){
 $duplicate_detect = 0;
+ // Name
 if (isset($column[0])) {
 $name = sanitizeInput($column[0]);
 if (mysqli_num_rows(mysqli_query($mysqli,"SELECT * FROM credentials WHERE credential_name = '$name' AND credential_client_id = $client_id")) > 0){
 $duplicate_detect = 1;
 }
 }
+ // Desc
 if (isset($column[1])) {
 $description = sanitizeInput($column[1]);
 }
+ // User
 if (isset($column[2])) {
 $username = sanitizeInput(encryptCredentialEntry($column[2]));
 }
+ // Pass
 if (isset($column[3])) {
 $password = sanitizeInput(encryptCredentialEntry($column[3]));
 }
+ // OTP
 if (isset($column[4])) {
- $uri = sanitizeInput($column[4]);
+ $totp = sanitizeInput($column[4]);
+ }
+ // URL
+ if (isset($column[4])) {
+ $uri = sanitizeInput($column[5]);
 }
 // Check if duplicate was detected
 if ($duplicate_detect == 0){
 //Add
- mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_username = '$username', credential_password = '$password', credential_client_id = $client_id");
+ mysqli_query($mysqli,"INSERT INTO credentials SET credential_name = '$name', credential_description = '$description', credential_uri = '$uri', credential_username = '$username', credential_password = '$password', credential_otp_secret = '$totp', credential_client_id = $client_id");
 $row_count = $row_count + 1;
- }else{
+ } else {
 $duplicate_count = $duplicate_count + 1;
 }
 }
@@ -453,7 +462,7 @@ if (isset($_GET['download_credentials_csv_template'])) {
 $f = fopen('php://memory', 'w');
 //set column headers
- $fields = array('Name', 'Description', 'Username', 'Password', 'URI');
+ $fields = array('Name', 'Description', 'Username', 'Password', 'TOTP', 'URI');
 fputcsv($f, $fields, $delimiter);
 //move back to beginning of file
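Review bot: The new `// URL` block in the `@@ -401` hunk tests `isset($column[4])` but reads `$column[5]`, so a five-field row hits an undefined index and has its fifth field (the URI in the old template layout) stored as `credential_otp_secret`. The guard should be `if (isset($column[5])) {`. Nothing in the loop body resets `$totp` or `$uri` per iteration, so a short row reuses the previous row's TOTP secret in the INSERT; clearing the per-row variables next to `$duplicate_detect = 0;`, or skipping rows where `count($column) != 6`, avoids that. The TOTP seed is also stored without `encryptCredentialEntry()`, unlike the username and password in the same loop. If `credential_otp_secret` is not deliberately kept in plaintext elsewhere in the application, it should get the same protection.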