From d2124b92f14d08b0f7a9675a3144754e6923b84e Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 30 Jan 2023 18:55:30 +0000
Subject: [PATCH 1/5] Hide the username and password field (via CSS) when prompting for 2FA code
---
login.php | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/login.php b/login.php
index f31af0b9..20663e7d 100644
--- a/login.php
+++ b/login.php
@@ -235,23 +235,23 @@ if (isset($_POST['login'])) {
-
- > +
> + >
-
- +
> +
- +
From 61e100c98bbfdb0dccd07dbe7849a70f1b88bcb8 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 30 Jan 2023 19:11:13 +0000
Subject: [PATCH 2/5] Adjusted the 2FA QR code generator for easier setup/identification in the 2FA app
- Swap out username for full email
- Add the configured app name (default: ITFlow) to the start of the token identifier
---
rfc6238.php | 4 ++--
user_profile.php | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rfc6238.php b/rfc6238.php
index 0468bde3..a4a7c0e5 100644
--- a/rfc6238.php
+++ b/rfc6238.php
@@ -58,10 +58,10 @@ return $result;
 }
- public static function getBarCodeUrl($username, $domain, $secretkey, $issuer) {
+ public static function getBarCodeUrl($app_name, $email, $secretkey, $issuer) {
 $url = "http://chart.apis.google.com/chart";
 $url = $url."?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/";
- $url = $url.$username . "@" . $domain . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
+ $url = $url.$app_name . ": " . $email . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
 return $url;
 }
diff --git a/user_profile.php b/user_profile.php
index e8245fbb..7b9576be 100644
--- a/user_profile.php
+++ b/user_profile.php
@@ -111,7 +111,7 @@ $sql_recent_logs = mysqli_query($mysqli, "SELECT * FROM logs
 if (!empty($session_token)) {
 //Generate QR Code based off the generated key
- print sprintf('',TokenAuth6238::getBarCodeUrl($session_name,' ',$session_token,$_SERVER['SERVER_NAME']));
+ print sprintf('',TokenAuth6238::getBarCodeUrl($config_app_name, $session_email, $session_token, $_SERVER['SERVER_NAME']));
 echo "
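Review bot: Hiding the username and password inputs with CSS (as the subject states; the markup of this hunk is not legible on this page) leaves them in the form, so whatever is typed into them is still posted along with the 2FA code and still present in the DOM. The 2FA step should therefore take the pending identity from the session state created by the password step rather than re-reading the hidden fields from the POST, and marking the hidden inputs `disabled` would keep them out of the submission altogether. The `if (isset($_POST['login']))` block named in the hunk header starts before this hunk.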
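Review bot: The new `+ $url = $url.$app_name . ": " . $email ...` line splices the label into the `chl=` query value unencoded, so the space in `": "` and the `@` of the e-mail sit raw inside a URL that is itself the value of another URL's parameter, while the neighbouring `%3Fsecret%3D`/`%26issuer%3D` pieces are already encoded once for that outer layer. Encode the otpauth label as part of the inner URI and then the whole inner URI once more for `chl`, e.g. `$otpauth = 'otpauth://totp/' . rawurlencode($app_name . ':' . $email) . '?secret=' . rawurlencode($secretkey) . '&issuer=' . rawurlencode($issuer);` followed by `$url = 'http://chart.apis.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=' . rawurlencode($otpauth);`; the key-URI convention also expects the label prefix and the `issuer` parameter to agree, which favours passing `$app_name` for both rather than `$_SERVER['SERVER_NAME']`. Patch 3 encodes only `$email` once, leaving the colon, the space and `$app_name` raw, and patches 4 and 5 revert rather than fix; the restored `$username . "@" . $domain` line has the same gap because user_profile.php passes `' '` as `$domain`. Separately, the unchanged context lines still embed the raw TOTP seed in an http:// image URL fetched from chart.apis.google.com, so the enrolment secret leaves the server to a third party and in cleartext; rendering the QR locally would be a worthwhile follow-up outside this series.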

$session_token

";
 }
From f39098be0da7fc01a3ac25b09a057905e1b0951c Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 30 Jan 2023 19:18:37 +0000
Subject: [PATCH 3/5] URL encode the email
---
rfc6238.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rfc6238.php b/rfc6238.php
index a4a7c0e5..78b0e660 100644
--- a/rfc6238.php
+++ b/rfc6238.php
@@ -61,7 +61,7 @@ public static function getBarCodeUrl($app_name, $email, $secretkey, $issuer) {
 $url = "http://chart.apis.google.com/chart";
 $url = $url."?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/";
- $url = $url.$app_name . ": " . $email . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
+ $url = $url.$app_name . ": " . rawurlencode($email) . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
 return $url;
 }
From 6eaba3440b6bdebbc96b6752fd46313390874121 Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Mon, 30 Jan 2023 19:30:38 +0000
Subject: [PATCH 4/5] Revert "URL encode the email"
This reverts commit f39098be0da7fc01a3ac25b09a057905e1b0951c.
---
rfc6238.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rfc6238.php b/rfc6238.php
index 78b0e660..a4a7c0e5 100644
--- a/rfc6238.php
+++ b/rfc6238.php
@@ -61,7 +61,7 @@ public static function getBarCodeUrl($app_name, $email, $secretkey, $issuer) {
 $url = "http://chart.apis.google.com/chart";
 $url = $url."?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/";
- $url = $url.$app_name . ": " . rawurlencode($email) . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
+ $url = $url.$app_name . ": " . $email . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
 return $url;
 }
From a7e4c18fee2176b995e6137058eac176ee455deb Mon Sep 17 00:00:00 2001 
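Review bot: The `+ print sprintf('',TokenAuth6238::getBarCodeUrl($config_app_name, $session_email, ...))` line places the returned URL into the page with no escaping for the HTML attribute context, and the change swaps `$session_name` and a space for the configured app name and the user's e-mail, both values that can carry `&`, `"` or `<`; the format string is not legible on this page, so I am assuming it is an image `src` attribute. Wrapping the call, `htmlspecialchars(TokenAuth6238::getBarCodeUrl($config_app_name, $session_email, $session_token, $_SERVER['SERVER_NAME']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, keeps the markup intact whatever the profile values hold; the line restored by patch 5 has the same gap. It is also worth a comment that `$_SERVER['SERVER_NAME']` can mirror the request's Host header depending on web-server configuration, so the issuer shown in the authenticator app is not necessarily a value the application controls, e.g. `// NOTE: SERVER_NAME may follow the request Host header on some setups; prefer the configured app name as issuer`.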
From: Marcus Hill
Date: Mon, 30 Jan 2023 19:31:00 +0000
Subject: [PATCH 5/5] Revert "Adjusted the 2FA QR code generator for easier setup/identification in the 2FA app"
This reverts commit 61e100c98bbfdb0dccd07dbe7849a70f1b88bcb8.
---
rfc6238.php | 4 ++--
user_profile.php | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rfc6238.php b/rfc6238.php
index a4a7c0e5..0468bde3 100644
--- a/rfc6238.php
+++ b/rfc6238.php
@@ -58,10 +58,10 @@ return $result;
 }
- public static function getBarCodeUrl($app_name, $email, $secretkey, $issuer) {
+ public static function getBarCodeUrl($username, $domain, $secretkey, $issuer) {
 $url = "http://chart.apis.google.com/chart";
 $url = $url."?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/";
- $url = $url.$app_name . ": " . $email . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
+ $url = $url.$username . "@" . $domain . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
 return $url;
 }
diff --git a/user_profile.php b/user_profile.php
index 7b9576be..e8245fbb 100644
--- a/user_profile.php
+++ b/user_profile.php
@@ -111,7 +111,7 @@ $sql_recent_logs = mysqli_query($mysqli, "SELECT * FROM logs
 if (!empty($session_token)) {
 //Generate QR Code based off the generated key
- print sprintf('',TokenAuth6238::getBarCodeUrl($config_app_name, $session_email, $session_token, $_SERVER['SERVER_NAME']));
+ print sprintf('',TokenAuth6238::getBarCodeUrl($session_name,' ',$session_token,$_SERVER['SERVER_NAME']));
 echo "

$session_token

"; }