Added TOTP Key 2FA Function to client logins

add_login_modal.php

@@ -62,6 +62,16 @@
                 </div>
               </div>
 
+              <div class="form-group">
+                <label>TOTP Key <strong class="text-danger">*</strong></label>
+                <div class="input-group">
+                  <div class="input-group-prepend">
+                    <span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
+                  </div>
+                  <input type="text" class="form-control" name="otp_secret" placeholder="Leave Blank if not sure">
+                </div>
+              </div>
+
               <div class="form-group">
                 <label>URL/Host</label>
                 <div class="input-group">

blank.php

@@ -16,40 +16,6 @@
     Copy to clipboard
 </button>
 
-
-<?php
-  
-// Function to generate OTP
-function generateNumericOTP($n) {
-      
-    // Take a generator string which consist of
-    // all numeric digits
-    $generator = "1357902468";
-  
-    // Iterate for n-times and pick a single character
-    // from generator and append it to $result
-      
-    // Login for generating a random character from generator
-    //     ---generate a random number
-    //     ---take modulus of same with length of generator (say i)
-    //     ---append the character at place (i) from generator to result
-  
-    $result = "";
-  
-    for ($i = 1; $i <= $n; $i++) {
-        $result .= substr($generator, (rand()%(strlen($generator))), 1);
-    }
-  
-    // Return result
-    return $result;
-}
-  
-// Main program
-$n = 6;
-print_r(generateNumericOTP($n));
-  
-?>
-
 <?php 
 
 echo "$session_permission_companies";

client_logins.php

@@ -91,6 +91,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
             }
             $login_username = $row['login_username'];
             $login_password = $row['login_password'];
+            $login_otp_secret = $row['login_otp_secret'];
+            if(!empty($login_otp_secret)){
+              $otp = get_otp($login_otp_secret);
+              $otp = "<i class='far fa-clock text-secondary'></i> $otp<button class='btn btn-sm' data-clipboard-text='$otp'><i class='far fa-copy text-secondary'></i></button>";
+            }else{
+              $otp = "-";
+            }
             $login_note = $row['login_note'];
             $vendor_id = $row['vendor_id'];
             $asset_id = $row['asset_id'];
@@ -108,7 +115,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
             <td><?php echo $login_username; ?><button class="btn btn-sm" data-clipboard-text="<?php echo $login_username; ?>"><i class="far fa-copy text-secondary"></i></button></td>
             <td><?php echo $login_password; ?><button class="btn btn-sm" data-clipboard-text="<?php echo $login_password; ?>"><i class="far fa-copy text-secondary"></i></button></td>
             </td>
-            <td><?php echo "-"; ?></td>
+            <td><?php echo $otp; ?></td>
             <td>
               <div class="dropdown dropleft text-center">
                 <button class="btn btn-secondary btn-sm" type="button" data-toggle="dropdown">

db.sql

@@ -1,8 +1,8 @@
--- MariaDB dump 10.19  Distrib 10.5.11-MariaDB, for debian-linux-gnu (x86_64)
+-- MariaDB dump 10.19  Distrib 10.5.12-MariaDB, for debian-linux-gnu (x86_64)
 --
 -- Host: localhost    Database: pittpc_crm
 -- ------------------------------------------------------
--- Server version	10.5.11-MariaDB-1:10.5.11+maria~focal
+-- Server version	10.5.12-MariaDB-1:10.5.12+maria~focal
 
 /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
 /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
@@ -505,6 +505,7 @@ CREATE TABLE `logins` (
   `login_uri` varchar(200) DEFAULT NULL,
   `login_username` varchar(200) NOT NULL,
   `login_password` varbinary(200) DEFAULT NULL,
+  `login_otp_secret` varchar(200) DEFAULT NULL,
   `login_note` text DEFAULT NULL,
   `login_created_at` datetime NOT NULL,
   `login_updated_at` datetime DEFAULT NULL,
@@ -1010,4 +1011,4 @@ CREATE TABLE `vendors` (
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
--- Dump completed on 2021-08-11 16:39:45
+-- Dump completed on 2021-08-18 22:28:45

edit_login_modal.php

@@ -65,6 +65,16 @@
                 </div>
               </div>
 
+              <div class="form-group">
+                <label>TOTP Key <strong class="text-danger">*</strong></label>
+                <div class="input-group">
+                  <div class="input-group-prepend">
+                    <span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
+                  </div>
+                  <input type="text" class="form-control" name="otp_secret" value="<?php echo $login_otp_secret; ?>" placeholder="Leave Blank if not sure">
+                </div>
+              </div>
+
               <div class="form-group">
                 <label>URL/Host</label>
                 <div class="input-group">

functions.php

@@ -218,4 +218,40 @@ function get_currency_symbol($cc = 'USD')
     }
 }
 
+function get_otp($secret_seed) {
+    //TOTP seed (String representation)
+    $otp = '';
+    //number of seconds of otp period
+    $time_window = 30;
+
+    //time formating to epoch
+    $exact_time = microtime(true);
+    $rounded_time = floor($exact_time/$time_window);
+
+    //binary represetation of time without padding
+    $packed_time = pack("N", $rounded_time);
+
+    //binary representation of time with padding
+    $padded_packed_time = str_pad($packed_time,8, chr(0), STR_PAD_LEFT);
+
+    //binary representation of seed
+    $packed_secret_seed = pack("H*", $secret_seed);
+
+    //HMAC SHA1 hash (time + seed)
+    $hash = hash_hmac ('sha1', $padded_packed_time, $packed_secret_seed, true);
+
+    $offset = ord($hash[19]) & 0xf;
+    $otp = (
+            ((ord($hash[$offset+0]) & 0x7f) << 24 ) |
+            ((ord($hash[$offset+1]) & 0xff) << 16 ) |
+            ((ord($hash[$offset+2]) & 0xff) << 8 ) |
+            (ord($hash[$offset+3]) & 0xff)
+    ) % pow(10, 6); 
+
+    //adding pad to otp, in order to assure a "6" digits
+    $otp = str_pad($otp, 6, "0", STR_PAD_LEFT);
+
+    return $otp;
+}
+
 ?>

post.php

@@ -3323,12 +3323,13 @@ if(isset($_POST['add_login'])){
     $uri = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['uri'])));
     $username = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['username'])));
     $password = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['password'])));
+    $otp_secret = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['otp_secret'])));
     $note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note'])));
     $vendor_id = intval($_POST['vendor']);
     $asset_id = intval($_POST['asset']);
     $software_id = intval($_POST['software']);
 
-    mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_note = '$note', login_created_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id, client_id = $client_id, company_id = $session_company_id");
+    mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_otp_secret = '$otp_secret', login_note = '$note', login_created_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id, client_id = $client_id, company_id = $session_company_id");
 
     //Logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Created', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id");
@@ -3346,12 +3347,13 @@ if(isset($_POST['edit_login'])){
     $uri = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['uri'])));
     $username = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['username'])));
     $password = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['password'])));
+    $otp_secret = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['otp_secret'])));
     $note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note'])));
     $vendor_id = intval($_POST['vendor']);
     $asset_id = intval($_POST['asset']);
     $software_id = intval($_POST['software']);
 
-    mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id AND company_id = $session_company_id");
+    mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_otp_secret = '$otp_secret', login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id AND company_id = $session_company_id");
 
     //Logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Modified', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id");