From cdcd22ae6fb189749654ff05f080352d11eace71 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Wed, 18 Aug 2021 22:29:22 -0400
Subject: [PATCH] Added TOTP Key 2FA Function to client logins
---
 add_login_modal.php | 10 ++++++++++
 blank.php | 34 ----------------------------------
 client_logins.php | 9 ++++++++-
 db.sql | 7 ++++---
 edit_login_modal.php | 10 ++++++++++
 functions.php | 36 ++++++++++++++++++++++++++++++++++++
 post.php | 6 ++++--
 7 files changed, 72 insertions(+), 40 deletions(-)
diff --git a/add_login_modal.php b/add_login_modal.php
index d7c25982..47884765 100644
--- a/add_login_modal.php
+++ b/add_login_modal.php
@@ -62,6 +62,16 @@
+
+ +
+
+ +
+ +
+
+
+
diff --git a/blank.php b/blank.php
index b77d8502..bd06687b 100644
--- a/blank.php
+++ b/blank.php
@@ -16,40 +16,6 @@ Copy to clipboard - - - $otp"; + }else{ + $otp = "-"; + } $login_note = $row['login_note']; $vendor_id = $row['vendor_id']; $asset_id = $row['asset_id'];
@@ -108,7 +115,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()")); - +
+
+ +
+
+ +
+ +
+
+
+
diff --git a/functions.php b/functions.php
index 183169a2..940f50a0 100644
--- a/functions.php
+++ b/functions.php
@@ -218,4 +218,40 @@ function get_currency_symbol($cc = 'USD') } }
+function get_otp($secret_seed) {
+ //TOTP seed (String representation)
+ $otp = '';
+ //number of seconds of otp period
+ $time_window = 30;
+
+ //time formating to epoch
+ $exact_time = microtime(true);
+ $rounded_time = floor($exact_time/$time_window);
+
+ //binary represetation of time without padding
+ $packed_time = pack("N", $rounded_time);
+
+ //binary representation of time with padding
+ $padded_packed_time = str_pad($packed_time,8, chr(0), STR_PAD_LEFT);
+
+ //binary representation of seed
+ $packed_secret_seed = pack("H*", $secret_seed);
+
+ //HMAC SHA1 hash (time + seed)
+ $hash = hash_hmac ('sha1', $padded_packed_time, $packed_secret_seed, true);
+
+ $offset = ord($hash[19]) & 0xf;
+ $otp = (
+ ((ord($hash[$offset+0]) & 0x7f) << 24 ) |
+ ((ord($hash[$offset+1]) & 0xff) << 16 ) |
+ ((ord($hash[$offset+2]) & 0xff) << 8 ) |
+ (ord($hash[$offset+3]) & 0xff)
+ ) % pow(10, 6);
+
+ //adding pad to otp, in order to assure a "6" digits
+ $otp = str_pad($otp, 6, "0", STR_PAD_LEFT);
+
+ return $otp;
+}
+
 ?>
\ No newline at end of file
diff --git a/post.php b/post.php
index b2a37956..c9695cd3 100644
--- a/post.php
+++ b/post.php
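Review bot: get_otp decodes the stored seed with `pack("H*", $secret_seed)`, i.e. as a hex string, but nothing checks that the input actually is hex: a seed in any other form (for example the Base32 string most authenticator enrolments hand out) makes pack() emit a warning and still yields a well-formed six-digit code that is simply wrong, which a user cannot tell apart from a correct one. Which format the add/edit forms collect is not visible in this patch, so either document the contract, `/** @param string $secret_seed Hex-encoded TOTP seed (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) */`, and reject anything else before hashing, `if ($secret_seed === '' || !ctype_xdigit($secret_seed)) { return ''; }` (or throw, if the caller can handle it), or decode Base32 here explicitly. Smaller points: the signature is untyped, `function get_otp(string $secret_seed): string`, the initial `$otp = '';` is dead because it is unconditionally overwritten later, and `$rounded_time` is a float from floor() that is then handed to pack("N") - `$rounded_time = (int) floor($exact_time / $time_window);` makes the intent explicit.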
@@ -3323,12 +3323,13 @@ if(isset($_POST['add_login'])){
 $uri = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['uri'])));
 $username = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['username'])));
 $password = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['password'])));
+ $otp_secret = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['otp_secret'])));
 $note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note'])));
 $vendor_id = intval($_POST['vendor']);
 $asset_id = intval($_POST['asset']);
 $software_id = intval($_POST['software']);
- mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_note = '$note', login_created_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id, client_id = $client_id, company_id = $session_company_id");
+ mysqli_query($mysqli,"INSERT INTO logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_otp_secret = '$otp_secret', login_note = '$note', login_created_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id, client_id = $client_id, company_id = $session_company_id");
 //Logging
 mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Created', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id");
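Review bot: the new INSERT writes `login_otp_secret = '$otp_secret'` in clear text on the same line where `login_password` is wrapped in `AES_ENCRYPT('$password','$config_aes_key')`; a TOTP seed is at least as sensitive as the password, since anyone who reads it can generate valid codes for as long as the seed is in use, so it needs the same at-rest protection. Store it as `login_otp_secret = AES_ENCRYPT('$otp_secret','$config_aes_key')` and read it back with `AES_DECRYPT(login_otp_secret,'$config_aes_key')` wherever it is handed to get_otp() (the read side is not in this hunk, and the column added in db.sql, also not visible here, must be able to hold the ciphertext). The UPDATE in the edit_login hunk below has the same omission. The enclosing `if(isset($_POST['add_login']))` block begins before this hunk and continues after it.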
@@ -3346,12 +3347,13 @@ if(isset($_POST['edit_login'])){
 $uri = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['uri'])));
 $username = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['username'])));
 $password = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['password'])));
+ $otp_secret = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['otp_secret'])));
 $note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['note'])));
 $vendor_id = intval($_POST['vendor']);
 $asset_id = intval($_POST['asset']);
 $software_id = intval($_POST['software']);
- mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id AND company_id = $session_company_id");
+ mysqli_query($mysqli,"UPDATE logins SET login_name = '$name', login_uri = '$uri', login_username = '$username', login_password = AES_ENCRYPT('$password','$config_aes_key'), login_otp_secret = '$otp_secret', login_note = '$note', login_updated_at = NOW(), vendor_id = $vendor_id, asset_id = $asset_id, software_id = $software_id WHERE login_id = $login_id AND company_id = $session_company_id");
 //Logging
 mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Modified', log_description = '$name', log_created_at = NOW(), company_id = $session_company_id, user_id = $session_user_id");