From d1eeba67fc1f14012e8ccf15a42ac700b7ef40a8 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Sat, 7 Feb 2026 18:42:53 -0500
Subject: [PATCH] Add bulk Fav / unfav creds and added fav creds to the client
 overview page

---
 agent/client_overview.php | 76 +++++++++++++++++++++++++++++++++++++++
 agent/credentials.php     | 11 ++++++
 agent/post/credential.php | 72 +++++++++++++++++++++++++++++++++++++
 3 files changed, 159 insertions(+)

diff --git a/agent/client_overview.php b/agent/client_overview.php
index 1851ebeb..ed1bfa64 100644
--- a/agent/client_overview.php
+++ b/agent/client_overview.php
@@ -32,6 +32,15 @@ $sql_favorite_assets = mysqli_query(
     ORDER BY asset_type ASC, asset_name ASC"
 );
 
+$sql_favorite_credentials = mysqli_query(
+    $mysqli,
+    "SELECT * FROM credentials
+    WHERE credential_client_id = $client_id
+        AND credential_favorite = 1
+        AND credential_archived_at IS NULL
+        ORDER BY credential_name ASC"
+);
+
 $sql_recent_tickets = mysqli_query(
     $mysqli,
     "SELECT * FROM tickets
@@ -338,6 +347,70 @@ $sql_asset_retired = mysqli_query(
 
     <?php } ?>
 
+    <?php if (mysqli_num_rows($sql_favorite_credentials) > 0) { ?>
+
+    <div class="col-md-4">
+
+        <div class="card card-dark mb-3">
+            <div class="card-header">
+                <h5 class="card-title"><i class="fas fa-fw fa-star mr-2"></i>Favorite Credentials</h5>
+            </div>
+            <div class="card-body p-2">
+                <table class="table table-borderless table-sm">
+                    <?php
+
+                    while ($row = mysqli_fetch_assoc($sql_favorite_credentials)) {
+                        $credential_id = intval($row['credential_id']);
+                        $credential_name = nullable_htmlentities($row['credential_name']);
+                        $credential_description = nullable_htmlentities($row['credential_description']);
+                        $credential_uri = sanitize_url($row['credential_uri']);
+                        if (empty($credential_uri)) {
+                            $credential_uri_display = "-";
+                        } else {
+                            $credential_uri_display = "<a href='$credential_uri'>" . truncate($credential_uri,40) . "</a><button class='btn btn-sm clipboardjs' type='button' title='$credential_uri' data-clipboard-text='$credential_uri'><i class='far fa-copy text-secondary'></i></button>";
+                        }
+                        $credential_uri_2 = sanitize_url($row['credential_uri_2']);
+                        $credential_username = nullable_htmlentities(decryptCredentialEntry($row['credential_username']));
+                        if (empty($credential_username)) {
+                            $credential_username_display = "-";
+                        } else {
+                            $credential_username_display = "$credential_username<button class='btn btn-sm clipboardjs' type='button' data-clipboard-text='$credential_username'><i class='far fa-copy text-secondary'></i></button>";
+                        }
+                        $credential_password = nullable_htmlentities(decryptCredentialEntry($row['credential_password']));
+                        $credential_otp_secret = nullable_htmlentities($row['credential_otp_secret']);
+                        $credential_id_with_secret = '"' . $row['credential_id'] . '","' . $row['credential_otp_secret'] . '"';
+                        if (empty($credential_otp_secret)) {
+                            $otp_display = "-";
+                        } else {
+                            $otp_display = "<span onmouseenter='showOTPViaCredentialID($credential_id)'><i class='far fa-clock'></i> <span id='otp_$credential_id'><i>Hover..</i></span></span>";
+                        }
+
+                        ?>
+                        <tr>
+                            <td>
+                                <a href="#" class="ajax-modal"
+                                    data-modal-url="modals/credential/credential_edit.php?id=<?= $credential_id ?>">
+                                        <i class="fas fa-fw fa-key text-muted mr-2"></i><?= $credential_name ?>
+                                </a>
+                            </td>
+                            <td><?= $credential_username_display ?></td>
+                            <td class="text-nowrap">
+                                <button class="btn p-0" type="button" data-toggle="popover" data-trigger="focus" data-placement="top" data-content="<?php echo $credential_password; ?>"><i class="fas fa-2x fa-ellipsis-h text-secondary"></i><i class="fas fa-2x fa-ellipsis-h text-secondary"></i></button><button class="btn btn-sm clipboardjs" type="button" data-clipboard-text="<?php echo $credential_password; ?>"><i class="far fa-copy text-secondary"></i></button>
+                            </td>
+                            <td><?= $otp_display ?></td>
+                        </tr>
+                        <?php
+                    }
+                    ?>
+
+                </table>
+            </div>
+        </div>
+
+    </div>
+
+    <?php } ?>
+
     <?php if (mysqli_num_rows($sql_shared_items) > 0) { ?>
 
         <div class="col-md-4">
@@ -731,6 +804,9 @@ $sql_asset_retired = mysqli_query(
 
 </div>
 
+<!-- Include script to get TOTP code via the login ID -->
+<script src="js/credential_show_otp_via_id.js"></script>
+
 <script>
     function updateClientNotes(client_id) {
         var notes = document.getElementById("clientNotes").value;
diff --git a/agent/credentials.php b/agent/credentials.php
index 3c726835..4e65f9c8 100644
--- a/agent/credentials.php
+++ b/agent/credentials.php
@@ -232,7 +232,17 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                 <i class="fas fa-fw fa-layer-group mr-2"></i>Bulk Action (<span id="selectedCount">0</span>)
                             </button>
                             <div class="dropdown-menu">
+                                <button class="dropdown-item"
+                                    type="submit" form="bulkActions" name="bulk_favorite_credentials">
+                                    <i class="fas fa-fw fa-star text-warning mr-2"></i>Favorite
+                                </button>
+                                <div class="dropdown-divider"></div>
+                                <button class="dropdown-item"
+                                    type="submit" form="bulkActions" name="bulk_unfavorite_credentials">
+                                    <i class="far fa-fw fa-star mr-2"></i>Unfavorite
+                                </button>
                                 <?php if ($archived) { ?>
+                                <div class="dropdown-divider"></div>
                                 <button class="dropdown-item text-info"
                                     type="submit" form="bulkActions" name="bulk_unarchive_credentials">
                                     <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
@@ -243,6 +253,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                     <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                 </button>
                                 <?php } else { ?>
+                                <div class="dropdown-divider"></div>
                                 <a class="dropdown-item ajax-modal" href="#"
                                     data-modal-url="modals/credential/credential_bulk_assign_tags.php"
                                     data-bulk="true">
diff --git a/agent/post/credential.php b/agent/post/credential.php
index 4c326e36..b69595b1 100644
--- a/agent/post/credential.php
+++ b/agent/post/credential.php
@@ -187,6 +187,78 @@ if (isset($_POST['bulk_assign_credential_tags'])) {
 
 }
 
+if (isset($_POST['bulk_favorite_credentials'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_support', 2);
+
+    if (isset($_POST['credential_ids'])) {
+
+        $count = count($_POST['credential_ids']);
+
+        foreach ($_POST['credential_ids'] as $credential_id) {
+
+            $credential_id = intval($credential_id);
+
+            // Get Asset Name and Client ID for logging and alert message
+            $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
+            $row = mysqli_fetch_assoc($sql);
+            $credential_name = sanitizeInput($row['credential_name']);
+            $client_id = intval($row['credential_client_id']);
+
+            mysqli_query($mysqli,"UPDATE credentials SET credential_favorite = 1 WHERE credential_id = $credential_id");
+
+            logAction("Credential", "Edit", "$session_name marked credential $credential_name a favorite", $client_id, $credential_id);
+
+        }
+
+        logAction("Credential", "Bulk Edit", "$session_name favorited $count credentials", $client_id);
+
+        flash_alert("Favorited <strong>$count</strong> credential(s)");
+
+    }
+
+    redirect();
+
+}
+
+if (isset($_POST['bulk_unfavorite_credentials'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    enforceUserPermission('module_support', 2);
+
+    if (isset($_POST['credential_ids'])) {
+
+        $count = count($_POST['credential_ids']);
+
+        foreach ($_POST['credential_ids'] as $credential_id) {
+
+            $credential_id = intval($credential_id);
+
+            // Get Asset Name and Client ID for logging and alert message
+            $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
+            $row = mysqli_fetch_assoc($sql);
+            $credential_name = sanitizeInput($row['credential_name']);
+            $client_id = intval($row['credential_client_id']);
+
+            mysqli_query($mysqli,"UPDATE credentials SET credential_favorite = 0 WHERE credential_id = $credential_id");
+
+            logAction("Credential", "Edit", "$session_name unfavorited credential $credential_name", $client_id, $credential_id);
+
+        }
+
+        logAction("Crednetial", "Bulk Edit", "$session_name unfavorited $count credentials", $client_id);
+
+        flash_alert("Unfavorited <strong>$count</strong> credential(s)");
+
+    }
+
+    redirect();
+
+}
+
 if (isset($_POST['bulk_archive_credentials'])) {
 
     validateCSRFToken($_POST['csrf_token']);