From e0f2fc1e1b1892b5e11746c34b6277c9ac4124c8 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Mon, 4 May 2026 15:48:40 -0400
Subject: [PATCH] Enforce Client Access Restriction on ajax call
 get_totp_token_via_id

---
 agent/ajax.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/agent/ajax.php b/agent/ajax.php
index 0055774b..b9f2ef0c 100644
--- a/agent/ajax.php
+++ b/agent/ajax.php
@@ -403,6 +403,8 @@ if (isset($_GET['get_totp_token_via_id'])) {
     $totp_secret = $sql['credential_otp_secret'];
     $client_id = intval($sql['credential_client_id']);
 
+    enforceClientAccess();
+
     $otp = TokenAuth6238::getTokenCode(strtoupper($totp_secret));
     echo json_encode($otp);