From f1528b9e95d703ecebf33ca57957b7cb7284e417 Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sun, 17 Mar 2024 19:32:49 +0000
Subject: [PATCH] Guest login sharing - OTP

Bugfix: Fix guests not being able to see the 2FA/TOTP token via the sharing link
https://forum.itflow.org/d/646-shared-login-with-otp
---
 guest_ajax.php      | 8 ++++++++
 guest_view_item.php | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/guest_ajax.php b/guest_ajax.php
index b80560d5..7bc84ff3 100644
--- a/guest_ajax.php
+++ b/guest_ajax.php
@@ -10,6 +10,8 @@ require_once "config.php";
 
 require_once "functions.php";
 
+require_once "rfc6238.php";
+
 
 /*
  * Creates & Returns a Stripe Payment Intent for a particular invoice ID
@@ -119,3 +121,9 @@ if (isset($_GET['stripe_create_pi'])) {
     }
 
 }
+
+if (isset($_GET['get_totp_token'])) {
+    $otp = TokenAuth6238::getTokenCode(strtoupper($_GET['totp_secret']));
+
+    echo json_encode($otp);
+}
diff --git a/guest_view_item.php b/guest_view_item.php
index 82e4150d..2352dc46 100644
--- a/guest_view_item.php
+++ b/guest_view_item.php
@@ -201,9 +201,9 @@ if ($item_type == "Document") {
 
     <script>
         function showOTP(id, secret) {
-            //Send a GET request to ajax.php as ajax.php?get_totp_token=true&totp_secret=SECRET
+            //Send a GET request to ajax.php as guest_ajax.php?get_totp_token=true&totp_secret=SECRET
             jQuery.get(
-                "ajax.php",
+                "guest_ajax.php",
                 {get_totp_token: 'true', totp_secret: secret},
                 function(data) {
                     //If we get a response from post.php, parse it as JSON