Adjust RFC6283 getTokenCode to only show one token at a time.

Remove the tokens from client_logins.php and replace with a mouseover/hover to show mechanism using ajax.php
2022-04-24 13:48:27 +01:00 · 2022-04-24 13:48:27 +01:00 · fda40055f8
parent dcd772c5f6
commit fda40055f8
3 changed files with 39 additions and 14 deletions
--- a/ajax.php
+++ b/ajax.php
@ -9,6 +9,7 @@
 include("config.php");
 include("functions.php");
 include("check_login.php");
+require_once("rfc6238.php");

 /*
 * Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key)
@ -304,4 +305,14 @@ if(isset($_GET['scheduled_ticket_get_json_details'])){

  echo json_encode($response);

+}
+
+/*
+ * Dynamic TOTP for client login page
+ * When provided with a TOTP secret, returns a 6-digit code
+ */
+if(isset($_GET['get_totp_token'])){
+  $otp = TokenAuth6238::getTokenCode($_GET['totp_secret']);
+
+  echo json_encode($otp);
 }
--- a/client_logins.php
+++ b/client_logins.php
@ -1,7 +1,5 @@
 <?php

-require_once("rfc6238.php");
-
 if(!empty($_GET['sb'])){
  $sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
 }else{
@ -84,11 +82,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
            }
            $login_password = htmlentities(decryptLoginEntry($row['login_password']));
            $login_otp_secret = $row['login_otp_secret'];
+            $login_id_with_secret = '"' . $row['login_id'] . '","' . $row['login_otp_secret'] . '"';
            if(empty($login_otp_secret)){
              $otp_display = "-";
            }else{
-              $otp = TokenAuth6238::getTokenCode($login_otp_secret,$rangein30s = 3);
-              $otp_display = "<i class='far fa-clock text-secondary'></i> $otp<button class='btn btn-sm clipboardjs' data-clipboard-text='$otp'><i class='far fa-copy text-secondary'></i></button>";
+              $otp_display = "<span onmouseover='showOTP($login_id_with_secret)'><i class='far fa-clock'></i> <span id='otp_$login_id'><i>Hover..</i></span></span>";
            }
            $login_note = $row['login_note'];
            $login_contact_id = $row['login_contact_id'];
@ -141,6 +139,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
  </div>
 </div>

+<script>
+    function showOTP(id, secret){
+        //Send a GET request to ajax.php as ajax.php?get_totp_token=true&totp_secret=SECRET
+        jQuery.get(
+            "ajax.php",
+            {get_totp_token: 'true', totp_secret: secret},
+            function(data){
+                //If we get a response from post.php, parse it as JSON
+                const token = JSON.parse(data);
+
+                document.getElementById("otp_" + id).innerText = token
+
+            }
+        );
+    }
+</script>
+
 <?php
 include("client_login_add_modal.php");
 include("share_modal.php");
--- a/rfc6238.php
+++ b/rfc6238.php
@ -24,18 +24,17 @@
 			}
 			return false;
 		}
-    public static function getTokenCode($secretkey,$rangein30s = 3) {
-                        $result = "";
+    public static function getTokenCode($secretkey) {
+      $result = "";
 			$key = base32static::decode($secretkey);
 			$unixtimestamp = time()/30;
-			
-			for($i=-($rangein30s); $i<=$rangein30s; $i++) {
-				$checktime = (int)($unixtimestamp+$i);
-				$thiskey = self::oath_hotp($key, $checktime);
-        $result = $result." # ".self::oath_truncate($thiskey,6);
-			}
-			
-			return $result;
+
+      $checktime = (int)($unixtimestamp);
+      $thiskey = self::oath_hotp($key, $checktime);
+      $result = $result . self::oath_truncate($thiskey,6);
+
+      $result = "000000" . $result;
+			return substr($result, -6);
    }
    public static function getTokenCodeDebug($secretkey,$rangein30s = 3) {
      $result = "";