From fda40055f8663aa3ad5c1f0d247a44f6b13c550a Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sun, 24 Apr 2022 13:48:27 +0100
Subject: [PATCH] Adjust RFC6283 getTokenCode to only show one token at a time.
 Remove the tokens from client_logins.php and replace with a mouseover/hover
 to show mechanism using ajax.php

---
 ajax.php          | 11 +++++++++++
 client_logins.php | 23 +++++++++++++++++++----
 rfc6238.php       | 19 +++++++++----------
 3 files changed, 39 insertions(+), 14 deletions(-)

diff --git a/ajax.php b/ajax.php
index d5e212c2..26a33637 100644
--- a/ajax.php
+++ b/ajax.php
@@ -9,6 +9,7 @@
 include("config.php");
 include("functions.php");
 include("check_login.php");
+require_once("rfc6238.php");
 
 /*
  * Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key)
@@ -304,4 +305,14 @@ if(isset($_GET['scheduled_ticket_get_json_details'])){
 
   echo json_encode($response);
 
+}
+
+/*
+ * Dynamic TOTP for client login page
+ * When provided with a TOTP secret, returns a 6-digit code
+ */
+if(isset($_GET['get_totp_token'])){
+  $otp = TokenAuth6238::getTokenCode($_GET['totp_secret']);
+
+  echo json_encode($otp);
 }
\ No newline at end of file
diff --git a/client_logins.php b/client_logins.php
index 74c7bd52..db90e544 100644
--- a/client_logins.php
+++ b/client_logins.php
@@ -1,7 +1,5 @@
 <?php
 
-require_once("rfc6238.php");
-
 if(!empty($_GET['sb'])){
   $sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
 }else{
@@ -84,11 +82,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
             }
             $login_password = htmlentities(decryptLoginEntry($row['login_password']));
             $login_otp_secret = $row['login_otp_secret'];
+            $login_id_with_secret = '"' . $row['login_id'] . '","' . $row['login_otp_secret'] . '"';
             if(empty($login_otp_secret)){
               $otp_display = "-";
             }else{
-              $otp = TokenAuth6238::getTokenCode($login_otp_secret,$rangein30s = 3);
-              $otp_display = "<i class='far fa-clock text-secondary'></i> $otp<button class='btn btn-sm clipboardjs' data-clipboard-text='$otp'><i class='far fa-copy text-secondary'></i></button>";
+              $otp_display = "<span onmouseover='showOTP($login_id_with_secret)'><i class='far fa-clock'></i> <span id='otp_$login_id'><i>Hover..</i></span></span>";
             }
             $login_note = $row['login_note'];
             $login_contact_id = $row['login_contact_id'];
@@ -141,6 +139,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
   </div>
 </div>
 
+<script>
+    function showOTP(id, secret){
+        //Send a GET request to ajax.php as ajax.php?get_totp_token=true&totp_secret=SECRET
+        jQuery.get(
+            "ajax.php",
+            {get_totp_token: 'true', totp_secret: secret},
+            function(data){
+                //If we get a response from post.php, parse it as JSON
+                const token = JSON.parse(data);
+
+                document.getElementById("otp_" + id).innerText = token
+
+            }
+        );
+    }
+</script>
+
 <?php
 include("client_login_add_modal.php");
 include("share_modal.php");
diff --git a/rfc6238.php b/rfc6238.php
index 25d868b2..e3c3ae6b 100644
--- a/rfc6238.php
+++ b/rfc6238.php
@@ -24,18 +24,17 @@
 			}
 			return false;
 		}
-    public static function getTokenCode($secretkey,$rangein30s = 3) {
-                        $result = "";
+    public static function getTokenCode($secretkey) {
+      $result = "";
 			$key = base32static::decode($secretkey);
 			$unixtimestamp = time()/30;
-			
-			for($i=-($rangein30s); $i<=$rangein30s; $i++) {
-				$checktime = (int)($unixtimestamp+$i);
-				$thiskey = self::oath_hotp($key, $checktime);
-        $result = $result." # ".self::oath_truncate($thiskey,6);
-			}
-			
-			return $result;
+
+      $checktime = (int)($unixtimestamp);
+      $thiskey = self::oath_hotp($key, $checktime);
+      $result = $result . self::oath_truncate($thiskey,6);
+
+      $result = "000000" . $result;
+			return substr($result, -6);
     }
     public static function getTokenCodeDebug($secretkey,$rangein30s = 3) {
       $result = "";