Adjust RFC6283 getTokenCode to only show one token at a time.

Remove the tokens from client_logins.php and replace with a mouseover/hover to show mechanism using ajax.php

ajax.php

@@ -9,6 +9,7 @@
 include("config.php");
 include("functions.php");
 include("check_login.php");
+require_once("rfc6238.php");
 
 /*
  * Fetches SSL certificates from remote hosts & returns the relevant info (issuer, expiry, public key)
@@ -305,3 +306,13 @@ if(isset($_GET['scheduled_ticket_get_json_details'])){
   echo json_encode($response);
 
 }
+
+/*
+ * Dynamic TOTP for client login page
+ * When provided with a TOTP secret, returns a 6-digit code
+ */
+if(isset($_GET['get_totp_token'])){
+  $otp = TokenAuth6238::getTokenCode($_GET['totp_secret']);
+
+  echo json_encode($otp);
+}

client_logins.php

@@ -1,7 +1,5 @@
 <?php
 
-require_once("rfc6238.php");
-
 if(!empty($_GET['sb'])){
   $sb = mysqli_real_escape_string($mysqli,$_GET['sb']);
 }else{
@@ -84,11 +82,11 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
             }
             $login_password = htmlentities(decryptLoginEntry($row['login_password']));
             $login_otp_secret = $row['login_otp_secret'];
+            $login_id_with_secret = '"' . $row['login_id'] . '","' . $row['login_otp_secret'] . '"';
             if(empty($login_otp_secret)){
               $otp_display = "-";
             }else{
-              $otp = TokenAuth6238::getTokenCode($login_otp_secret,$rangein30s = 3);
+              $otp_display = "<span onmouseover='showOTP($login_id_with_secret)'><i class='far fa-clock'></i> <span id='otp_$login_id'><i>Hover..</i></span></span>";
-              $otp_display = "<i class='far fa-clock text-secondary'></i> $otp<button class='btn btn-sm clipboardjs' data-clipboard-text='$otp'><i class='far fa-copy text-secondary'></i></button>";
             }
             $login_note = $row['login_note'];
             $login_contact_id = $row['login_contact_id'];
@@ -141,6 +139,23 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
   </div>
 </div>
 
+<script>
+    function showOTP(id, secret){
+        //Send a GET request to ajax.php as ajax.php?get_totp_token=true&totp_secret=SECRET
+        jQuery.get(
+            "ajax.php",
+            {get_totp_token: 'true', totp_secret: secret},
+            function(data){
+                //If we get a response from post.php, parse it as JSON
+                const token = JSON.parse(data);
+
+                document.getElementById("otp_" + id).innerText = token
+
+            }
+        );
+    }
+</script>
+
 <?php
 include("client_login_add_modal.php");
 include("share_modal.php");

rfc6238.php

@@ -24,18 +24,17 @@
 			}
 			return false;
 		}
-    public static function getTokenCode($secretkey,$rangein30s = 3) {
+    public static function getTokenCode($secretkey) {
-                        $result = "";
+      $result = "";
 			$key = base32static::decode($secretkey);
 			$unixtimestamp = time()/30;
 
-			for($i=-($rangein30s); $i<=$rangein30s; $i++) {
+      $checktime = (int)($unixtimestamp);
-				$checktime = (int)($unixtimestamp+$i);
+      $thiskey = self::oath_hotp($key, $checktime);
-				$thiskey = self::oath_hotp($key, $checktime);
+      $result = $result . self::oath_truncate($thiskey,6);
-        $result = $result." # ".self::oath_truncate($thiskey,6);
-			}
 
-			return $result;
+      $result = "000000" . $result;
+			return substr($result, -6);
     }
     public static function getTokenCodeDebug($secretkey,$rangein30s = 3) {
       $result = "";