From 7a32998b4c427344e68335d561260d16ea1d16bb Mon Sep 17 00:00:00 2001 From: Bubka <858858+Bubka@users.noreply.github.com> Date: Sat, 21 Nov 2020 21:46:31 +0100 Subject: [PATCH] Return only essentials attributes when a token is requested to back-end --- .../Controllers/TwoFAccountController.php | 29 ++++++++++++++----- app/TwoFAccount.php | 2 +- resources/js/components/TokenDisplayer.vue | 4 +-- routes/api.php | 2 +- 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/app/Http/Controllers/TwoFAccountController.php b/app/Http/Controllers/TwoFAccountController.php index 12610c81..de3b44ba 100644 --- a/app/Http/Controllers/TwoFAccountController.php +++ b/app/Http/Controllers/TwoFAccountController.php @@ -164,13 +164,16 @@ public function preview(Request $request) /** - * Generate a TOTP + * Generate an OTP token * * @param \Illuminate\Http\Request $request * @return \Illuminate\Http\Response */ - public function generateOTP(Request $request) + public function token(Request $request) { + // When the method is called during the process of creating/editing an HOTP account the + // sensitive data have to be returned, because of the hotpCounter increment + $shouldResponseWithSensitiveData = false; if( $request->id ) { @@ -182,14 +185,20 @@ public function generateOTP(Request $request) // The request data contain an uri $twofaccount = new TwoFAccount; $twofaccount->uri = $request->otp['uri']; + $shouldResponseWithSensitiveData = true; } else { // The request data should contain all otp parameter $twofaccount = new TwoFAccount; $twofaccount->populate($request->otp); + $shouldResponseWithSensitiveData = true; } + $response = [ + 'token' => $twofaccount->token, + ]; + if( $twofaccount->otpType === 'hotp' ) { // returned counter & uri will be updated 
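Review bot: The renamed `token()` method keeps a docblock that states only `@param Request` and `@return Response`, while the body now produces two different payloads — `token` alone for a stored account, and additionally `hotpCounter`/`uri` or `totpPeriod`/`totpTimestamp` otherwise — so the contract is invisible to API consumers. I would extend the docblock with a short description of the request (`id` of a stored account, or `otp` carrying a uri or a parameter set for an account not yet saved) and of which keys each case returns. The new inline comment also reads awkwardly; `// Sensitive data (uri, counter) are only echoed back while an HOTP account is being created or edited, because the counter increment must reach the form` says the same in one line. The method body continues past this hunk.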
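Review bot: `$shouldResponseWithSensitiveData` is set to `true` in both non-`id` branches, so it is exactly `! $request->id` and the two assignments inside the branches are redundant. Initializing it once as `$shouldResponseWithSensitiveData = ! $request->id;` removes the duplication and makes the invariant obvious: a request carrying an `id` never gets `uri`/`hotpCounter` back, so stored secrets are not echoed, and without an `id` the uri returned is only the caller's own input. The lines between this hunk and the previous one (presumably the branch selection on `otp['uri']`) are not visible, so any branch added there later would have to respect the same rule. The enclosing method starts and ends outside this hunk.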
@@ -199,13 +208,19 @@ public function generateOTP(Request $request) if( $request->id ) { $twofaccount->save(); } + + if( $shouldResponseWithSensitiveData ) { + $response['hotpCounter'] = $twofaccount->hotpCounter; + $response['uri'] = $twofaccount->uri; + } + } + else { + + $response['totpPeriod'] = $twofaccount->totpPeriod; + $response['totpTimestamp'] = $twofaccount->totpTimestamp; } - if( $request->id ) { - return response()->json($twofaccount, 200); - } - - return response()->json($twofaccount->makeVisible(['uri', 'secret', 'algorithm']), 200); + return response()->json($response, 200); } diff --git a/app/TwoFAccount.php b/app/TwoFAccount.php index d7962ad0..2b0922cd 100644 --- a/app/TwoFAccount.php +++ b/app/TwoFAccount.php @@ -49,7 +49,7 @@ class TwoFAccount extends Model implements Sortable * * @var array */ - protected $hidden = ['uri', 'secret', 'algorithm', 'created_at', 'updated_at']; + protected $hidden = ['token', 'uri', 'secret', 'algorithm', 'created_at', 'updated_at']; /** diff --git a/resources/js/components/TokenDisplayer.vue b/resources/js/components/TokenDisplayer.vue index 947cc261..361d7eef 100644 --- a/resources/js/components/TokenDisplayer.vue +++ b/resources/js/components/TokenDisplayer.vue @@ -125,7 +125,7 @@ this.dotToDotCounter = 0 - this.axios.post('/api/twofaccounts/otp', { id: this.id, otp: this.$props }).then(response => { + this.axios.post('/api/twofaccounts/token', { id: this.id, otp: this.$props }).then(response => { let spacePosition = Math.ceil(response.data.token.length / 2); @@ -188,7 +188,7 @@ getHOTP: function() { - this.axios.post('/api/twofaccounts/otp', { id: this.id, otp: this.$props }).then(response => { + this.axios.post('/api/twofaccounts/token', { id: this.id, otp: this.$props }).then(response => { let spacePosition = Math.ceil(response.data.token.length / 2); this.token = response.data.token.substr(0, spacePosition) + " " + response.data.token.substr(spacePosition) 
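Review bot: The new `else` branch reports `totpPeriod`/`totpTimestamp` for every account whose `otpType` is not `'hotp'`, not only for TOTP. If `populate()` and the uri setter only ever yield `totp` or `hotp` (not visible here) this is harmless, but an explicit `elseif( $twofaccount->otpType === 'totp' )` would stop an unexpected type from being presented to the front-end as a TOTP with a period and a timestamp, and a final `else` could reject the request instead of returning a half-built payload. I would also drop the stray blank line at the top of the `else` block. The method starts before this hunk.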
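Review bot: Adding `token` to `$hidden` only affects serialization, and `token` looks like a computed accessor (the controller reads `$twofaccount->token` on an unsaved model), so this line is a no-op unless `token` is also listed in `$appends`; if it was appended, every `index`/`show` response was computing and emitting a live OTP until now, which is worth checking. Either way the intent deserves a comment on the property, e.g. `// 'token' is a computed OTP and must never be serialized; it is only returned by TwoFAccountController@token`. The `$appends` declaration, if any, is outside this hunk.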
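Review bot: The request body `{ id: this.id, otp: this.$props }` sends every component prop even when `id` is set, although the controller then ignores `otp` (it branches on `$request->id` first); if the props of a stored account include its `uri` or `secret` — they are what the server consumes as `otp` when there is no `id`, so at least sometimes they do — that secret is re-transmitted on every token refresh for nothing. Build the payload per case instead: `const payload = this.id ? { id: this.id } : { otp: this.$props }` and post `payload`. The `getHOTP` call a few lines below has the same shape and should change the same way. Both callbacks start before and run past their hunks.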
diff --git a/routes/api.php b/routes/api.php index 1603c596..4b0b2f74 100644 --- a/routes/api.php +++ b/routes/api.php @@ -41,10 +41,10 @@ Route::post('twofaccounts/preview', 'TwoFAccountController@preview'); Route::get('twofaccounts/{twofaccount}/withSensitive', 'TwoFAccountController@showWithSensitive'); Route::get('twofaccounts/count', 'TwoFAccountController@count'); + Route::post('twofaccounts/token', 'TwoFAccountController@token'); Route::apiResource('twofaccounts', 'TwoFAccountController'); Route::patch('group/accounts', 'GroupController@associateAccounts'); Route::apiResource('groups', 'GroupController'); - Route::post('twofaccounts/otp', 'TwoFAccountController@generateOTP')->name('twofaccounts.generateOTP'); Route::post('qrcode/decode', 'QrCodeController@decode'); Route::get('qrcode/{twofaccount}', 'QrCodeController@show'); Route::post('icon/upload', 'IconController@upload');
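Review bot: The removed route carried `->name('twofaccounts.generateOTP')` while its replacement `twofaccounts/token` is unnamed, so any `route('twofaccounts.generateOTP')` left in tests, views or JS route helpers now fails at runtime with a missing-route exception rather than at diff time. Either grep for the old name or keep a name on the new line: `Route::post('twofaccounts/token', 'TwoFAccountController@token')->name('twofaccounts.token');`. The endpoint returns OTPs for stored accounts, so it must stay inside the same authenticated group as the surrounding routes; the group wrapper is not visible in this hunk.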