opnsense
hide otp
#7911 hide the OTP seed after it has been generated. Tested in a vm. Not a big deal if this gets swept up in migration for #7904. I'd be happy to help chip away on that
Wouldn't it be easier to move the OTP seed to the QR code unhide button by clustering the sections together?
I tried to move the OTP seed into the otp_qrcode div
https://github.com/opnsense/core/blob/b49b935bb9f80e34358f13dc380e63e0a54eff27/src/www/system_usermanager.php#L933-L945
like so
<tr>
<td><a id="help_for_otp_code" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('OTP QR code') ?></td>
<td>
<label class="btn btn-primary" id="otp_unhide"><?= gettext('Click to unhide') ?></label>
<div style="display:none;" id="otp_qrcode">
<td rowspan="3"><a id="help_for_otp_seed" href="#" class="showhelp" style="display;none;"><i class="fa fa-info-circle"></i></a> <?= gettext('OTP seed') ?></td>
<td>
<input id="otp_seed" name="otp_seed" value="<?=$pconfig['otp_seed'];?>"/>
<small ><?= gettext('Generate new secret (160 bit)') ?></small>
<div class="hidden" data-for="help_for_otp_seed"><?=gettext("OTP (base32) seed to use when a one time password authenticator is used");?><br/></div>
</td>
</div>
<script>
$('#otp_qrcode').qrcode('<?= $otp_url ?>');
</script>
<div class="hidden" data-for="help_for_otp_code">
<?= gettext('Scan this QR code for easy setup with external apps.') ?>
</div>
</td>
</tr>
but i guess when $('#otp_qrcode').qrcode() creates the QR code image and inserts a canvas into the same otp_qrcode div all of the OTP seed nodes get moved outside the div.
There is another problem. When a new user is created the OTP field is gone entirely from the form and can no longer be generated. The only way I see around this is to allow generating an OTP seed at user creation, but then the field would only appear IFF the user has an OTP seed at creation.
I think we can close this PR, our new usermanager (https://github.com/opnsense/core/pull/8046) hides the seed by default:
