diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php index 2090f599e..dd4af3eee 100644 --- a/app/Http/Controllers/AccountController.php +++ b/app/Http/Controllers/AccountController.php @@ -321,6 +321,12 @@ class AccountController extends Controller $request->session()->push('2fa.session.active', true); return redirect('/'); } else { + if($request->session()->has('2fa.attempts')) { + $count = (int) $request->session()->has('2fa.attempts'); + $request->session()->push('2fa.attempts', $count + 1); + } else { + $request->session()->push('2fa.attempts', 1); + } return redirect()->back()->withErrors([ 'code' => 'Invalid code' ]); diff --git a/app/Http/Middleware/TwoFactorAuth.php b/app/Http/Middleware/TwoFactorAuth.php index 9eb742e61..e5392281e 100644 --- a/app/Http/Middleware/TwoFactorAuth.php +++ b/app/Http/Middleware/TwoFactorAuth.php @@ -24,6 +24,9 @@ class TwoFactorAuth if($request->session()->has('2fa.session.active') !== true && !$request->is($checkpoint)) { return redirect('/i/auth/checkpoint'); + } elseif($request->session()->has('2fa.attempts') || (int) $request->session()->get('2fa.attempts') > 3) { + $request->session()->pull('2fa.attempts'); + Auth::logout(); } } }