From ef3edc185dcae0d5c3185253431f005c8ad75420 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Thu, 25 Oct 2018 19:49:35 -0600
Subject: [PATCH] Update 2fa, logout user after two failed attempts

---
 app/Http/Controllers/AccountController.php | 6 ++++++
 app/Http/Middleware/TwoFactorAuth.php | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index 2090f599e..dd4af3eee 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -321,6 +321,12 @@ class AccountController extends Controller
 $request->session()->push('2fa.session.active', true);
 return redirect('/');
 } else {
+if($request->session()->has('2fa.attempts')) {
+$count = (int) $request->session()->has('2fa.attempts');
+$request->session()->push('2fa.attempts', $count + 1);
+} else {
+$request->session()->push('2fa.attempts', 1);
+}
 return redirect()->back()->withErrors([
 'code' => 'Invalid code'
 ]);
diff --git a/app/Http/Middleware/TwoFactorAuth.php b/app/Http/Middleware/TwoFactorAuth.php
index 9eb742e61..e5392281e 100644
--- a/app/Http/Middleware/TwoFactorAuth.php
+++ b/app/Http/Middleware/TwoFactorAuth.php
@@ -24,6 +24,9 @@ class TwoFactorAuth
 if($request->session()->has('2fa.session.active') !== true && !$request->is($checkpoint)) {
 return redirect('/i/auth/checkpoint');
+} elseif($request->session()->has('2fa.attempts') || (int) $request->session()->get('2fa.attempts') > 3) {
+$request->session()->pull('2fa.attempts');
+Auth::logout();
 }
 }
 }
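Review bot: The attempt counter never actually increments: `$count = (int) $request->session()->has('2fa.attempts');` casts a boolean, so `$count` is always 1, and `session()->push()` appends to an array stored under the key rather than writing a scalar, so `'2fa.attempts'` becomes an array and an `(int)` cast of it elsewhere yields 1 however many codes have failed. The whole new if/else collapses to one line using the scalar accessors: `$request->session()->put('2fa.attempts', (int) $request->session()->get('2fa.attempts', 0) + 1);`. The counter also lives only in the pending-login session, so it resets whenever that session is dropped; a lockout keyed on the user account, like the rate limit on the password login, would hold across sessions. The enclosing method starts before the hunk.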
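Review bot: The `||` in the new `elseif` makes the threshold dead code: once `'2fa.attempts'` exists, `has()` short-circuits the condition and the user is logged out on the first request after a single wrong code, while the commit subject says two attempts and the comparison says `> 3`. Use a single condition with a default and pick the threshold to match the subject, e.g. `} elseif ((int) $request->session()->get('2fa.attempts', 0) > 1) {`. After `Auth::logout()` nothing is returned, so the now-unauthenticated request continues down the pipeline; the branch should end with a redirect to the login page, and calling `$request->session()->invalidate()` there instead of only pulling the counter would also clear the stale `'2fa.session.active'` flag. The enclosing `handle` method starts before the hunk.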