Update AccountController, allow 2FA backup codes

Daniel Supernault 2018-12-27 21:34:51 -07:00
parent f7c1801ab8
commit 3a38c7386b
No known key found for this signature in database
GPG key ID: 0DEF1C662C9033F7


@ -339,6 +339,11 @@ class AccountController extends Controller
$request->session()->push('2fa.session.active', true);
return redirect('/');
} else {
if($this->twoFactorBackupCheck($request, $code, $user)) {
return redirect('/');
}
if($request->session()->has('2fa.attempts')) {
$count = (int) $request->session()->has('2fa.attempts');
$request->session()->push('2fa.attempts', $count + 1);
@ -350,4 +355,31 @@ class AccountController extends Controller
]);
}
}
protected function twoFactorBackupCheck($request, $code, User $user)
{
$backupCodes = $user->{'2fa_backup_codes'};
if($backupCodes) {
$codes = json_decode($backupCodes, true);
foreach ($codes as $c) {
if(hash_equals($c, $code)) {
// remove code
$codes = array_flatten(array_diff($codes, [$code]));
$user->{'2fa_backup_codes'} = json_encode($codes);
$user->save();
$request->session()->push('2fa.session.active', true);
return true;
} else {
return false;
}
}
} else {
return false;
}
}
public function accountRestored(Request $request)
{
//
}
}
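Review bot: In `twoFactorBackupCheck` the `else { return false; }` inside the `foreach` returns on the first stored code that does not match, so only the first backup code in the list can ever be accepted. Drop that inner `else` and put a single `return false;` after the loop, which also gives the empty-list case an explicit boolean instead of an implicit null. `json_decode` can yield null or non-string entries if the column is malformed, so an `is_array($codes)` check before the loop and an `is_string` check on `$c` and `$code` before `hash_equals` would keep a warning or TypeError off the login path. The direct comparison against the decoded values suggests the backup codes are stored in plaintext on the user row; hashing them at rest would limit what a database leak exposes. A failed backup attempt falls through to the `2fa.attempts` counter in the first hunk, which casts `has()` rather than the stored value and so probably never counts past 1; that is worth confirming, since it is the only throttle on guessing visible here.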