From 3a38c7386b48e2a24f476a74f810b41c67c86bed Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Thu, 27 Dec 2018 21:34:51 -0700
Subject: [PATCH] Update AccountController, allow 2FA backup codes

---
 app/Http/Controllers/AccountController.php | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index 87423c5aa..980dd4dcd 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -339,6 +339,11 @@ class AccountController extends Controller
 $request->session()->push('2fa.session.active', true);
 return redirect('/');
 } else {
+
+ if($this->twoFactorBackupCheck($request, $code, $user)) {
+ return redirect('/');
+ }
+
 if($request->session()->has('2fa.attempts')) {
 $count = (int) $request->session()->has('2fa.attempts');
 $request->session()->push('2fa.attempts', $count + 1);
@@ -350,4 +355,31 @@ class AccountController extends Controller
 ]);
 }
 }
+
+ protected function twoFactorBackupCheck($request, $code, User $user)
+ {
+ $backupCodes = $user->{'2fa_backup_codes'};
+ if($backupCodes) {
+ $codes = json_decode($backupCodes, true);
+ foreach ($codes as $c) {
+ if(hash_equals($c, $code)) {
+ // remove code
+ $codes = array_flatten(array_diff($codes, [$code]));
+ $user->{'2fa_backup_codes'} = json_encode($codes);
+ $user->save();
+ $request->session()->push('2fa.session.active', true);
+ return true;
+ } else {
+ return false;
+ }
+ }
+ } else {
+ return false;
+ }
+ }
+
+ public function accountRestored(Request $request)
+ {
+ //
+ }
 }
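Review bot: The `else { return false; }` inside the `foreach` of `twoFactorBackupCheck` returns on the first non-matching entry, so only the first stored backup code can ever succeed and every other code the user was issued is rejected. The method also falls off the end without a return when `$backupCodes` is truthy but `json_decode` yields nothing iterable (a null result additionally makes the `foreach` emit a warning), and `hash_equals` expects string operands, which the untyped `$code` and the decoded entries do not guarantee. Rewriting the loop to compare every entry, guarding the decoded list and the submitted value with `is_array`/`is_string`, and ending with a single `return false` addresses all three; `array_values` does the reindexing that the framework `array_flatten` helper is used for here. A `: bool` return type and type hints on `$request` and `$code` would document the contract the caller in the first hunk relies on.
```php
    protected function twoFactorBackupCheck($request, $code, User $user)
    {
        $codes = json_decode((string) $user->{'2fa_backup_codes'}, true);
        if (!is_array($codes) || !is_string($code)) {
            return false;
        }
        foreach ($codes as $c) {
            if (is_string($c) && hash_equals($c, $code)) {
                // consume the matched code so it cannot be reused
                $user->{'2fa_backup_codes'} = json_encode(array_values(array_diff($codes, [$code])));
                $user->save();
                $request->session()->push('2fa.session.active', true);
                return true;
            }
        }
        return false;
    }
```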