From 6a165591328847069f91d9d2c32c167d6d46a274 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Mon, 17 Feb 2020 23:16:44 -0700
Subject: [PATCH] Update DangerZone/Sudo middleware

---
 app/Http/Controllers/AccountController.php | 14 +++++++++++++-
 app/Http/Middleware/DangerZone.php | 6 ++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index 37ccbba3f..dac8078a6 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -270,7 +270,6 @@ class AccountController extends Controller
 return redirect()->back();
 }
-
 public function unblock(Request $request)
 {
 $this->validate($request, [
@@ -362,6 +361,13 @@ class AccountController extends Controller
 public function sudoMode(Request $request)
 {
+ if($request->session()->has('sudoModeAttempts') && $request->session()->get('sudoModeAttempts') >= 3) {
+ $request->session()->pull('2fa.session.active');
+ $request->session()->pull('redirectNext');
+ $request->session()->pull('sudoModeAttempts');
+ Auth::logout();
+ return redirect(route('login'));
+ }
 return view('auth.sudo');
 }
@@ -373,6 +379,12 @@ class AccountController extends Controller
 $user = Auth::user();
 $password = $request->input('password');
 $next = $request->session()->get('redirectNext', '/');
+ if($request->session()->has('sudoModeAttempts')) {
+ $count = (int) $request->session()->get('sudoModeAttempts');
+ $request->session()->put('sudoModeAttempts', $count + 1);
+ } else {
+ $request->session()->put('sudoModeAttempts', 1);
+ }
 if(password_verify($password, $user->password) === true) {
 $request->session()->put('sudoMode', time());
 return redirect($next);
diff --git a/app/Http/Middleware/DangerZone.php b/app/Http/Middleware/DangerZone.php
index d1a1b4afb..5a43d6e6b 100644
--- a/app/Http/Middleware/DangerZone.php
+++ b/app/Http/Middleware/DangerZone.php
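Review bot: The forced logout in `sudoMode()` only pulls three keys and then calls `Auth::logout()`, which leaves the rest of the session (including any earlier `sudoMode` timestamp) intact, so a re-login in the same session inherits that state. After `Auth::logout();` I would add `$request->session()->invalidate(); $request->session()->regenerateToken();` so the lockout actually discards the session rather than just the attempt counter. Note also that this threshold is `>= 3` while the companion check added to `DangerZone` uses `> 3`; pick one value so the two enforcement points agree.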
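Review bot: The counter added in `sudoModeVerify()` is incremented on every POST but is never cleared on success, so three legitimate re-authentications over the life of a session will lock the user out on the next visit to `sudoMode()`. Inside the success branch, next to `$request->session()->put('sudoMode', time());`, add `$request->session()->pull('sudoModeAttempts');`. The verify path also still reaches `password_verify()` regardless of the count; unless a route middleware guards this POST (not visible here), a check such as `if ($count >= 3) { return redirect(route('login')); }` belongs before the `password_verify()` call rather than only on the GET page. The rest of `sudoModeVerify()`, including the failure branch, lies outside this hunk.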
@@ -16,6 +16,12 @@ class DangerZone */ public function handle($request, Closure $next) { + if( $request->session()->get('sudoModeAttempts') > 3) { + $request->session()->pull('redirectNext'); + $request->session()->pull('sudoModeAttempts'); + Auth::logout(); + return redirect(route('login')); + } if(!Auth::check()) { return redirect(route('login')); }
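Review bot: The new guard in `DangerZone::handle()` uses `> 3` whereas `AccountController::sudoMode()` logs out at `>= 3`, so the middleware admits a session that the controller would already reject; `if ($request->session()->get('sudoModeAttempts', 0) >= 3) {` removes both the mismatch and the implicit null comparison. This branch also does not pull `2fa.session.active` as the controller does, and it runs before the `Auth::check()` test, so `Auth::logout()` is invoked even for an unauthenticated session; moving it after that check keeps the two lockout paths equivalent. The remainder of `handle()` continues past the end of this hunk.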