From 2f7aff3a44a85f36acbd94fa0b2eb2a8c735d845 Mon Sep 17 00:00:00 2001
From: Steven Nguyen <1477010+stnguyen90@users.noreply.github.com>
Date: Tue, 16 Apr 2024 23:44:46 -0700
Subject: [PATCH] fix(auth): fix challenge type check

The factor parameter is case insensitive so we need to make sure comparing the parameter to the constant is case insensitive too.
---
 app/controllers/api/account.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 360babbb1..b85d947c3 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -4069,7 +4069,7 @@ App::put('/v1/account/mfa/challenge')
 $recoveryCodeChallenge = function (Document $challenge, Document $user, string $otp) use ($dbForProject) {
 if (
 $challenge->isSet('type') &&
- $challenge->getAttribute('type') === Type::RECOVERY_CODE
+ $challenge->getAttribute('type') === \strtolower(Type::RECOVERY_CODE)
 ) {
 $mfaRecoveryCodes = $user->getAttribute('mfaRecoveryCodes', []);
 if (in_array($otp, $mfaRecoveryCodes)) {
@@ -4091,7 +4091,7 @@ App::put('/v1/account/mfa/challenge')
 Type::TOTP => Challenge\TOTP::challenge($challenge, $user, $otp),
 Type::PHONE => Challenge\Phone::challenge($challenge, $user, $otp),
 Type::EMAIL => Challenge\Email::challenge($challenge, $user, $otp),
- Type::RECOVERY_CODE => $recoveryCodeChallenge($challenge, $user, $otp),
+ \strtolower(Type::RECOVERY_CODE) => $recoveryCodeChallenge($challenge, $user, $otp),
 default => false
 });
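Review bot: Both changed lines lowercase only the constant, so the check is case-insensitive only if the stored `type` (and the match subject in the second hunk, which is not visible here) was already lowercased when the challenge was created. Normalising the value as well, e.g. `\strtolower((string) $challenge->getAttribute('type')) === \strtolower(Type::RECOVERY_CODE)`, removes that dependency; a mismatch falls through to `default => false`, so the failure mode is a rejected recovery code rather than a bypass. Separately, the context line `in_array($otp, $mfaRecoveryCodes)` compares loosely, and PHP compares two numeric-looking strings as numbers under `==`; `in_array($otp, $mfaRecoveryCodes, true)` makes the recovery-code match exact. The closure body continues past the end of the first hunk.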