fix: backup codes

2024-06-28 19:20:25 +12:00 · 2024-02-02 13:50:18 +01:00 · 2024-02-02 13:50:18 +01:00 · a77526cab1
parent db321db0fb
commit a77526cab1
1 changed files with 13 additions and 3 deletions
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@ -3788,9 +3788,19 @@ App::put('/v1/account/mfa/challenge')
            default => false
        };

-    if (!$success) {
-        throw new Exception(Exception::USER_INVALID_TOKEN);
-    }
+        if (!$success && $provider === 'totp') {
+            $backups = $user->getAttribute('mfaBackups', []);
+            if (in_array($otp, $backups)) {
+                $success = true;
+                $backups = array_diff($backups, [$otp]);
+                $user->setAttribute('mfaBackups', $backups);
+                $dbForProject->updateDocument('users', $user->getId(), $user);
+            }
+        }
+
+        if (!$success) {
+            throw new Exception(Exception::USER_INVALID_TOKEN);
+        }

        $dbForProject->deleteDocument('challenges', $challengeId);
        $dbForProject->purgeCachedDocument('users', $user->getId());