From a77526cab1d9d8a105bf819bf7261149fc33b3ea Mon Sep 17 00:00:00 2001
From: Torsten Dittmann
Date: Fri, 2 Feb 2024 13:50:18 +0100
Subject: [PATCH] fix: backup codes

---
 app/controllers/api/account.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index b28f45739..ce6ad0b34 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -3788,9 +3788,19 @@ App::put('/v1/account/mfa/challenge')
 default => false
 };
 
- if (!$success) {
- throw new Exception(Exception::USER_INVALID_TOKEN);
- }
+ if (!$success && $provider === 'totp') {
+ $backups = $user->getAttribute('mfaBackups', []);
+ if (in_array($otp, $backups)) {
+ $success = true;
+ $backups = array_diff($backups, [$otp]);
+ $user->setAttribute('mfaBackups', $backups);
+ $dbForProject->updateDocument('users', $user->getId(), $user);
+ }
+ }
+
+ if (!$success) {
+ throw new Exception(Exception::USER_INVALID_TOKEN);
+ }
 
 $dbForProject->deleteDocument('challenges', $challengeId);
 $dbForProject->purgeCachedDocument('users', $user->getId());
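Review bot: The backup-code lookup `in_array($otp, $backups)` in the added block uses loose comparison, so numeric-looking codes match by value rather than by exact string (`'0123' == '123'`, `'1e3' == '1000'` are both true), which widens the set of inputs accepted as a valid backup code; it should read `if (in_array($otp, $backups, true)) {`. Because this is a second-factor check, comparing `$otp` against each stored code with `hash_equals()` would avoid leaking the match position through timing, and if the stored codes are plaintext rather than hashed (not visible in this hunk), storing hashes and verifying with `password_verify()` is the usual defence. `array_diff()` preserves keys, so after consuming a code `mfaBackups` becomes a sparse map instead of a list; `$backups = array_values(array_diff($backups, [$otp]));` keeps its shape stable. The `App::put('/v1/account/mfa/challenge')` handler begins and ends outside the hunk, and `$otp` and `$provider` are assigned outside it.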