mirror of https://github.com/invoiceninja/invoiceninja.git synced 2024-11-08 20:22:42 +01:00

Don't change secret if enter wrong 2FA password

Hillel Coren 2017-12-31 11:22:21 +02:00
parent 80cae5f0b3
commit 01d1c5a988


@ -16,9 +16,13 @@ class TwoFactorController extends Controller
}
$google2fa = new Google2FA();
$secret = $google2fa->generateSecretKey();
session(['2fa:secret' => $secret]);
if ($secret = session('2fa:secret')) {
// do nothing
} else {
$secret = $google2fa->generateSecretKey();
session(['2fa:secret' => $secret]);
}
$qrCode = $google2fa->getQRCodeGoogleUrl(
APP_NAME,
@ -37,15 +41,16 @@ class TwoFactorController extends Controller
public function enableTwoFactor()
{
$user = auth()->user();
$secret = session()->pull('2fa:secret');
$secret = session('2fa:secret');
$oneTimePassword = request('one_time_password');
if (! $secret || ! \Google2FA::verifyKey($secret, $oneTimePassword)) {
return redirect('settings/enable_two_factor')->withMessage(trans('texts.invalid_one_time_password'));
return redirect('settings/enable_two_factor')->withError(trans('texts.invalid_one_time_password'));
} elseif (! $user->google_2fa_secret && $user->phone && $user->confirmed) {
$user->google_2fa_secret = Crypt::encrypt($secret);
$user->save();
session()->forget('2fa:secret');
session()->flash('message', trans('texts.enabled_two_factor'));
}
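Review bot: In `enableTwoFactor()`, `session()->forget('2fa:secret')` now runs only inside the `elseif` branch, so the pending secret stays in the session when the code verifies but the user already has `google_2fa_secret` set, has no phone, or is unconfirmed. The old `session()->pull('2fa:secret')` removed it on every call. Keeping the secret after a wrong code is the point of the commit, but once `verifyKey` has passed there is no reason to retain it. Consider turning the `elseif` into an `else` that calls `session()->forget('2fa:secret');` first and then nests the existing save under `if (! $user->google_2fa_secret && $user->phone && $user->confirmed)`. The function body continues past the visible lines, so what runs after the fall-through is not shown here.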