From 01d1c5a98860dccb43caa8892277ba418835928a Mon Sep 17 00:00:00 2001
From: Hillel Coren
Date: Sun, 31 Dec 2017 11:22:21 +0200
Subject: [PATCH] Don't change secret if enter wrong 2FA password

---
 app/Http/Controllers/TwoFactorController.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/TwoFactorController.php b/app/Http/Controllers/TwoFactorController.php
index 165a530fe636..8b91af098cd0 100644
--- a/app/Http/Controllers/TwoFactorController.php
+++ b/app/Http/Controllers/TwoFactorController.php
@@ -16,9 +16,13 @@ class TwoFactorController extends Controller
         }
         $google2fa = new Google2FA();
-        $secret = $google2fa->generateSecretKey();
-        session(['2fa:secret' => $secret]);
+        if ($secret = session('2fa:secret')) {
+            // do nothing
+        } else {
+            $secret = $google2fa->generateSecretKey();
+            session(['2fa:secret' => $secret]);
+        }
         $qrCode = $google2fa->getQRCodeGoogleUrl(
             APP_NAME,
@@ -37,15 +41,16 @@ class TwoFactorController extends Controller
     public function enableTwoFactor()
     {
         $user = auth()->user();
-        $secret = session()->pull('2fa:secret');
+        $secret = session('2fa:secret');
         $oneTimePassword = request('one_time_password');
         if (! $secret || ! \Google2FA::verifyKey($secret, $oneTimePassword)) {
-            return redirect('settings/enable_two_factor')->withMessage(trans('texts.invalid_one_time_password'));
+            return redirect('settings/enable_two_factor')->withError(trans('texts.invalid_one_time_password'));
         } elseif (! $user->google_2fa_secret && $user->phone && $user->confirmed) {
             $user->google_2fa_secret = Crypt::encrypt($secret);
             $user->save();
+            session()->forget('2fa:secret');
             session()->flash('message', trans('texts.enabled_two_factor'));
         }
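Review bot: The new `if ($secret = session('2fa:secret')) { // do nothing } else { ... }` in the first hunk hides the intent behind an assignment-in-condition and an empty branch; the same behaviour reads better as `$secret = session('2fa:secret');` followed by `if (! $secret) {` around the two generate/store lines, with the why stated once: `// Reuse the pending secret so the QR code the user already scanned stays valid after a failed OTP`. Because the pending secret is no longer pulled on every attempt, it now stays in the session until the success path in the second hunk calls `session()->forget('2fa:secret')`; any route that leaves setup early (the guard above this hunk, or the `elseif` in the second hunk evaluating false) leaves a stale secret behind, so those paths should presumably forget it too. If a session can carry over between users in this app (account switching), the cached secret should additionally be tied to the current user id rather than trusted as-is; I cannot confirm that from this hunk. The enclosing method of the first hunk begins before the hunk, and the second hunk's closing context lies outside this excerpt.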