From 0dce4fc843d883c82fd0dbc336d52c043ae6b36a Mon Sep 17 00:00:00 2001
From: Hillel Coren
Date: Mon, 20 Aug 2018 20:52:54 +0300
Subject: [PATCH] 2FA check for mobile app

---
 app/Http/Controllers/AccountApiController.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/app/Http/Controllers/AccountApiController.php b/app/Http/Controllers/AccountApiController.php
index a0197fb56968..9de71390b967 100644
--- a/app/Http/Controllers/AccountApiController.php
+++ b/app/Http/Controllers/AccountApiController.php
@@ -69,6 +69,15 @@ class AccountApiController extends BaseAPIController
 }
 
 if (Auth::attempt(['email' => $request->email, 'password' => $request->password])) {
+ // TODO remove token_name check once legacy apps are deactivated
+ if ($user->google_2fa_secret && strpos($request->token_name, 'invoice-ninja-') !== false) {
+ $secret = \Crypt::decrypt($user->google_2fa_secret);
+ if (! $request->one_time_password) {
+ return $this->errorResponse(['message' => 'OTP_REQUIRED'], 401);
+ } elseif (! \Google2FA::verifyKey($secret, $request->one_time_password)) {
+ return $this->errorResponse(['message' => 'Invalid one time password'], 401);
+ }
+ }
 if ($user && $user->failed_logins > 0) {
 $user->failed_logins = 0;
 $user->save();
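Review bot: The new block reads `$user->google_2fa_secret` before the existing `if ($user && ...)` guard on the line that follows it, so the null case that guard anticipates would skip the OTP check with only a notice instead of failing closed; hoist the null check into the new condition, `if ($user && $user->google_2fa_secret && strpos($request->token_name, 'invoice-ninja-') !== false) {`. A missing or wrong OTP returns 401 without touching `failed_logins`, so the lockout counter the surrounding code maintains does not cover OTP guessing; incrementing it on the `Invalid one time password` path would put OTP attempts under the same throttle as password attempts. Enforcement is also gated on the client-supplied `token_name`, which the TODO acknowledges is temporary; until that gate is removed, logging the skipped-2FA case would make it visible in audit trails. If the guard behind `Auth::attempt` here is session-based, the user is already logged in when the 401 is returned, so the session state on the OTP failure paths should be confirmed. The enclosing method starts before this hunk.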