
Hash backup codes in the database using password_hash

This commit is contained in:
Jeremy Benoist 2019-01-23 14:43:39 +01:00
parent 7485a272ff
commit 4654a83b64
No known key found for this signature in database
GPG key ID: BCA73962457ACC3C
4 changed files with 38 additions and 11 deletions


@ -339,7 +339,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
*/
public function isBackupCode(string $code): bool
{
return \in_array($code, $this->backupCodes, true);
return false === $this->findBackupCode($code) ? false : true;
}
/**
@ -347,7 +347,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
*/
public function invalidateBackupCode(string $code): void
{
$key = array_search($code, $this->backupCodes, true);
$key = $this->findBackupCode($code);
if (false !== $key) {
unset($this->backupCodes[$key]);
@ -385,4 +385,24 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
return $this->clients->first();
}
}
/**
* Try to find a backup code from the list of backup codes of the current user.
*
* @param string $code Given code from the user
*
* @return string|false
*/
private function findBackupCode(string $code)
{
foreach ($this->backupCodes as $key => $backupCode) {
// backup code are hashed using `password_hash`
// see ConfigController->otpAppAction
if (password_verify($code, $backupCode)) {
return $key;
}
}
return false;
}
}
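Review bot: The docblock on `findBackupCode` says `@return string|false`, but the method returns the array key from the `foreach` over `$this->backupCodes`, which is an `int` for a list-shaped array; `@return int|string|false` matches what `invalidateBackupCode` then passes to `unset()`, and the `false !== $key` strict check in that hunk is what keeps key `0` from being treated as "not found". The same key flows into `isBackupCode` in the first hunk, where `false === $this->findBackupCode($code) ? false : true` can simply be `return false !== $this->findBackupCode($code);`. Note that `password_verify()` returns false for any stored value that is not a recognised hash, so backup codes persisted in plaintext before this change will presumably stop matching until the user regenerates them — worth a comment in `findBackupCode` or a data migration, unless one is in the other changed files not shown here. Each call also runs a bcrypt verify per stored code, so the isBackupCode-then-invalidateBackupCode sequence costs two full passes; acceptable for a handful of codes, but the comment could state that assumption.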