From b1c032fcca9b3d48d247a9daf45db70894ee0839 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms
Date: Wed, 23 Apr 2025 08:35:20 +0000
Subject: 2fa: test all valid periods for tokens of type email, fixes #5364
Closes #5364
Merge request studip/studip!4128
---
 lib/models/TFASecret.php | 40 +++++++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 13 deletions(-)
diff --git a/lib/models/TFASecret.php b/lib/models/TFASecret.php
index 12d1ae2..d415e3c 100644
--- a/lib/models/TFASecret.php
+++ b/lib/models/TFASecret.php
@@ -175,23 +175,37 @@ class TFASecret extends SimpleORMap
 $window = null;
 }
- if ($this->getTOTP()->verify($token, $timestamp, $window)) {
- if (!$this->confirmed) {
- $this->confirmed = true;
- $this->store();
- }
+ if ($this->type === 'email') {
+ // Test for "window" number of "period" (this will ensure that old
+ // tokens are validated correctly)
+ $period = self::TYPES[$this->type]['period'];
+
+ $i = 0;
+ do {
+ $verified = $this->getTOTP()->verify($token, $timestamp - $i * $period, $window);
+ $i += 1;
+ } while (!$verified && $i < self::TYPES[$this->type]['window']);
+ } else {
+ $verified = $this->getTOTP()->verify($token, $timestamp, $window);
+ }
- if (!$allow_reuse) {
- TFAToken::create([
- 'user_id' => $this->user_id,
- 'token' => $token,
- ]);
- }
+ if (!$verified) {
+ return false;
+ }
+
+ if (!$this->confirmed) {
+ $this->confirmed = true;
+ $this->store();
+ }
- return true;
+ if (!$allow_reuse) {
+ TFAToken::create([
+ 'user_id' => $this->user_id,
+ 'token' => $token,
+ ]);
 }
- return false;
+ return true;
 }
 /**
-- 
cgit v1.0
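Review bot: The email branch computes `$timestamp - $i * $period`, which quietly breaks if `$timestamp` is allowed to be null: TOTP verifiers commonly treat a null timestamp as "now", but here null would be coerced to a value near the Unix epoch and every email token would fail; the method signature and the lines that set `$window` are outside the hunk, so whether null can reach this point needs confirming. If it can, resolving it once before the branch, `$timestamp ??= time();`, keeps both branches on the same footing. A point of style: the loop re-reads `self::TYPES[$this->type]['window']` on every pass and counts with `$i += 1`; hoisting `$maxPeriods = self::TYPES[$this->type]['window'];` next to `$period` and writing `for ($i = 0; !$verified && $i < $maxPeriods; $i++)` states the intent directly. Each shifted check also still receives `$window`, so when that leeway is non-null the accepted range is wider than `window * period` by the leeway on both ends; if that is intended, the comment above the loop should say so, since it is the bound a reviewer of the replay/brute-force surface will look for.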