
Merge pull request #705 from pixelfed/frontend-ui-refactor

Frontend ui refactor
daniel 6 years ago
parent
commit
137788b00c

+ 32 - 0
app/Http/Controllers/AccountController.php

@@ -339,6 +339,11 @@ class AccountController extends Controller
             $request->session()->push('2fa.session.active', true);
             return redirect('/');
         } else {
+
+            if($this->twoFactorBackupCheck($request, $code, $user)) {
+                return redirect('/');
+            }
+
             if($request->session()->has('2fa.attempts')) {
                 $count = (int) $request->session()->has('2fa.attempts');
                 $request->session()->push('2fa.attempts', $count + 1);
@@ -350,4 +355,31 @@ class AccountController extends Controller
             ]);
         }
     }
+
+    protected function twoFactorBackupCheck($request, $code, User $user)
+    {
+            $backupCodes = $user->{'2fa_backup_codes'};
+            if($backupCodes) {
+                $codes = json_decode($backupCodes, true);
+                foreach ($codes as $c) {
+                    if(hash_equals($c, $code)) {
+                        // remove code
+                        $codes = array_flatten(array_diff($codes, [$code]));
+                        $user->{'2fa_backup_codes'} = json_encode($codes);
+                        $user->save();
+                        $request->session()->push('2fa.session.active', true);
+                        return true;
+                    } else {
+                        return false;
+                    }
+                }
+            } else {
+                return false;
+            }  
+    }
+
+    public function accountRestored(Request $request)
+    {
+        //
+    }
 }
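Review bot: In `twoFactorBackupCheck`, the `else { return false; }` inside the `foreach` exits after comparing only the first stored code, so every backup code except the first is rejected; the `return false` belongs after the loop. `json_decode` can also return null or non-string entries, and `hash_equals` requires two strings, so the decoded value and `$code` should be type-checked before the comparison. Removing the matched entry by index and re-indexing with `array_values` avoids the `array_flatten(array_diff(...))` round trip. Separately, the attempt counter that a failed check falls through to in the first hunk reads `has('2fa.attempts')`, which is a boolean, so it does not look able to limit guesses against the backup codes; that is worth confirming outside this diff.

```php
    protected function twoFactorBackupCheck($request, $code, User $user)
    {
        $backupCodes = $user->{'2fa_backup_codes'};
        $codes = $backupCodes ? json_decode($backupCodes, true) : null;
        if (!is_array($codes) || !is_string($code)) {
            return false;
        }

        foreach ($codes as $index => $stored) {
            if (is_string($stored) && hash_equals($stored, $code)) {
                // consume the matched code so it cannot be reused
                unset($codes[$index]);
                $user->{'2fa_backup_codes'} = json_encode(array_values($codes));
                // … unchanged: save the user, mark the 2fa session active, return true …
            }
        }

        return false;
    }
```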

+ 13 - 0
app/Http/Controllers/Settings/SecuritySettings.php

@@ -110,6 +110,19 @@ trait SecuritySettings
 		return view('settings.security.2fa.recovery-codes', compact('user', 'codes'));
 	}
 
+	public function securityTwoFactorRecoveryCodesRegenerate(Request $request)
+	{
+		$user = Auth::user();
+
+		if(!$user->{'2fa_enabled'} || !$user->{'2fa_secret'}) {
+			abort(403);
+		}
+		$backups = $this->generateBackupCodes();
+		$user->{'2fa_backup_codes'} = json_encode($backups);
+		$user->save();
+		return redirect(route('settings.security.2fa.recovery'));
+	}
+
 	public function securityTwoFactorUpdate(Request $request)
 	{
 		$user = Auth::user();
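Review bot: `securityTwoFactorRecoveryCodesRegenerate` replaces every recovery code on any authenticated POST without confirming the password or a current 2FA code, so whoever holds the session can issue a fresh set of second-factor bypass codes. Require a re-authentication step before `generateBackupCodes()` is called, and consider logging the regeneration or notifying the user. The view only offers the button when no codes remain, but the handler does not check that, so a POST also silently discards codes the user still has saved; if that is intended, state it in a comment such as `// Replaces all existing recovery codes, including unused ones`. The codes are also persisted as plain JSON via `json_encode($backups)`; storing only hashes would limit exposure from a database read, though the recovery page that redisplays them (outside this hunk) would then need to change.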

+ 1 - 1
config/pixelfed.php

@@ -23,7 +23,7 @@ return [
     | This value is the version of your PixelFed instance.
     |
     */
-    'version' => '0.7.5',
+    'version' => '0.7.6',
 
     /*
     |--------------------------------------------------------------------------

+ 21 - 11
resources/views/settings/security/2fa/recovery-codes.blade.php

@@ -7,16 +7,26 @@
   </div>
 
   <hr>
-  
-  <p class="lead pb-3">
-  	Each code can only be used once.
-  </p>
-
-  <p class="lead"></p>
-  <ul class="list-group">
-  	@foreach($codes as $code)
-  	<li class="list-group-item"><code>{{$code}}</code></li>
-  	@endforeach
-  </ul>
+    @if(count($codes) > 0)
+      <p class="lead pb-3">
+      	Each code can only be used once.
+      </p>
+      <ul class="list-group">
+      	@foreach($codes as $code)
+      	<li class="list-group-item"><code>{{$code}}</code></li>
+      	@endforeach
+      </ul>
+    @else
+    <div class="pt-5">
+      <h4 class="font-weight-bold">You are out of recovery codes</h4>
+      <p class="lead">Generate more recovery codes and store them in a safe place.</p>
+      <p>
+        <form method="post">
+          @csrf
+          <button type="submit" class="btn btn-primary font-weight-bold">Generate Recovery Codes</button>
+        </form>
+      </p>
+    </div>
+    @endif
 
 @endsection
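Review bot: `@if(count($codes) > 0)` assumes `$codes` is always an array; the controller that builds it is outside this diff, and if it can pass null (for example from `json_decode` on an empty column) `count()` will warn or throw depending on the PHP version, so `@if(!empty($codes))` is the safer test. The `<form>` is nested inside a `<p>`, which is invalid HTML and gets re-parented by browsers; wrap it in a `<div>` instead. The form has no `action`, so it depends on the page URL matching the POST route; `action="{{ route('settings.security.2fa.recovery') }}"` would make that explicit.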

+ 4 - 0
routes/web.php

@@ -166,6 +166,10 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact
                 '2fa/recovery-codes',
                 'SettingsController@securityTwoFactorRecoveryCodes'
             )->name('settings.security.2fa.recovery');
+            Route::post(
+                '2fa/recovery-codes',
+                'SettingsController@securityTwoFactorRecoveryCodesRegenerate'
+            );
         });
 
         Route::get('applications', 'SettingsController@applications')->name('settings.applications');