Merge pull request #366 from corazzi/feature/destroy-used-recovery-codes

Destroy a recovery code when used – fixes #284
jeffgreco13 · Jun 9, 2024 · 5323369 · 5323369
2 parents dd43039 + e28b477
commit 5323369
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/src/Pages/TwoFactorPage.php b/src/Pages/TwoFactorPage.php
@@ -130,6 +130,11 @@ public function authenticate()
             return null;
         }
 
+        // If using a recovery code, unset it so it can only be used once
+        if ($this->usingRecoveryCode) {
+            filament('filament-breezy')->auth()->user()->destroyRecoveryCode($this->code);
+        }
+
         // If it makes it to the bottom, we're going to set the session var and send them to the dashboard.
         filament('filament-breezy')->auth()->user()->setTwoFactorSession();
 

diff --git a/src/Traits/TwoFactorAuthenticatable.php b/src/Traits/TwoFactorAuthenticatable.php
@@ -99,6 +99,15 @@ public function generateRecoveryCodes()
         })->all()));
     }
 
+    public function destroyRecoveryCode(string $recoveryCode): void
+    {
+        $unusedCodes = array_filter($this->two_factor_recovery_codes ?? [], fn ($code) => $code !== $recoveryCode);
+
+        $this->breezy_session->forceFill([
+            'two_factor_recovery_codes' => $unusedCodes ? encrypt(json_encode($unusedCodes)) : null,
+        ])->save();
+    }
+
     public function getTwoFactorQrCodeUrl()
     {
         return filament('filament-breezy')->getQrCodeUrl(