From e5cba893e47d65b6d20ee53ef9cf68684566d71c Mon Sep 17 00:00:00 2001
From: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
Date: Mon, 12 May 2025 16:14:09 +0200
Subject: [PATCH] Check against 2fa backup codes too in `Login` (#1366)

Co-authored-by: Boy132
---
 app/Filament/Pages/Auth/Login.php | 25 +++++++++++++++++++------
 lang/en/auth.php | 1 +
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/app/Filament/Pages/Auth/Login.php b/app/Filament/Pages/Auth/Login.php
index 60179fff1..832a12087 100644
--- a/app/Filament/Pages/Auth/Login.php
+++ b/app/Filament/Pages/Auth/Login.php
@@ -57,11 +57,22 @@ class Login extends BaseLogin
             return null;
         }
 
-        $isValidToken = $this->google2FA->verifyKey(
-            $user->totp_secret,
-            $token,
-            Config::integer('panel.auth.2fa.window'),
-        );
+        $isValidToken = false;
+        if (strlen($token) === $this->google2FA->getOneTimePasswordLength()) {
+            $isValidToken = $this->google2FA->verifyKey(
+                $user->totp_secret,
+                $token,
+                Config::integer('panel.auth.2fa.window'),
+            );
+        } else {
+            foreach ($user->recoveryTokens as $recoveryToken) {
+                if (password_verify($token, $recoveryToken->token)) {
+                    $isValidToken = true;
+                    $recoveryToken->delete();
+                    break;
+                }
+            }
+        }
 
         if (!$isValidToken) {
             // Buffer to prevent bruteforce
@@ -108,7 +119,9 @@ class Login extends BaseLogin
     {
         return TextInput::make('2fa')
             ->label(trans('auth.two-factor-code'))
-            ->hidden(fn () => !$this->verifyTwoFactor)
+            ->hintIcon('tabler-question-mark')
+            ->hintIconTooltip(trans('auth.two-factor-hint'))
+            ->visible(fn () => $this->verifyTwoFactor)
             ->required()
             ->live();
     }
diff --git a/lang/en/auth.php b/lang/en/auth.php
index b995376f7..d88b09397 100644
--- a/lang/en/auth.php
+++ b/lang/en/auth.php
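Review bot: The backup-code branch is reachable only when `strlen($token)` differs from `getOneTimePasswordLength()`, so the submitted value is checked against exactly one factor: a recovery code that happens to be generated at the TOTP length would never be compared with `$user->recoveryTokens`, and a TOTP-length input is never treated as a recovery code. Whether recovery codes can collide with that length is not visible in this hunk, so at minimum the assumption should be stated above the `if`, e.g. `// Recovery codes are assumed to never have the OTP length; a same-length code would be unreachable here`, or the recovery-token loop could run as a fallback after a failed `verifyKey` instead of in an `else`. Each recovery attempt also costs up to one `password_verify` per stored token, so it matters that the existing bruteforce buffer below still covers this path (it does, since the check sits before `if (!$isValidToken)`). Note that `strlen` is byte-wise, which is fine for digit-only codes but should be kept in mind if code formats change. The enclosing method begins before this hunk and its handling of a failed result continues past it.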
@@ -16,6 +16,7 @@ return [
     'failed' => 'These credentials do not match our records.',
     'failed-two-factor' => 'Incorrect 2FA Code',
     'two-factor-code' => 'Two Factor Code',
+    'two-factor-hint' => 'You may use backup codes if you lost access to your device.',
     'password' => 'The provided password is incorrect.',
     'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
     '2fa_must_be_enabled' => 'The administrator has required that 2-Factor Authentication must be enabled for your account in order to use the Panel.',