Check against 2fa backup codes too in Login (#1366)

Co-authored-by: Boy132 <Boy132@users.noreply.github.com>
2025-05-19 17:34:45 +02:00 · 2025-05-12 16:14:09 +02:00 · 2025-05-12 16:14:09 +02:00 · e5cba893e4
commit e5cba893e4
parent fd49f472c3
2 changed files with 20 additions and 6 deletions
--- a/app/Filament/Pages/Auth/Login.php
+++ b/app/Filament/Pages/Auth/Login.php
@ -57,11 +57,22 @@ class Login extends BaseLogin
            return null;
        }

-        $isValidToken = $this->google2FA->verifyKey(
-            $user->totp_secret,
-            $token,
-            Config::integer('panel.auth.2fa.window'),
-        );
+        $isValidToken = false;
+        if (strlen($token) === $this->google2FA->getOneTimePasswordLength()) {
+            $isValidToken = $this->google2FA->verifyKey(
+                $user->totp_secret,
+                $token,
+                Config::integer('panel.auth.2fa.window'),
+            );
+        } else {
+            foreach ($user->recoveryTokens as $recoveryToken) {
+                if (password_verify($token, $recoveryToken->token)) {
+                    $isValidToken = true;
+                    $recoveryToken->delete();
+                    break;
+                }
+            }
+        }

        if (!$isValidToken) {
            // Buffer to prevent bruteforce
@ -108,7 +119,9 @@ class Login extends BaseLogin
    {
        return TextInput::make('2fa')
            ->label(trans('auth.two-factor-code'))
-            ->hidden(fn () => !$this->verifyTwoFactor)
+            ->hintIcon('tabler-question-mark')
+            ->hintIconTooltip(trans('auth.two-factor-hint'))
+            ->visible(fn () => $this->verifyTwoFactor)
            ->required()
            ->live();
    }
--- a/lang/en/auth.php
+++ b/lang/en/auth.php
@ -16,6 +16,7 @@ return [
    'failed' => 'These credentials do not match our records.',
    'failed-two-factor' => 'Incorrect 2FA Code',
    'two-factor-code' => 'Two Factor Code',
+    'two-factor-hint' => 'You may use backup codes if you lost access to your device.',
    'password' => 'The provided password is incorrect.',
    'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
    '2fa_must_be_enabled' => 'The administrator has required that 2-Factor Authentication must be enabled for your account in order to use the Panel.',