Refactor 2FA logic to support SHA512 algorithm

Implement enhanced 2FA verification and replay-attack prevention: verify the OTP with SHA512 first, falling back to SHA1 for existing users, and persist the accepted OTP timestamp so the same code cannot be reused.

Signed-off-by: TechNoNerd87 <113461509+TechNoNerd87@users.noreply.github.com>
TechNoNerd87 2025-11-24 13:43:15 -06:00 committed by GitHub
parent 328d0d7482
commit 66eccd2874
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 21 additions and 2 deletions


@ -131,9 +131,28 @@ class LoginController extends BaseController
//2FA
if ($user->google_2fa_secret && $request->has('one_time_password')) {
$google2fa = new Google2FA();
$otp = $request->input('one_time_password');
$secret = decrypt($user->google_2fa_secret);
$timestamp = false;
if (strlen($request->input('one_time_password')) == 0 || !$google2fa->verifyKey(decrypt($user->google_2fa_secret), $request->input('one_time_password'))) {
if (strlen($otp) > 0) {
// Try SHA512 first (new algorithm) with timestamp to prevent OTP reuse
$google2fa = new Google2FA();
$google2fa->setAlgorithm(\PragmaRX\Google2FA\Support\Constants::SHA512);
$timestamp = $google2fa->verifyKeyNewer($secret, $otp, $user->google_2fa_ts ?? 0);
// Fall back to SHA1 for existing users (backward compatibility)
if ($timestamp === false) {
$google2fa = new Google2FA();
$timestamp = $google2fa->verifyKeyNewer($secret, $otp, $user->google_2fa_ts ?? 0);
}
}
if ($timestamp !== false) {
// Update timestamp to prevent OTP reuse
$user->google_2fa_ts = $timestamp;
$user->save();
} else {
return response()
->json(['message' => ctrans('texts.invalid_one_time_password')], 401)
->header('X-App-Version', config('ninja.app_version'))