fix: Corrected the single use token time window

born05 · Feb 8, 2024 · 89d2339 · 89d2339
1 parent eb93bcb
commit 89d2339
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/src/services/Verify.php b/src/services/Verify.php
@@ -183,9 +183,7 @@ private function getUserRecord(User $user)
      */
     private function isTokenUsed($token, User $user): bool
     {
-        $settings = TwoFactorAuth::$plugin->getSettings();
-        $delay = is_int($settings->totpDelay) ? $settings->totpDelay : 0;
-        $start = new \DateTime("-$delay seconds");
+        $start = $this->getTotpStartTime();
 
         // Find the token used by user in the current window.
         $userTokenRecord = UserTokenRecord::find()
@@ -230,9 +228,7 @@ private function insertToken($token, User $user)
      */
     public function removeOldTokens(User $user)
     {
-        $settings = TwoFactorAuth::$plugin->getSettings();
-        $delay = is_int($settings->totpDelay) ? $settings->totpDelay : 0;
-        $start = new \DateTime("-$delay seconds");
+        $start = $this->getTotpStartTime();
 
         $userTokenRecords = UserTokenRecord::find()
             ->where([
@@ -245,4 +241,16 @@ public function removeOldTokens(User $user)
             $userTokenRecord->delete();
         }
     }
+
+    /**
+     * Get TOTP start time
+     * @return \DateTime
+     */
+    private function getTotpStartTime(): \DateTime
+    {
+        $settings = TwoFactorAuth::$plugin->getSettings();
+        $delay = is_int($settings->totpDelay) ? $settings->totpDelay : 0;
+        $window = 31 + $delay; // Default window is 30 seconds, but we add 1 second to be sure.
+        return new \DateTime("-$window seconds");
+    }
 }