! This is a one-time password. Let's make sure the password is indeed…

… used only once! Signed-off-by:Thorsten Eurich <thorsten@eurich.de>
elkarte · May 2, 2016 · d5884ce · d5884ce
1 parent d6b6bce
commit d5884ce
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 4 deletions.
diff --git a/install/install_1-1.php b/install/install_1-1.php
@@ -1651,6 +1651,7 @@ public function table_members()
 				array('name' => 'receive_from',         'type' => 'tinyint', 'size' => 4, 'unsigned' => true, 'default' => 1),
 				array('name' => 'otp_secret',           'type' => 'varchar', 'size' => 16, 'default' => ''),
 				array('name' => 'enable_otp',           'type' => 'tinyint', 'size' => 1, 'default' => 0),
+				array('name' => 'otp_used',             'type' => 'int', 'size' => 6, 'default' => 0),
 			),
 			array(
 				array('name' => 'id_member',            'columns' => array('id_member'), 'type' => 'primary'),

diff --git a/install/upgrade_1-1.php b/install/upgrade_1-1.php
@@ -115,6 +115,16 @@ public function adding_opt($title = false)
 						array(),
 						'ignore'
 					);
+					$db_table->db_add_column('{db_prefix}members',
+						array(
+							'name' => 'otp_used',
+							'type' => 'int',
+							'size' => 6,
+							'default' => 0,
+						),
+						array(),
+						'ignore'
+					);
 				}
 			)
 		);

diff --git a/sources/controllers/Auth.controller.php b/sources/controllers/Auth.controller.php
@@ -228,6 +228,12 @@ public function action_login2()
 				$context['login_errors'] = array($txt['invalid_otptoken']);
 				return false;
 			}
+			// OTP already used? Sorry, but this is a ONE TIME password..
+			if ($user_settings['otp_used'] == $_POST['otp_token'])
+			{
+				$context['login_errors'] = array($txt['otp_used']);
+				return false;
+			}
 		}
 
 		// Let them try again, it didn't match anything...
@@ -349,6 +355,12 @@ public function action_login2()
 			updateMemberData($user_settings['id_member'], array('password_salt' => $user_settings['password_salt']));
 		}
 
+		// Let's track the last used one-time password.
+		if (!empty($_POST['otp_token']))
+		{
+			require_once(SUBSDIR . '/Members.subs.php');
+			updateMemberData($user_settings['id_member'], array('otp_used' => $_POST['otp_token']));
+		}
 		// Check their activation status.
 		if (!checkActivation())
 			return false;

diff --git a/sources/subs/Auth.subs.php b/sources/subs/Auth.subs.php
@@ -836,7 +836,7 @@ function loadExistingMember($name, $is_id = false)
 	{
 		$request = $db->query('', '
 			SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
-				openid_uri, passwd_flood, otp_secret, enable_otp
+				openid_uri, passwd_flood, otp_secret, enable_otp, otp_used
 			FROM {db_prefix}members
 			WHERE id_member = {int:id_member}
 			LIMIT 1',
@@ -850,7 +850,7 @@ function loadExistingMember($name, $is_id = false)
 		// Try to find the user, assuming a member_name was passed...
 		$request = $db->query('', '
 			SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt,
-				openid_uri, passwd_flood, otp_secret, enable_otp
+				openid_uri, passwd_flood, otp_secret, enable_otp, otp_used
 			FROM {db_prefix}members
 			WHERE ' . (defined('DB_CASE_SENSITIVE') ? 'LOWER(member_name) = LOWER({string:user_name})' : 'member_name = {string:user_name}') . '
 			LIMIT 1',
@@ -865,7 +865,7 @@ function loadExistingMember($name, $is_id = false)
 
 			$request = $db->query('', '
 				SELECT passwd, id_member, id_group, lngfile, is_activated, email_address, additional_groups, member_name, password_salt, openid_uri,
-				passwd_flood, otp_secret, enable_otp
+				passwd_flood, otp_secret, enable_otp, otp_used
 				FROM {db_prefix}members
 				WHERE email_address = {string:user_name}
 				LIMIT 1',

diff --git a/sources/subs/Members.subs.php b/sources/subs/Members.subs.php
@@ -2414,7 +2414,8 @@ function updateMemberData($members, $data)
 		'date_registered', 'posts', 'id_group', 'last_login', 'personal_messages', 'unread_messages', 'mentions',
 		'new_pm', 'pm_prefs', 'hide_email', 'show_online', 'pm_email_notify', 'receive_from', 'karma_good', 'karma_bad',
 		'notify_announcements', 'notify_send_body', 'notify_regularity', 'notify_types',
-		'id_theme', 'is_activated', 'id_msg_last_visit', 'id_post_group', 'total_time_logged_in', 'warning', 'likes_given', 'likes_received', 'enable_otp'
+		'id_theme', 'is_activated', 'id_msg_last_visit', 'id_post_group', 'total_time_logged_in', 'warning', 'likes_given',
+		'likes_received', 'enable_otp', 'otp_used'
 	);
 	$knownFloats = array(
 		'time_offset',

diff --git a/themes/default/languages/english/index.english.php b/themes/default/languages/english/index.english.php
@@ -923,5 +923,6 @@
 $txt['otp_token'] = 'Time-based One-time Password';
 $txt['otp_enabled'] = 'Enable two factor authentication';
 $txt['invalid_otptoken'] = 'Time-based One-time Password is invalid';
+$txt['otp_used'] = 'Time-based One-time Password already used.<br /> Please wait a moment and use the next code.';
 $txt['otp_generate'] = 'Generate';
 $txt['otp_show_qr'] = 'Show QR-Code';