Don't reset TOTP key with each page reload

CatoTH · Nov 2, 2024 · 794e416 · 794e416
1 parent 0413c5d
commit 794e416
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/components/SecondFactorAuthentication.php b/components/SecondFactorAuthentication.php
@@ -48,7 +48,12 @@ public function createSecondFactorKey(User $user): TOTP
             $secret = trim((string) file_get_contents(__DIR__ . '/../tests/config/2fa.secret'));
             $otp = TOTP::createFromSecret($secret);
         } else {
-            $otp = TOTP::generate();
+            $data = $this->session->get(self::SESSION_KEY_2FA_SETUP_KEY);
+            if ($data && $data['user'] === $user->id && $data['time'] > time() - self::TIMEOUT_2FA_SESSION) {
+                $otp = TOTP::createFromSecret($data['secret']);
+            } else {
+                $otp = TOTP::generate();
+            }
         }
         $otp->setLabel(AntragsgruenApp::getInstance()->mailFromName ?: 'Antragsgrün');