From 794e41638dd695637072516d589bdb64229f9617 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Ho=CC=88=C3=9Fl?=
Date: Sat, 2 Nov 2024 13:37:57 +0100
Subject: [PATCH] Don't reset TOTP key with each page reload
---
 components/SecondFactorAuthentication.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/components/SecondFactorAuthentication.php b/components/SecondFactorAuthentication.php
index ce5545138..fd6879060 100644
--- a/components/SecondFactorAuthentication.php
+++ b/components/SecondFactorAuthentication.php
@@ -48,7 +48,12 @@ public function createSecondFactorKey(User $user): TOTP
 $secret = trim((string) file_get_contents(__DIR__ . '/../tests/config/2fa.secret'));
 $otp = TOTP::createFromSecret($secret);
 } else {
- $otp = TOTP::generate();
+ $data = $this->session->get(self::SESSION_KEY_2FA_SETUP_KEY);
+ if ($data && $data['user'] === $user->id && $data['time'] > time() - self::TIMEOUT_2FA_SESSION) {
+ $otp = TOTP::createFromSecret($data['secret']);
+ } else {
+ $otp = TOTP::generate();
+ }
 }
 $otp->setLabel(AntragsgruenApp::getInstance()->mailFromName ?: 'Antragsgrün');
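Review bot: The reuse branch trusts the shape of the session entry: `if ($data && $data['user'] === $user->id && ...)` only tests truthiness, so an entry that lacks `user`, `time` or `secret` raises undefined-key warnings and can pass a non-string to `TOTP::createFromSecret()`. Guarding with `is_array($data) && isset($data['user'], $data['time'], $data['secret'])` before the comparisons would make the fallback to `TOTP::generate()` explicit. Because the pending secret is now reused for up to `TIMEOUT_2FA_SESSION`, it is also worth confirming that code outside this hunk removes `SESSION_KEY_2FA_SETUP_KEY` once enrolment succeeds or is abandoned, so the shared secret does not stay in session storage longer than setup needs. A short comment such as `// Reuse the pending setup secret so the QR code stays stable across reloads` would record why the session is consulted here. The body of createSecondFactorKey starts and ends outside the hunk.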