X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=src%2FWallabag%2FUserBundle%2FEntity%2FUser.php;fp=src%2FWallabag%2FUserBundle%2FEntity%2FUser.php;h=43fa6a80fc2bb47b40970b936a21a2612de0a59a;hb=4654a83b6438b88e3b7062a21d18999d9df2fb8e;hp=ab34e2bfc956d55cf1f3705ceb48cd3a535a22ef;hpb=7485a272ffbcc045e6002b4bf4ea289ce0a0f3b4;p=github%2Fwallabag%2Fwallabag.git
diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php
index ab34e2bf..43fa6a80 100644
--- a/src/Wallabag/UserBundle/Entity/User.php
+++ b/src/Wallabag/UserBundle/Entity/User.php
@@ -339,7 +339,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
 */
 public function isBackupCode(string $code): bool
 {
- return \in_array($code, $this->backupCodes, true);
+ return false === $this->findBackupCode($code) ? false : true;
 }

 /**
@@ -347,7 +347,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
 */
 public function invalidateBackupCode(string $code): void
 {
- $key = array_search($code, $this->backupCodes, true);
+ $key = $this->findBackupCode($code);

 if (false !== $key) {
 unset($this->backupCodes[$key]);
@@ -385,4 +385,24 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
 return $this->clients->first();
 }
 }
+
+ /**
+ * Try to find a backup code from the list of backup codes of the current user.
+ *
+ * @param string $code Given code from the user
+ *
+ * @return string|false
+ */
+ private function findBackupCode(string $code)
+ {
+ foreach ($this->backupCodes as $key => $backupCode) {
+ // backup code are hashed using `password_hash`
+ // see ConfigController->otpAppAction
+ if (password_verify($code, $backupCode)) {
+ return $key;
+ }
+ }
+
+ return false;
+ }
 }
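Review bot: In `isBackupCode`, any backup code stored before this change stops matching, because the removed line compared the submitted code with the stored value directly while `findBackupCode` only accepts stored values that `password_verify` can check as hashes. Nothing in this diff migrates or clears the old entries, so affected users would presumably lose the backup path until they regenerate their codes; a migration that empties legacy values, or a release note, would cover it. The return line can also be simplified to `return false !== $this->findBackupCode($code);`. The method's docblock starts outside the hunk.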
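Review bot: `findBackupCode` iterates `$this->backupCodes` without checking that it is an array; if the property can be null for users who never generated codes (its declaration is outside the hunk), the `foreach` raises a warning on every check, so `foreach ($this->backupCodes ?? [] as $key => $backupCode) {` is safer. The docblock's `@return string|false` also looks inaccurate, since the returned value is an array key: `@return int|string|false`. Each failed attempt now costs one `password_verify` per stored code, and `isBackupCode` followed by `invalidateBackupCode` (second hunk) repeats the whole scan, so the two-factor check should sit behind attempt limiting. The comment would read better as `// backup codes are hashed using password_hash`.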