Diffstat (limited to 'src/Wallabag/UserBundle/Entity/User.php')
-rw-r--r--src/Wallabag/UserBundle/Entity/User.php24
1 files changed, 22 insertions, 2 deletions
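diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php
index ab34e2bf..43fa6a80 100644
--- a/src/Wallabag/UserBundle/Entity/User.php
+++ b/src/Wallabag/UserBundle/Entity/User.php
@@ -339,7 +339,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
  */
  public function isBackupCode(string $code): bool
  {
- return \in_array($code, $this->backupCodes, true);
+ return false === $this->findBackupCode($code) ? false : true;
  }
 
  /**
@@ -347,7 +347,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
  */
  public function invalidateBackupCode(string $code): void
  {
- $key = array_search($code, $this->backupCodes, true);
+ $key = $this->findBackupCode($code);
 
  if (false !== $key) {
  unset($this->backupCodes[$key]);
@@ -385,4 +385,24 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
  return $this->clients->first();
  }
  }
+
+ /**
+ * Try to find a backup code from the list of backup codes of the current user.
+ *
+ * @param string $code Given code from the user
+ *
+ * @return string|false
+ */
+ private function findBackupCode(string $code)
+ {
+ foreach ($this->backupCodes as $key => $backupCode) {
+ // backup code are hashed using `password_hash`
+ // see ConfigController->otpAppAction
+ if (password_verify($code, $backupCode)) {
+ return $key;
+ }
+ }
+
+ return false;
+ }
 }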
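Review bot: Backup codes stored before this change are not handled by `findBackupCode()`: `password_verify()` returns false when the stored value is not a hash, so any plaintext entries still in `backupCodes` silently stop matching and remain readable in the database. Only User.php is visible on this page, so please confirm the commit also ships a migration that hashes or clears existing codes and prompts users to regenerate them. In `isBackupCode()`, `return false !== $this->findBackupCode($code);` expresses the same result without the ternary. The new docblock should read `@return int|string|false`, since the method returns the array key rather than the code.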