From 4654a83b6438b88e3b7062a21d18999d9df2fb8e Mon Sep 17 00:00:00 2001
From: Jeremy Benoist <jeremy.benoist@gmail.com>
Date: Wed, 23 Jan 2019 14:43:39 +0100
Subject: Hash backup codes in the database using `password_hash`

---
 .../CoreBundle/Controller/ConfigController.php     | 21 ++++++++++++-------
 .../views/themes/baggy/Config/otp_app.html.twig    |  2 +-
 .../views/themes/material/Config/otp_app.html.twig |  2 +-
 src/Wallabag/UserBundle/Entity/User.php            | 24 ++++++++++++++++++++--
 4 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index ed92c999..9257ab18 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -197,18 +197,25 @@ class ConfigController extends Controller
         }
 
         $user = $this->getUser();
+        $secret = $this->get('scheb_two_factor.security.google_authenticator')->generateSecret();
 
-        if (!$user->isGoogleTwoFactor()) {
-            $secret = $this->get('scheb_two_factor.security.google_authenticator')->generateSecret();
+        $user->setGoogleAuthenticatorSecret($secret);
+        $user->setEmailTwoFactor(false);
 
-            $user->setGoogleAuthenticatorSecret($secret);
-            $user->setEmailTwoFactor(false);
-            $user->setBackupCodes((new BackupCodes())->toArray());
+        $backupCodes = (new BackupCodes())->toArray();
+        $backupCodesHashed = array_map(
+            function ($backupCode) {
+                return password_hash($backupCode, PASSWORD_DEFAULT);
+            },
+            $backupCodes
+        );
 
-            $this->container->get('fos_user.user_manager')->updateUser($user, true);
-        }
+        $user->setBackupCodes($backupCodesHashed);
+
+        $this->container->get('fos_user.user_manager')->updateUser($user, true);
 
         return $this->render('WallabagCoreBundle:Config:otp_app.html.twig', [
+            'backupCodes' => $backupCodes,
             'qr_code' => $this->get('scheb_two_factor.security.google_authenticator')->getQRContent($user),
         ]);
     }
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
index 2e4442e3..0919646e 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
@@ -20,7 +20,7 @@
         <li>
             <p>{{ 'config.otp.app.two_factor_code_description_3'|trans }}</p>
 
-            <p><strong>{{ app.user.getBackupCodes|join("\n")|nl2br }}</strong></p>
+            <p><strong>{{ backupCodes|join("\n")|nl2br }}</strong></p>
         </li>
         <li>
             <p>{{ 'config.otp.app.two_factor_code_description_4'|trans }}</p>
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
index 6aef355e..7875d787 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
@@ -24,7 +24,7 @@
                         <li>
                             <p>{{ 'config.otp.app.two_factor_code_description_3'|trans }}</p>
 
-                            <p><strong>{{ app.user.getBackupCodes|join("\n")|nl2br }}</strong></p>
+                            <p><strong>{{ backupCodes|join("\n")|nl2br }}</strong></p>
                         </li>
                         <li>
                             <p>{{ 'config.otp.app.two_factor_code_description_4'|trans }}</p>
diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php
index ab34e2bf..43fa6a80 100644
--- a/src/Wallabag/UserBundle/Entity/User.php
+++ b/src/Wallabag/UserBundle/Entity/User.php
@@ -339,7 +339,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
      */
     public function isBackupCode(string $code): bool
     {
-        return \in_array($code, $this->backupCodes, true);
+        return false === $this->findBackupCode($code) ? false : true;
     }
 
     /**
@@ -347,7 +347,7 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
      */
     public function invalidateBackupCode(string $code): void
     {
-        $key = array_search($code, $this->backupCodes, true);
+        $key = $this->findBackupCode($code);
 
         if (false !== $key) {
             unset($this->backupCodes[$key]);
@@ -385,4 +385,24 @@ class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorI
             return $this->clients->first();
         }
     }
+
+    /**
+     * Try to find a backup code from the list of backup codes of the current user.
+     *
+     * @param string $code Given code from the user
+     *
+     * @return string|false
+     */
+    private function findBackupCode(string $code)
+    {
+        foreach ($this->backupCodes as $key => $backupCode) {
+            // backup code are hashed using `password_hash`
+            // see ConfigController->otpAppAction
+            if (password_verify($code, $backupCode)) {
+                return $key;
+            }
+        }
+
+        return false;
+    }
 }
-- 
cgit v1.2.3