From ee4ab7694b25907ee82ca4c41a44b0770a9b24d2 Mon Sep 17 00:00:00 2001
From: Herman van Rink <rink@initfour.nl>
Date: Fri, 11 Mar 2022 22:50:41 +0100
Subject: [PATCH] Keep otp_recovery out of the session

---
 interface/web/login/index.php | 1 -
 interface/web/login/otp.php   | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index b5b86be615..7be4e2c365 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -148,7 +148,6 @@ function process_login_request(app $app, &$error, $conf, $module)
 				$_SESSION['otp']['session_attempts'] = 0;
 				$_SESSION['otp']['type'] = $user['otp_type'];
 				$_SESSION['otp']['data'] = $user['otp_data'];
-				$_SESSION['otp']['recovery'] = $user['otp_recovery'];
 
 				//* Redirect to otp script
 				header('Location: otp.php');
diff --git a/interface/web/login/otp.php b/interface/web/login/otp.php
index 44f3d2fed2..8312d6dc53 100644
--- a/interface/web/login/otp.php
+++ b/interface/web/login/otp.php
@@ -76,10 +76,10 @@ function finish_2fa_success($msg = '') {
 }
 
 //* Handle recovery code
-if(isset($_POST['code']) && strlen($_POST['code']) == $otp_recovery_code_length && $_SESSION['otp']['recovery']) {
+if(isset($_POST['code']) && strlen($_POST['code']) == $otp_recovery_code_length) {
 	//* TODO Recovery code handling
 
-	$user = $app->db->queryOneRecord('SELECT otp_attempts FROM sys_user WHERE userid = ?',$_SESSION['s_pending']['user']['userid']);
+	$user = $app->db->queryOneRecord('SELECT otp_attempts, otp_recovery FROM sys_user WHERE userid = ?',$_SESSION['s_pending']['user']['userid']);
 
 	//* We allow one more try to enter recovery code
 	if($user['otp_attempts'] > $max_global_code_retry + 1) {
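Review bot: Dropping `&& $_SESSION['otp']['recovery']` from the condition on the `+` line means any POSTed code of recovery-code length now enters this branch for users who have no recovery code at all; the replacement row fetched at the `queryOneRecord` line is not checked for an empty `otp_recovery` anywhere visible in the hunk, and the rest of the branch runs past the hunk, so I cannot confirm it is checked later. The cheapest equivalent of the old guard is to bail straight after the query, before the attempt counter is consulted: `if(empty($user['otp_recovery'])) { /* no recovery code configured; treat as a failed attempt */ }` routed to the same failure path the retry check uses. Wherever the submitted code is eventually compared with `$user['otp_recovery']`, a constant-time `hash_equals()` is preferable to `==`/`===` on a secret. The enclosing `if` block continues beyond the end of this hunk.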
-- 
GitLab