From b8d70f881055095c92de0d601e785657d10f6d11 Mon Sep 17 00:00:00 2001
From: IanM <16573496+imorland@users.noreply.github.com>
Date: Tue, 6 Feb 2024 21:50:47 +0000
Subject: [PATCH] fix: impossible to login after incorrect otp entry when turnstile active (#26)

* fix: impossible to login after incorrect otp entry when turnstile active

* Apply fixes from StyleCI

---------

Co-authored-by: StyleCI Bot
---
 composer.json | 8 +++--
 .../CreateTwoFactorTokenController.php | 14 ++++++--
 .../Controller/TwoFactorLogInController.php | 33 +++++++++++++------
 3 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/composer.json b/composer.json
index 27e64cc..27e56a3 100644
--- a/composer.json
+++ b/composer.json
@@ -42,7 +42,10 @@
 "name": "fas fa-shield-alt",
 "color": "#fff",
 "backgroundColor": "#0072e3"
- }
+ },
+ "optional-dependencies": [
+ "blomstra/turnstile"
+ ]
 },
 "flarum-cli": {
 "modules": {
@@ -93,6 +96,7 @@
 "fof/oauth": "*",
 "flarum/phpstan": "^1.8",
 "blomstra/gdpr": "@beta",
- "sycho/flarum-private-facade": "^0.1.16"
+ "sycho/flarum-private-facade": "^0.1.16",
+ "blomstra/turnstile": "*"
 }
 }
diff --git a/src/Api/Controller/CreateTwoFactorTokenController.php b/src/Api/Controller/CreateTwoFactorTokenController.php
index 6823da3..5e70e32 100644
--- a/src/Api/Controller/CreateTwoFactorTokenController.php
+++ b/src/Api/Controller/CreateTwoFactorTokenController.php
@@ -30,8 +30,12 @@ class CreateTwoFactorTokenController implements RequestHandlerInterface
 {
 use TwoFactorAuthenticationTrait;
- public function __construct(protected TotpInterface $totp, protected UserRepository $users, protected BusDispatcher $bus, protected EventDispatcher $events)
- {
+ public function __construct(
+ protected TotpInterface $totp,
+ protected UserRepository $users,
+ protected BusDispatcher $bus,
+ protected EventDispatcher $events
+ ) {
 }
 public function handle(ServerRequestInterface $request): ResponseInterface
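Review bot: `"blomstra/turnstile": "*"` in the require-dev hunk accepts any release of that package, including a future major that could rename the extension or change the validation hooks that the `isEnabled('blomstra-turnstile')` guard in TwoFactorLogInController depends on; pinning to the version the fix was verified against, e.g. `"blomstra/turnstile": "^<tested-version>"`, keeps dev installs reproducible. The `fof/oauth` entry just above carries the same wildcard, so this follows the file's existing style, but it is worth tightening both if no lockfile is committed for this repository.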
@@ -50,9 +54,13 @@ public function handle(ServerRequestInterface $request): ResponseInterface
 if ($this->twoFactorActive($user)) {
 $token = $this->retrieveTwoFactorTokenFrom(Arr::get($body, 'twoFactorToken'));
- if (! $this->isTokenActive($token, $user)) {
+ if (! $token) {
 throw new ValidationException(['twoFactorToken' => 'two_factor_required']);
 }
+
+ if (! $this->isTokenActive($token, $user)) {
+ throw new ValidationException(['twoFactorToken' => 'two_factor_incorrect']);
+ }
 }
 if (Arr::get($body, 'remember')) {
diff --git a/src/Api/Controller/TwoFactorLogInController.php b/src/Api/Controller/TwoFactorLogInController.php
index a61a5ff..3cc75e5 100644
--- a/src/Api/Controller/TwoFactorLogInController.php
+++ b/src/Api/Controller/TwoFactorLogInController.php
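Review bot: `if (! $token)` is a truthiness test, so a submitted value of `'0'` would be reported as `two_factor_required` rather than `two_factor_incorrect`; if `retrieveTwoFactorTokenFrom` returns `null` for a missing or blank value, `if ($token === null) {` states the intent exactly and leaves every non-empty string to `isTokenActive`. Going by the commit title, the two distinct error codes are what lets the client keep the OTP prompt open after a wrong entry, which deserves a line above the first check: `// Distinguish "no code submitted" from "wrong code" so the client can re-prompt instead of restarting the login.` Whether `retrieveTwoFactorTokenFrom` normalises its input is not visible here, and handle's body begins and ends outside the hunk.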
@@ -11,32 +11,45 @@ namespace IanM\TwoFactor\Api\Controller;
+use Flarum\Api\Client;
+use Flarum\Extension\ExtensionManager;
 use Flarum\Forum\Controller\LogInController;
+use Flarum\Forum\LogInValidator;
 use Flarum\Http\AccessToken;
 use Flarum\Http\RememberAccessToken;
+use Flarum\Http\Rememberer;
+use Flarum\Http\SessionAuthenticator;
 use Flarum\User\Event\LoggedIn;
+use Flarum\User\UserRepository;
+use Illuminate\Contracts\Events\Dispatcher;
 use Illuminate\Support\Arr;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
 class TwoFactorLogInController extends LogInController
 {
+ public function __construct(
+ UserRepository $users,
+ Client $apiClient,
+ SessionAuthenticator $authenticator,
+ Dispatcher $events,
+ Rememberer $rememberer,
+ LogInValidator $validator,
+ protected ExtensionManager $extensions
+ ) {
+ parent::__construct($users, $apiClient, $authenticator, $events, $rememberer, $validator);
+ }
+
 public function handle(Request $request): ResponseInterface
 {
 $body = $request->getParsedBody();
- $identification = Arr::get($body, 'identification');
- $password = Arr::get($body, 'password');
- $remember = Arr::get($body, 'remember');
- $twoFactorToken = Arr::get($body, 'twoFactorToken');
- $this->validator->assertValid($body);
+ if (! $this->extensions->isEnabled('blomstra-turnstile') && empty(Arr::get($body, 'twoFactorToken'))) {
+ $this->validator->assertValid($body);
+ }
 $response = $this->apiClient->withParentRequest($request)
- ->withBody([
- 'identification' => $identification,
- 'password' => $password,
- 'remember' => $remember,
- 'twoFactorToken' => $twoFactorToken])
+ ->withBody($body)
 ->post('/token');
 if ($response->getStatusCode() === 200) {
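Review bot: The new condition skips `LogInValidator` on every request whenever Turnstile is enabled, including the first submission that carries no `twoFactorToken`, so unless the Turnstile check is also applied inside the `/token` request this removes the captcha from the login form altogether rather than only from the OTP retry. Skipping validation only when a code is being submitted keeps the first-round check and still avoids re-running the validator on the retry: `if (empty(Arr::get($body, 'twoFactorToken'))) { $this->validator->assertValid($body); }`. Whichever condition is kept should say why validation is bypassed, presumably because a Turnstile response can only be verified once, e.g. `// The captcha response is single-use; re-validating it on the OTP round-trip would reject a correct login.` `->withBody($body)` also replaces the former four-field allow-list with the whole parsed body, so every client-supplied key now reaches `/token`; if that is intended to carry the captcha response through, a comment saying so would stop a later reader from restoring the allow-list. handle's body continues beyond the hunk.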