Jakach/jakach-login
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

adding ratelimiting with reddis db
Deploy / deploy (push) Failing after 3s
Details

Browse Source
This commit is contained in:
janis steiner
2026-05-06 09:27:02 +02:00
parent d82a08f77b
commit 5deb0e1056
16 changed files with 312 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app-code/api/account/update_2fa.php
+20 -5
View File
@@ -39,13 +39,28 @@ if(!isset($data->enable_2fa) || !is_bool($data->enable_2fa)){
exit();
}
if($data->enable_2fa==true){
//create 2fa secret key
$twofa_secret=generateBase32Secret();
$twofa_pin = trim((string)($data->twofa_pin ?? ""));
if ($twofa_pin === "") {
$twofa_secret=generateBase32Secret();
$_SESSION["pending_2fa_secret"]=$twofa_secret;
echo json_encode(['success' => true, 'pending' => true, 'message' => 'Scan this QR code, then enter the current 2FA code to confirm enrollment.', 'token' => $twofa_secret]);
exit();
}
check_rate_limit($conn, 'setup_2fa', 5, 10 * 60, (string)$id);
$twofa_secret = $_SESSION["pending_2fa_secret"] ?? "";
if ($twofa_secret === "" || !hash_equals(generateTOTP($twofa_secret), $twofa_pin)) {
echo json_encode(['success' => false, 'message' => 'Invalid 2FA code.']);
exit();
}
$sql="UPDATE users SET 2fa = ?, auth_method_enabled_2fa = 1, auth_method_required_2fa = 1 WHERE id = ?";
if ($update_stmt = $conn->prepare($sql)) {
$update_stmt->bind_param("si", $twofa_secret, $id);
if ($update_stmt->execute()) {
echo json_encode(['success' => true, 'message' => '2FA enabled. Your 2fa secret is: '.$twofa_secret.'', 'token' => $twofa_secret]);
unset($_SESSION["pending_2fa_secret"]);
clear_rate_limit($conn, 'setup_2fa', (string)$id);
echo json_encode(['success' => true, 'message' => '2FA enabled.']);
} else {
echo json_encode(['success' => false, 'message' => 'Failed to enable 2fa.']);
}
@@ -56,8 +71,8 @@ if($data->enable_2fa==true){
}
if($data->enable_2fa==false){
//create 2fa secret key
$sql="UPDATE users SET auth_method_enabled_2fa = 0, auth_method_required_2fa = 0 WHERE id = ?";
unset($_SESSION["pending_2fa_secret"]);
$sql="UPDATE users SET 2fa = '', auth_method_enabled_2fa = 0, auth_method_required_2fa = 0 WHERE id = ?";
if ($update_stmt = $conn->prepare($sql)) {
$update_stmt->bind_param("i",$id);
if ($update_stmt->execute()) {