Delete OTPs from incomplete attempts to set up 2FA

2025-07-31 13:20:11 +02:00 · 2024-07-04 13:53:07 +02:00
parent eba7cd2657
commit d2602121ab
1 changed files with 14 additions and 0 deletions
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -1869,6 +1869,20 @@ final class Auth extends UserManager {
 					catch (Error $e) {
 						throw new DatabaseError($e->getMessage());
 					}
+
+					// delete any one-time passwords for the user that were for (verification of) the old configuration
+					try {
+						$this->db->exec(
+							'DELETE FROM ' . $this->makeTableName('users_otps') . ' WHERE user_id = ? AND mechanism = ? AND expires_at IS NOT NULL',
+							[
+								$this->getUserId(),
+								$mechanism,
+							]
+						);
+					}
+					catch (Error $e) {
+						throw new DatabaseError($e->getMessage());
+					}
 				}
 				// if the existing configuration has been completed/enabled already
 				else {