From d2602121abe375a128d5e458c288df26d01a977c Mon Sep 17 00:00:00 2001
From: Marco
Date: Thu, 4 Jul 2024 13:53:07 +0200
Subject: [PATCH] Delete OTPs from incomplete attempts to set up 2FA
---
 src/Auth.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/Auth.php b/src/Auth.php
index 0769f2e..acfb597 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -1869,6 +1869,20 @@ final class Auth extends UserManager {
 catch (Error $e) {
 throw new DatabaseError($e->getMessage());
 }
+
+ // delete any one-time passwords for the user that were for (verification of) the old configuration
+ try {
+ $this->db->exec(
+ 'DELETE FROM ' . $this->makeTableName('users_otps') . ' WHERE user_id = ? AND mechanism = ? AND expires_at IS NOT NULL',
+ [
+ $this->getUserId(),
+ $mechanism,
+ ]
+ );
+ }
+ catch (Error $e) {
+ throw new DatabaseError($e->getMessage());
+ }
 }
 // if the existing configuration has been completed/enabled already
 else {
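Review bot: The predicate `expires_at IS NOT NULL` is what narrows the new DELETE to the verification one-time passwords instead of every OTP the user holds for this mechanism, but the comment above the statement does not say so, and a reader has to know the `users_otps` layout to see why permanent codes are spared. Suggest extending the comment to `// delete any one-time passwords for the user that were for (verification of) the old configuration; only those rows carry an expiry, so 'expires_at IS NOT NULL' leaves permanent codes untouched`, provided that is indeed the table's convention (confirm against the schema). The DELETE also runs in its own `try`/`catch`, separate from the preceding block whose `catch` is the first context line; if that earlier block changes the stored configuration and this DELETE then fails, the configuration change has already been applied while the stale OTPs survive, which is the state the commit is trying to remove, so if the database layer supports transactions, issuing both statements in one would keep them consistent. The enclosing method begins and ends outside this hunk.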