From eba7cd26577a8697820654fd9a2daeaddcb135fc Mon Sep 17 00:00:00 2001
From: Marco
Date: Thu, 4 Jul 2024 13:35:27 +0200
Subject: [PATCH] Extract sanitization of OTP values into separate method

---
 src/Auth.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/Auth.php b/src/Auth.php
index 62baa11..0769f2e 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -813,9 +813,7 @@ final class Auth extends UserManager {
 		}
 		$_SESSION[self::SESSION_FIELD_AWAITING_2FA_USER_ID] = (int) $_SESSION[self::SESSION_FIELD_AWAITING_2FA_USER_ID];
-		$otpValue = !empty($otpValue) ? (string) $otpValue : '';
-		$otpValue = \preg_replace('/[^A-Za-z0-9]/', '', $otpValue);
-		$otpValue = \strtoupper($otpValue);
+		$otpValue = !empty($otpValue) ? self::sanitizeOtpValue((string) $otpValue) : '';
 		if (empty($otpValue)) {
 			throw new InvalidOneTimePasswordException();
@@ -2010,7 +2008,7 @@ final class Auth extends UserManager {
 		$this->throttle([ 'enableTwoFactor', 'mechanism', $mechanism, 'userId', $this->getUserId() ], 2, (60 * 60), 2);
 		$this->throttle([ 'enableTwoFactor', 'mechanism', $mechanism, $this->getIpAddress() ], 3, (60 * 60), 3);
-		$otpValue = !empty($otpValue) ? \trim((string) $otpValue) : null;
+		$otpValue = !empty($otpValue) ? self::sanitizeOtpValue((string) $otpValue) : '';
 		if (empty($otpValue)) {
 			throw new InvalidOneTimePasswordException();
@@ -2663,4 +2661,12 @@ final class Auth extends UserManager {
 		return null;
 	}
+	private static function sanitizeOtpValue($otpValue) {
+		$otpValue = \trim($otpValue);
+		$otpValue = \preg_replace('/[^A-Za-z0-9]/', '', $otpValue);
+		$otpValue = \strtoupper($otpValue);
+
+		return $otpValue;
+	}
+
 }
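Review bot: The replaced line in the second hunk (old line 2010, the `enableTwoFactor` path) changes behavior rather than only extracting code: the confirmation code was previously only trimmed, but now also has every non-alphanumeric character stripped and is uppercased, and the empty fallback moves from `null` to `''`. The `empty()` check that follows makes the null-versus-empty-string change harmless, but a code that previously failed because of a stray separator or lowercase letter is now normalized before verification, which the subject line "Extract sanitization" does not convey. If that broadening is intended, the commit message should say so; if not, the call site should keep `\trim((string) $otpValue)` and only the first hunk should switch to the helper. The enclosing method starts before the hunk and continues after it.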
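Review bot: The new `sanitizeOtpValue` declares no parameter or return type and does not handle the case where `\preg_replace` returns `null` on a PCRE error, which then reaches `\strtoupper` (null arguments to string functions are deprecated since PHP 8.1). Coalescing keeps the contract a plain string: `$otpValue = \preg_replace('/[^A-Za-z0-9]/', '', $otpValue) ?? '';` and a docblock with `@param string $otpValue` and `@return string` would state the expectation that both call sites already satisfy by casting. Adding `string` type declarations on the parameter and return (and the `??` operator itself) are options only if the project's minimum PHP version allows them, which is not visible in this patch. Both callers check `empty()` after the call, so a null-derived empty string would already be rejected; this is about making the helper's contract explicit rather than a live fault.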