Skip to content

Commit 817b3ca

Browse files
committed
Fix Yubikey OTP being case sensitive
1 parent be18ef4 commit 817b3ca

3 files changed

Lines changed: 10 additions & 5 deletions

File tree

app/Http/Controllers/Profile/Settings/TwoFactor/YubikeySetupController.php

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -40,10 +40,14 @@ public function store(YubikeyStoreRequest $request)
4040
}
4141
RateLimiter::hit($limitKey, 120);
4242
$yubico = new YubicoService();
43-
$yubico->verify($request->input('code'));
43+
$otp = strtolower($request->input('code'));
44+
$yubico->verify($otp);
4445

4546
// Check if the Yubikey is already registered
46-
if ($request->user()->twoFactors()->where('identifier', $yubico->identifier)->exists()) {
47+
$already_exists = $request->user()->twoFactors()
48+
->whereRaw('LOWER(identifier) = ?', [$yubico->identifier])
49+
->exists();
50+
if ($already_exists) {
4751
throw ValidationException::withMessages(['code' => 'This Yubikey is already registered.']);
4852
}
4953
// Create the Yubikey

app/Http/Controllers/TwoFactorController.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -74,9 +74,9 @@ public function submit(Request $request)
7474
public function verifyYubikey($data, Collection $twoFactors, $user): bool
7575
{
7676
// Get the first 12 characters of the code
77-
$identifier = substr($data['code'], 0, 12);
77+
$identifier = strtolower(substr($data['code'], 0, 12));
7878
// Find the identifier in $collection
79-
$twoFactor = $twoFactors->firstWhere('identifier', $identifier);
79+
$twoFactor = $twoFactors->firstWhere(fn($factor) => strtolower($factor->identifier) === $identifier);
8080
if ($twoFactor === null) {
8181
throw ValidationException::withMessages(['code' => 'This Yubikey is not known.']);
8282
}

app/Services/YubicoService.php

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ class YubicoService
1313

1414
public function verify(string $otp): bool
1515
{
16+
$otp = strtolower($otp);
1617
$this->nonce = bin2hex(random_bytes(16));
1718

1819
$requestParams = [
@@ -48,7 +49,7 @@ public function verify(string $otp): bool
4849
throw ValidationException::withMessages(['code' => $errorMessage]);
4950
}
5051
// Get the first 12 characters of the OTP
51-
$this->identifier = substr($responseData['otp'], 0, 12);
52+
$this->identifier = strtolower(substr($responseData['otp'], 0, 12));
5253

5354
return true;
5455
}

0 commit comments

Comments
 (0)