diff --git a/bookwyrm/forms/edit_user.py b/bookwyrm/forms/edit_user.py
index a7effaf08..51be68a51 100644
--- a/bookwyrm/forms/edit_user.py
+++ b/bookwyrm/forms/edit_user.py
@@ -123,6 +123,7 @@ class ConfirmPasswordForm(CustomForm):
 class Confirm2FAForm(CustomForm):
 otp = forms.CharField(max_length=6, min_length=6, widget=forms.TextInput)
+ # IDK if we need this?
 class Meta:
 model = models.User
 fields = ["otp_secret"]
@@ -133,4 +134,16 @@ class Confirm2FAForm(CustomForm):
 totp = pyotp.TOTP(self.instance.otp_secret)
 if not totp.verify(otp):
- self.add_error("otp", _("Code does not match"))
+ # maybe it's a backup code?
+ hotp = pyotp.HOTP(self.instance.otp_secret)
+ hotp_count = (
+ self.instance.hotp_count if self.instance.hotp_count is not None else 0
+ )
+
+ if not hotp.verify(otp, hotp_count):
+ self.add_error("otp", _("Code does not match"))
+
+ # TODO: backup codes
+ # increment the user hotp_count if it was an HOTP
+ # self.instance.hotp_count = hotp_count + 1
+ # self.instance.save(broadcast=False, update_fields=["hotp_count"])
diff --git a/bookwyrm/templates/preferences/2fa.html b/bookwyrm/templates/preferences/2fa.html
index 798716ac4..e5e9684ce 100644
--- a/bookwyrm/templates/preferences/2fa.html
+++ b/bookwyrm/templates/preferences/2fa.html
@@ -29,7 +29,7 @@
 {{ qrcode | safe }}
-
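Review bot: The added `# IDK if we need this?` above `class Meta` in Confirm2FAForm is an open question rather than documentation and should be resolved before this merges. The Meta block appears to exist so the form is bound to a User instance whose `otp_secret` the verification code reads; if that is the reason, state it, e.g. `# Bound to User so clean() can read instance.otp_secret / hotp_count`, and otherwise drop the comment. Leaving "IDK" comments in a 2FA form makes the next maintainer doubt whether the binding is load-bearing.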
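Review bot: A code that passes `hotp.verify(otp, hotp_count)` on the new side remains valid on every later attempt, because the counter increment and save are left commented out under the TODO, so a captured "backup" code can be replayed until the user happens to rotate the secret. The counter has to be advanced and persisted on every successful HOTP match before this lands, roughly `self.instance.hotp_count = hotp_count + 1` followed by `self.instance.save(broadcast=False, update_fields=["hotp_count"])` in the success branch (the enclosing method's header lies outside the hunk, so check where the success path actually returns). The fallback also derives the backup code from the same `otp_secret` as the TOTP, so it is not an independent recovery factor; if these are meant as recovery codes, a separate set of random single-use codes stored hashed is the usual shape. Since a TOTP miss now always runs a second verification against the same secret, it would be worth logging failed OTP attempts at this boundary so repeated guessing is visible to the operator.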