Improved TOTp handling in login.

Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well.
2026-04-19 23:03:45 +02:00 · 2015-12-10 21:58:17 -05:00
parent 7345385442
commit 288ee1a258
5 changed files with 113 additions and 101 deletions
--- a/resources/lang/en/auth.php
+++ b/resources/lang/en/auth.php
@@ -21,5 +21,6 @@ return [
    'sendlink' => 'Send Password Reset Link',
    'emailsent' => 'Your password reset email is on its way.',
    'remeberme' => 'Remeber Me',
+    'totp_failed' => 'The TOTP token provided was invalid. Please ensure that the token generated by your device was valid.'

 ];
--- a/resources/lang/en/strings.php
+++ b/resources/lang/en/strings.php
@@ -12,7 +12,6 @@ return [
    'password' => 'Password',
    'email' => 'Email',
    'whoops' => 'Whoops',
-    'failed' => 'Your request could not be processed. Please try again later.',
    'success' => 'Success',
    'location' => 'Location',
    'node' => 'Node',