From f6090655bfda2277fdec7ec5054b132c6d255213 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sun, 3 Nov 2019 20:47:21 +0300
Subject: [PATCH] 2fa: check TOTP based on previous secret values (oops of the year, 2019)

---
 plugins/auth_internal/init.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php
index 478ec1440..bcba7970a 100644
--- a/plugins/auth_internal/init.php
+++ b/plugins/auth_internal/init.php
@@ -31,14 +31,7 @@ class Auth_Internal extends Plugin implements IAuthModule {
 $sth->execute([$login]);
 if ($row = $sth->fetch()) {
-
- $base32 = new \OTPHP\Base32();
-
 $otp_enabled = $row['otp_enabled'];
- $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
-
- $topt = new \OTPHP\TOTP($secret);
- $otp_check = $topt->now();
 if ($otp_enabled) {
@@ -48,7 +41,18 @@ class Auth_Internal extends Plugin implements IAuthModule {
 }
 if ($otp) {
- if ($otp != $otp_check) {
+ $base32 = new \OTPHP\Base32();
+
+ $secret = $base32->encode(mb_substr(sha1($row["salt"]), 0, 12), false);
+ $secret_legacy = $base32->encode(sha1($row["salt"]));
+
+ $totp = new \OTPHP\TOTP($secret);
+ $otp_check = $totp->now();
+
+ $totp_legacy = new \OTPHP\TOTP($secret_legacy);
+ $otp_check_legacy = $totp_legacy->now();
+
+ if ($otp != $otp_check && $otp != $otp_check_legacy) {
 return false;
 }
 } else {
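Review bot: The new condition in the second hunk still compares the user-supplied code with loose `!=`, so two numeric strings that differ only in leading zeros or in numeric form (for example `"000123"` against `"123"`) compare as equal, and the comparison is not constant-time either. Both generated codes are strings from `->now()`, so the check can be written as `if (!hash_equals($otp_check, (string)$otp) && !hash_equals($otp_check_legacy, (string)$otp)) {`, which is strict and timing-safe. Accepting either the current or the legacy derivation means two valid codes exist per time step, which is presumably a deliberate migration aid; it is worth logging when only the legacy secret matched so the fallback can be retired later, and confirming that whatever attempt limiting applies to this path still covers both branches. The enclosing method begins before the first hunk and continues past the last one.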