diff --git a/app/Classes/TimedTOTP.php b/app/Classes/TimedTOTP.php
index f3c87743..4fcb48f2 100644
--- a/app/Classes/TimedTOTP.php
+++ b/app/Classes/TimedTOTP.php
@@ -4,6 +4,7 @@
 use OTPHP\TOTP;
 use OTPHP\Factory;
+use Assert\AssertionFailedException;
 class TimedTOTP
 {
@@ -16,10 +17,11 @@ class TimedTOTP
 */
 public static function get($uri)
 {
+
 try {
 $otp = Factory::loadFromProvisioningUri($uri);
 }
- catch (InvalidArgumentException $exception) {
+ catch (AssertionFailedException $exception) {
 return false;
 }
diff --git a/app/Http/Controllers/QrCodeController.php b/app/Http/Controllers/QrCodeController.php
index 94c3af92..9e542911 100644
--- a/app/Http/Controllers/QrCodeController.php
+++ b/app/Http/Controllers/QrCodeController.php
@@ -3,11 +3,11 @@
 namespace App\Http\Controllers;
 use Validator;
-use Illuminate\Http\Request;
-use Illuminate\Http\File;
-use Illuminate\Support\Facades\Storage;
 use Zxing\QrReader;
-use App\TwoFAccount;
+use App\Classes\TimedTOTP;
+use Illuminate\Http\File;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Storage;
 class QrCodecontroller extends Controller
 {
@@ -39,6 +39,7 @@ public function decode(Request $request)
 $qrcode = new QrReader(storage_path('app/' . $path));
 $uri = urldecode($qrcode->text());
+ // delete uploaded file
 Storage::delete($path);
 if( empty($uri) ) {
@@ -51,6 +52,17 @@ public function decode(Request $request)
 }
+ // Check uri validity
+ if( !TimedTOTP::get($uri) ) {
+ return response()->json([
+ 'error' => [
+ 'uri' => 'This uri do not return any TOTP code 😕'
+ ]
+ ], 400);
+ }
+
 $uriChunks = explode('?', $uri);
 foreach(explode('&', $uriChunks[1]) as $option) {
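Review bot: The new catch clause handles only `AssertionFailedException`, so any other exception that `Factory::loadFromProvisioningUri()` raises for a bad URI (as far as I recall, OTPHP's factory throws a plain `\InvalidArgumentException` for an unsupported OTP type) now escapes `get()` as an uncaught error instead of the `false` the caller tests for. The removed clause named `InvalidArgumentException` unqualified, which inside the `App\Classes` namespace could never have matched, so the intent is probably to widen rather than swap: `catch (AssertionFailedException | \InvalidArgumentException $exception) {`. Since the method is untyped, the docblock closed by the ` */` context line should also state the failure value, e.g. `@return string|false`. The body of `get()` continues past the hunk, and the controller relies on its `false` return.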
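Review bot: The validity check tests `TimedTOTP::get($uri)` for truthiness, but `get()` returns `false` on failure and a numeric code string on success, so an explicit comparison, `if (TimedTOTP::get($uri) === false) {`, documents the contract and cannot misfire on a code string that happens to be falsy. The message on the `'uri' =>` line reads "This uri do not return any TOTP code", which should be "This URI does not return any TOTP code". The block computes and discards a real OTP purely to prove the scanned content is loadable; a comment such as `// get() returns false when the OTP factory rejects the uri` above the `if` would make that intent clear, and it usefully guarantees that `$uriChunks[1]` exists on the following lines. `decode()` starts before the hunk and continues after it.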