Only allow the recovery endpoint to be called once if the code is wrong

flexiapi/app/Http/Controllers/Api/Account/AccountController.php

@@ -231,12 +231,14 @@ class AccountController extends Controller
             ? $alias->account
             : Account::sip($sip)->firstOrFail();
 
-        if ($account->confirmation_key != $recoveryKey) abort(404);
+        $confirmationKey = $account->confirmation_key;
+        $account->confirmation_key = null;
+
+        if ($confirmationKey != $recoveryKey) abort(404);
 
         if ($account->activationExpired()) abort(403, 'Activation expired');
 
         $account->activated = true;
-        $account->confirmation_key = null;
         $account->save();
 
         $account->passwords->each(function ($i, $k) {

flexiapi/resources/views/api/documentation_markdown.blade.php

@@ -209,6 +209,8 @@ Return `phone: true` if the returned account has a phone number.
 Send a SMS with a recovery PIN code to the `phone` number provided.
 Return `404` if the account doesn't exists.
 
+Can only be used once, a new `recover_key` need to be requested to be called again.
+
 JSON parameters:
 
 * `phone` required the phone number to send the SMS to

flexiapi/tests/Feature/ApiAccountTest.php

@@ -669,6 +669,23 @@ class ApiAccountTest extends TestCase
             ->assertStatus(200);
     }
 
+    public function testRecoverTwice()
+    {
+        $confirmationKey = '1234';
+
+        $password = Password::factory()->create();
+        $password->account->generateApiKey();
+        $password->account->confirmation_key = $confirmationKey;
+        $password->account->activated = false;
+        $password->account->save();
+
+        $this->get($this->route . '/' . $password->account->identifier . '/recover/wrongkey')
+            ->assertStatus(404);
+
+        $this->get($this->route . '/' . $password->account->identifier . '/recover/' . $confirmationKey)
+            ->assertStatus(404);
+    }
+
     /**
      * /!\ Dangerous endpoints
      */