From 8bb2c514b08f2460ccab5dcbfc752ade828417da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Jaussoin?=
Date: Wed, 8 Nov 2023 10:41:14 +0000
Subject: [PATCH] Only allow the recovery endpoint to be called once if the code is wrong
---
 .../Api/Account/AccountController.php | 6 ++++--
 .../views/api/documentation_markdown.blade.php | 2 ++
 flexiapi/tests/Feature/ApiAccountTest.php | 17 +++++++++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/flexiapi/app/Http/Controllers/Api/Account/AccountController.php b/flexiapi/app/Http/Controllers/Api/Account/AccountController.php
index 4539234..4b22978 100644
--- a/flexiapi/app/Http/Controllers/Api/Account/AccountController.php
+++ b/flexiapi/app/Http/Controllers/Api/Account/AccountController.php
@@ -231,12 +231,14 @@ class AccountController extends Controller
 ? $alias->account
 : Account::sip($sip)->firstOrFail();
- if ($account->confirmation_key != $recoveryKey) abort(404);
+ $confirmationKey = $account->confirmation_key;
+ $account->confirmation_key = null;
+
+ if ($confirmationKey != $recoveryKey) abort(404);
 if ($account->activationExpired()) abort(403, 'Activation expired');
 $account->activated = true;
- $account->confirmation_key = null;
 $account->save();
 $account->passwords->each(function ($i, $k) {
diff --git a/flexiapi/resources/views/api/documentation_markdown.blade.php b/flexiapi/resources/views/api/documentation_markdown.blade.php
index 19f9aa0..ab48f14 100644
--- a/flexiapi/resources/views/api/documentation_markdown.blade.php
+++ b/flexiapi/resources/views/api/documentation_markdown.blade.php
@@ -209,6 +209,8 @@ Return `phone: true` if the returned account has a phone number.
 Send a SMS with a recovery PIN code to the `phone` number provided.
 Return `404` if the account doesn't exists.
+Can only be used once, a new `recover_key` need to be requested to be called again.
+
 JSON parameters:
 * `phone` required the phone number to send the SMS to 
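Review bot: The cleared key is never persisted on the failure path: `$account->confirmation_key = null;` only changes the in-memory model, and both `abort(404)` and the `abort(403, 'Activation expired')` below it throw before the `$account->save();` later in the hunk, so after a wrong guess the stored key is unchanged and the endpoint can be retried — the opposite of what the commit title promises, unless something outside this hunk (an observer or middleware) saves the model on abort. Add `$account->save();` directly after clearing the key and before the comparison so the one-shot behaviour holds on the wrong-key and expired paths as well. The loose `!=` also deserves a fix while you are there: two numeric-looking PIN strings compare numerically in PHP (`'0012' == '12'` is true) and a null key compares equal to an empty string, so `if ($confirmationKey === null || !hash_equals((string) $confirmationKey, (string) $recoveryKey)) abort(404);` closes both gaps and compares in constant time. Consuming the key before validating it means anyone who knows the identifier can burn a legitimate user's pending code with one wrong request; that appears to be the intended trade-off, but it should be stated in the API documentation alongside the "used once" note. The enclosing method starts before this hunk and continues after it.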
diff --git a/flexiapi/tests/Feature/ApiAccountTest.php b/flexiapi/tests/Feature/ApiAccountTest.php
index 2d8b249..8ad4bd7 100644
--- a/flexiapi/tests/Feature/ApiAccountTest.php
+++ b/flexiapi/tests/Feature/ApiAccountTest.php
@@ -669,6 +669,23 @@ class ApiAccountTest extends TestCase
 ->assertStatus(200);
 }
+ public function testRecoverTwice()
+ {
+ $confirmationKey = '1234';
+
+ $password = Password::factory()->create();
+ $password->account->generateApiKey();
+ $password->account->confirmation_key = $confirmationKey;
+ $password->account->activated = false;
+ $password->account->save();
+
+ $this->get($this->route . '/' . $password->account->identifier . '/recover/wrongkey')
+ ->assertStatus(404);
+
+ $this->get($this->route . '/' . $password->account->identifier . '/recover/' . $confirmationKey)
+ ->assertStatus(404);
+ }
+
 /**
 * /!\ Dangerous endpoints
 */
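Review bot: testRecoverTwice asserts only the HTTP status of the second call, so it cannot distinguish "key invalidated in storage" from "second request failed for some other reason"; add `$password->account->refresh(); $this->assertNull($password->account->confirmation_key);` after the first request to pin the persisted state the commit depends on. That 404 on the correct key is only meaningful if the wrong-key request actually saved the cleared key, which the controller hunk in this patch does not obviously do since it aborts before `save()` — if this test passes as written, it is worth understanding why before merging. A sibling case that sends the correct key first (200) and the same key again (404) would cover the ordinary "used once" path the documentation change describes. The test method is complete within the hunk.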