From 32f9874ae713922e721e27372c6f068ba89488fd Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?= <duesterhus@woltlab.com>
Date: Tue, 10 Nov 2020 15:19:39 +0100
Subject: [PATCH] Clear MFA inputs if an invalid code is entered

It's not useful preserving an invalid code for the user.
---
 .../system/user/multifactor/BackupMultifactorMethod.class.php  | 2 ++
 .../system/user/multifactor/TotpMultifactorMethod.class.php    | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
index 4a70764c8b..cdb217e85f 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/BackupMultifactorMethod.class.php
@@ -219,6 +219,7 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 					FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
 					$attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT1H'));
 					if ($attempts['count'] > self::USER_ATTEMPTS_PER_HOUR) {
+						$field->value('');
 						$field->addValidationError(new FormFieldValidationError(
 							'flood',
 							'wcf.user.security.multifactor.backup.error.flood',
@@ -230,6 +231,7 @@ class BackupMultifactorMethod implements IMultifactorMethod {
 					$userCode = \preg_replace('/\s+/', '', $field->getValue());
 					
 					if ($this->findValidCode($userCode, $codes) === null) {
+						$field->value('');
 						$field->addValidationError(new FormFieldValidationError('invalid'));
 					}
 				})),
diff --git a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
index 9ab6969a34..d081f22020 100644
--- a/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
+++ b/wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php
@@ -67,6 +67,7 @@ class TotpMultifactorMethod implements IMultifactorMethod {
 						
 						$minCounter = 0;
 						if (!$totp->validateTotpCode($field->getValue(), $minCounter, new \DateTime())) {
+							$field->value('');
 							$field->addValidationError(new FormFieldValidationError('invalid'));
 						}
 						$field->minCounter($minCounter);
@@ -211,6 +212,7 @@ class TotpMultifactorMethod implements IMultifactorMethod {
 					FloodControl::getInstance()->registerUserContent('com.woltlab.wcf.multifactor.backup', $setupId);
 					$attempts = FloodControl::getInstance()->countUserContent('com.woltlab.wcf.multifactor.backup', $setupId, new \DateInterval('PT10M'));
 					if ($attempts['count'] > self::USER_ATTEMPTS_PER_TEN_MINUTES) {
+						$field->value('');
 						$field->addValidationError(new FormFieldValidationError(
 							'flood',
 							'wcf.user.security.multifactor.totp.error.flood',
@@ -235,6 +237,7 @@ class TotpMultifactorMethod implements IMultifactorMethod {
 					$totp = new Totp($selectedDevice['secret']);
 					$minCounter = $selectedDevice['minCounter'];
 					if (!$totp->validateTotpCode($field->getValue(), $minCounter, new \DateTime())) {
+						$field->value('');
 						$field->addValidationError(new FormFieldValidationError('invalid'));
 					}
 					$field->minCounter($minCounter);
-- 
2.20.1