Merge pull request #61297 from nextcloud/backport/61292/stable33

come-nc · web-flow · commit 57b2638897c4 · 2026-06-15T17:55:15.000+02:00
[stable33] fix(twofactor_backupcodes): Add a clean helper to set code as used
diff --git a/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php b/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php
@@ -54,4 +54,17 @@ public function deleteCodesByUserId(string $uid): void {
 			->where($qb->expr()->eq('user_id', $qb->createNamedParameter($uid)));
 		$qb->executeStatement();
 	}
+
+	/**
+	 * Marks the backup code as used, if not already marked as used in DB.
+	 * @return int number of affected rows
+	 */
+	public function markUsedIfUnused(BackupCode $code): int {
+		$qb = $this->db->getQueryBuilder();
+		$qb->update($this->getTableName())
+			->set('used', $qb->createNamedParameter(1, IQueryBuilder::PARAM_INT))
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($code->getId(), IQueryBuilder::PARAM_INT)))
+			->andWhere($qb->expr()->eq('used', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT)));
+		return $qb->executeStatement();
+	}
 }
diff --git a/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php b/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php
@@ -85,19 +85,12 @@ public function getBackupCodesState(IUser $user): array {
 		];
 	}
 
-	/**
-	 * @param IUser $user
-	 * @param string $code
-	 * @return bool
-	 */
 	public function validateCode(IUser $user, string $code): bool {
 		$dbCodes = $this->mapper->getBackupCodes($user);
 
 		foreach ($dbCodes as $dbCode) {
 			if ((int)$dbCode->getUsed() === 0 && $this->hasher->verify($code, $dbCode->getCode())) {
-				$dbCode->setUsed(1);
-				$this->mapper->update($dbCode);
-				return true;
+				return ($this->mapper->markUsedIfUnused($dbCode) === 1);
 			}
 		}
 		return false;
diff --git a/apps/twofactor_backupcodes/tests/Unit/Service/BackupCodeStorageTest.php b/apps/twofactor_backupcodes/tests/Unit/Service/BackupCodeStorageTest.php
@@ -157,12 +157,11 @@ public function testValidateCode(): void {
 			->with('CHALLENGE', 'HASHEDVALUE', $this->anything())
 			->willReturn(true);
 		$this->mapper->expects($this->once())
-			->method('update')
-			->with($code);
+			->method('markUsedIfUnused')
+			->with($code)
+			->willReturn(1);
 
 		$this->assertTrue($this->storage->validateCode($user, 'CHALLENGE'));
-
-		$this->assertEquals(1, $code->getUsed());
 	}
 
 	public function testValidateUsedCode(): void {

Original file line number	Diff line number	Diff line change
`@@ -85,19 +85,12 @@ public function getBackupCodesState(IUser $user): array {`
`85`	`85`	`];`
`86`	`86`	`}`
`87`	`87`
`88`		`- /**`
`89`		`- * @param IUser $user`
`90`		`- * @param string $code`
`91`		`- * @return bool`
`92`		`- */`
`93`	`88`	`public function validateCode(IUser $user, string $code): bool {`
`94`	`89`	`$dbCodes = $this->mapper->getBackupCodes($user);`
`95`	`90`
`96`	`91`	`foreach ($dbCodes as $dbCode) {`
`97`	`92`	`if ((int)$dbCode->getUsed() === 0 && $this->hasher->verify($code, $dbCode->getCode())) {`
`98`		`- $dbCode->setUsed(1);`
`99`		`- $this->mapper->update($dbCode);`
`100`		`- return true;`
	`93`	`+ return ($this->mapper->markUsedIfUnused($dbCode) === 1);`
`101`	`94`	`}`
`102`	`95`	`}`
`103`	`96`	`return false;`