v2.4.6: TOTP allow multiple codes, composer update, PHPStan

Core/External/composer.json

@@ -10,6 +10,7 @@
         "geoip2/geoip2": "~2.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6"
+        "phpunit/phpunit": "^9.6",
+        "phpstan/phpstan": "^2.1"
     }
 }

Core/External/phpstan.neon

@@ -0,0 +1,11 @@
+parameters:
+    level: 6
+
+    paths:
+        - ../../
+
+    excludePaths:
+        - ./vendor/*
+        - ../../test/*
+        - ../../Core/Cache/*
+        - ../../Site/Cache/*

Core/Objects/TwoFactor/TimeBasedTwoFactorToken.class.php

@@ -58,8 +58,19 @@ class TimeBasedTwoFactorToken extends TwoFactorToken {
     return substr(str_pad(strval($code), $length, "0", STR_PAD_LEFT), -1 * $length);
   }
 
-  public function verify(string $code): bool {
-    return $this->generate() === $code;
+  public function verify(string $code, int $numCodes = 2): bool {
+    $now = time();
+    $length = 6;
+    $period = 30;
+
+    // verify the last $numCodes codes
+    for ($i = 0; $i < max(1, $numCodes); $i++) {
+      if ($this->generate($now - $period * i, $length, $period) === $code) {
+        return true;
+      }
+    }
+
+    return false;
   }
 
   public function getData(): string {

Core/core.php

@@ -10,7 +10,7 @@ if (is_file($autoLoad)) {
   require_once $autoLoad;
 }
 
-const WEBBASE_VERSION = "2.4.5";
+const WEBBASE_VERSION = "2.4.6";
 
 spl_autoload_extensions(".php");
 spl_autoload_register(function ($class) {