[Web] Allow multiple TOTP

data/web/inc/functions.inc.php

@@ -1222,8 +1222,8 @@ function set_tfa($_data) {
     case "totp":
       $key_id = (!isset($_data["key_id"])) ? 'unidentified' : $_data["key_id"];
       if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) {
-        $stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
-        $stmt->execute(array(':username' => $username));
+        //$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
+        //$stmt->execute(array(':username' => $username));
         $stmt = $pdo->prepare("INSERT INTO `tfa` (`username`, `key_id`, `authmech`, `secret`, `active`) VALUES (?, ?, 'totp', ?, '1')");
         $stmt->execute(array($username, $key_id, $_POST['totp_secret']));
         $_SESSION['return'][] =  array(
@@ -1610,15 +1610,17 @@ function verify_tfa_login($username, $token) {
           AND `authmech` = 'totp'
           AND `active`='1'");
       $stmt->execute(array(':username' => $username));
-      $row = $stmt->fetch(PDO::FETCH_ASSOC);
-      if ($tfa->verifyCode($row['secret'], $_POST['token']) === true) {
-        $_SESSION['tfa_id'] = $row['id'];
-        $_SESSION['return'][] =  array(
-          'type' => 'success',
-          'log' => array(__FUNCTION__, $username, '*'),
-          'msg' => 'verified_totp_login'
-        );
-        return true;
+      $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      foreach ($rows as $row) {
+        if ($tfa->verifyCode($row['secret'], $_POST['token']) === true) {
+          $_SESSION['tfa_id'] = $row['id'];
+          $_SESSION['return'][] =  array(
+            'type' => 'success',
+            'log' => array(__FUNCTION__, $username, '*'),
+            'msg' => 'verified_totp_login'
+          );
+          return true;
+        }
       }
       $_SESSION['return'][] =  array(
         'type' => 'danger',