From ffe501d64f7a72580fbbc74ddd74c2c53100afef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Taavi=20V=C3=A4=C3=A4n=C3=A4nen?=
Date: Tue, 5 Nov 2024 20:51:41 +0200
Subject: [PATCH] ApiOATHValidate: Remove use of getModule()

Change-Id: I5fee274e792f087aedf30259069203d8e1f24d10
---
 src/Api/Module/ApiOATHValidate.php | 46 ++++++++++++++++--------------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/src/Api/Module/ApiOATHValidate.php b/src/Api/Module/ApiOATHValidate.php
index 009ec2ad..f8bcdc12 100644
--- a/src/Api/Module/ApiOATHValidate.php
+++ b/src/Api/Module/ApiOATHValidate.php
@@ -21,7 +21,6 @@ namespace MediaWiki\Extension\OATHAuth\Api\Module;
 use MediaWiki\Api\ApiBase;
 use MediaWiki\Api\ApiMain;
 use MediaWiki\Api\ApiResult;
-use MediaWiki\Extension\OATHAuth\IModule;
 use MediaWiki\Extension\OATHAuth\OATHUserRepository;
 use MediaWiki\Json\FormatJson;
 use MediaWiki\Logger\LoggerFactory;
@@ -77,30 +76,33 @@ class ApiOATHValidate extends ApiBase {
 if ( $user->isNamed() ) {
 $authUser = $this->oathUserRepository->findByUser( $user );
- if ( $authUser ) {
- $module = $authUser->getModule();
- if ( $module instanceof IModule ) {
- $data = [];
- $decoded = FormatJson::decode( $params['data'], true );
- if ( is_array( $decoded ) ) {
- $data = $decoded;
+ if ( $authUser->isTwoFactorAuthEnabled() ) {
+ $result['enabled'] = true;
+
+ $data = [];
+ $decoded = FormatJson::decode( $params['data'], true );
+ if ( is_array( $decoded ) ) {
+ $data = $decoded;
+ }
+
+ foreach ( $authUser->getKeys() as $key ) {
+ if ( $key->verify( $data, $authUser ) !== false ) {
+ $result['valid'] = true;
+ break;
 }
+ }
- $result['enabled'] = $module->isEnabled( $authUser );
- $result['valid'] = $module->verify( $authUser, $data ) !== false;
+ if ( !$result['valid'] ) {
+ // Increase rate limit counter for failed request
+ $user->pingLimiter( 'badoath' );
- if ( !$result['valid'] ) {
- // Increase rate limit counter for failed request
- $user->pingLimiter( 'badoath' );
-
- LoggerFactory::getInstance( 'authentication' )->info(
- 'OATHAuth user {user} failed OTP token/recovery code from {clientip}',
- [
- 'user' => $user,
- 'clientip' => $user->getRequest()->getIP(),
- ]
- );
- }
+ LoggerFactory::getInstance( 'authentication' )->info(
+ 'OATHAuth user {user} failed OTP token/recovery code from {clientip}',
+ [
+ 'user' => $user,
+ 'clientip' => $user->getRequest()->getIP(),
+ ]
+ );
 }
 }
 }
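Review bot: `$result['valid']` is now only ever set to `true` inside the `foreach`, so the `!$result['valid']` check that drives `pingLimiter( 'badoath' )` and the failure log depends on a `false` default assigned outside this hunk; the old code assigned the key unconditionally. Making the fail-closed default explicit beside the new `$result['enabled'] = true;` line, with `$result['valid'] = false;`, keeps the rate-limit increment and the log entry correct even if the initialisation earlier in the method changes. Since the `if ( $authUser )` guard is dropped, it is also worth confirming that `findByUser()` can never return null. Separately, the submitted data is now tried against every enrolled key while the counter rises by one per failed request, so confirm that the `badoath` limit is checked before this block. The enclosing method starts and ends outside the hunk.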