From dc172476e16e26d23920b77cc25ec277b7e57c80 Mon Sep 17 00:00:00 2001 From: James Cole Date: Sat, 19 Mar 2016 16:29:01 +0100 Subject: [PATCH] Make sure the two factor auth pages are not accessible when already authenticated using two factor. --- app/Http/Kernel.php | 2 + .../RedirectIfTwoFactorAuthenticated.php | 48 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 app/Http/Middleware/RedirectIfTwoFactorAuthenticated.php diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index a33492fd8a..d5d719d6f3 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -9,6 +9,7 @@ use FireflyIII\Http\Middleware\Binder; use FireflyIII\Http\Middleware\EncryptCookies; use FireflyIII\Http\Middleware\Range; use FireflyIII\Http\Middleware\RedirectIfAuthenticated; +use FireflyIII\Http\Middleware\RedirectIfTwoFactorAuthenticated; use FireflyIII\Http\Middleware\VerifyCsrfToken; use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth; use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse; @@ -67,6 +68,7 @@ class Kernel extends HttpKernel ShareErrorsFromSession::class, VerifyCsrfToken::class, Authenticate::class, + RedirectIfTwoFactorAuthenticated::class, ], 'web-auth-range' => [ EncryptCookies::class, diff --git a/app/Http/Middleware/RedirectIfTwoFactorAuthenticated.php b/app/Http/Middleware/RedirectIfTwoFactorAuthenticated.php new file mode 100644 index 0000000000..618283794b --- /dev/null +++ b/app/Http/Middleware/RedirectIfTwoFactorAuthenticated.php @@ -0,0 +1,48 @@ +check()) { + + $twoFactorAuthEnabled = Preferences::get('twoFactorAuthEnabled', false)->data; + $hasTwoFactorAuthSecret = !is_null(Preferences::get('twoFactorAuthSecret')); + $isTwoFactorAuthenticated = Session::get('twofactor-authenticated'); + if ($twoFactorAuthEnabled && $hasTwoFactorAuthSecret && $isTwoFactorAuthenticated) { + return redirect('/'); + } + } + + return $next($request); + } +}
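Review bot: The redirect in the new middleware is scoped by the `web-auth` group (see the Kernel.php hunk) rather than by the two-factor routes themselves, so any other route that shares that group, a logout route for example, would become unreachable once the second factor has been completed; this patch does not show the route file, so that needs confirming before merge. The `$hasTwoFactorAuthSecret = !is_null(Preferences::get('twoFactorAuthSecret'));` line only establishes that a preference record exists, and if `Preferences::get` can return a record with empty data (a secret cleared rather than deleted) the condition would still pass, so I would check the record's data as the enabled flag already does. Since this redirect is a convenience and not the control that enforces the second factor, a docblock on the method should say so, for example: `Redirect users who have already completed two-factor authentication away from the two-factor pages; enforcement of the second factor is handled elsewhere.` I would also compare the session flag strictly, `if ($twoFactorAuthEnabled && $hasTwoFactorAuthSecret && $isTwoFactorAuthenticated === true) {`, and move the `'twofactor-authenticated'` key to a shared constant because the code that sets it must use the identical string. The opening of this hunk (PHP tag, namespace, use lines and the `handle()` signature up to `check())`) is garbled in this rendering, so the guard expression itself could not be reviewed.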