From 3cc2bdc22972e704d05fe030e16d5b40e43facaf Mon Sep 17 00:00:00 2001
From: Johannes Rauh
Date: Thu, 2 Oct 2025 08:25:20 +0200
Subject: [PATCH] Verify 2fa token properly
---
 application/forms/Authentication/Challenge2FAForm.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/application/forms/Authentication/Challenge2FAForm.php b/application/forms/Authentication/Challenge2FAForm.php
index 85f8296aa..6a2207ed6 100644
--- a/application/forms/Authentication/Challenge2FAForm.php
+++ b/application/forms/Authentication/Challenge2FAForm.php
@@ -44,10 +44,9 @@ class Challenge2FAForm extends LoginForm
 
 public function onSuccess()
 {
- // TODO: Implement proper 2FA code validation
 $user = Auth::getInstance()->getUser();
 $totp = IcingaTotp::loadFromDb($this->getDb(), $user->getUsername());
- if ($totp->verify($_POST['token'])) {
+ if ($this->getElement('token') && $totp->verify($this->getValue('token'))) {
 $auth = Auth::getInstance();
 $user = $auth->getUser();
 $user->setTwoFactorSuccessful(true);
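Review bot: The new guard in `onSuccess()` tests `$this->getElement('token')`, which only shows that the form defines a `token` element, not that a usable value was submitted, so `verify()` may still receive `null` or an empty string. Checking the value itself is clearer and fails closed: `$token = $this->getValue('token');` followed by `if (is_string($token) && $token !== '' && $totp->verify($token)) {`. The result of `IcingaTotp::loadFromDb()` is also dereferenced without a check; if it can return null for a user with no enrolled secret (not visible here), that case should be rejected explicitly before `verify()` is called. The failure branch of this `if` lies outside the hunk, so whether failed attempts are counted or throttled cannot be confirmed from this patch.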