From 96b734edaa7be00ee08c1ae61813f578b84cabca Mon Sep 17 00:00:00 2001
From: xisi
Date: Wed, 15 Jan 2014 10:35:24 -0500
Subject: [PATCH] fix how late we delete tokens for 2fa
---
 public/include/classes/payout.class.php | 20 ++++++------
 public/include/classes/user.class.php | 41 ++++++++++++-------------
 2 files changed, 30 insertions(+), 31 deletions(-)
diff --git a/public/include/classes/payout.class.php b/public/include/classes/payout.class.php
index c8298668..ce4368e8 100644
--- a/public/include/classes/payout.class.php
+++ b/public/include/classes/payout.class.php
@@ -37,18 +37,18 @@ class Payout Extends Base {
 * @return data mixed Inserted ID or false
 **/
 public function createPayout($account_id=NULL, $strToken) {
- // twofactor - consume the token if it is enabled and valid
- if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['withdraw']) {
- $tValid = $this->token->isTokenValid($account_id, $strToken, 7);
- if ($tValid) {
- $this->token->deleteToken($strToken);
- } else {
- $this->setErrorMessage('Invalid token');
- return false;
- }
- }
 $stmt = $this->mysqli->prepare("INSERT INTO $this->table (account_id) VALUES (?)");
 if ($stmt && $stmt->bind_param('i', $account_id) && $stmt->execute()) {
+ // twofactor - consume the token if it is enabled and valid
+ if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['withdraw']) {
+ $tValid = $this->token->isTokenValid($account_id, $strToken, 7);
+ if ($tValid) {
+ $this->token->deleteToken($strToken);
+ } else {
+ $this->setErrorMessage('Invalid token');
+ return false;
+ }
+ }
 return $stmt->insert_id;
 }
 return $this->sqlError('E0049');
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 7e36b54a..0f08164c 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
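Review bot: In the new createPayout body the INSERT on the `$stmt->execute()` line has already been committed by the time `isTokenValid` runs, so an invalid or missing token leaves the payout row in place and only the return value reports failure; the second factor no longer gates the withdrawal at all. The same ordering is applied to the password change at `+318` and the account update at `+395` in user.class.php, where the UPDATE is likewise executed before the token is checked. Keep the validity check before the write and move only the `deleteToken` call into the success branch, so a failed INSERT does not consume the token, which appears to be what the commit title is after. The check-then-delete pair is still not atomic, so presumably a concurrent request could pass `isTokenValid` with the same token before it is deleted; having `deleteToken` report whether a row was actually removed would close that, but that is outside this hunk. The docblock above createPayout starts outside the hunk.
```php
public function createPayout($account_id=NULL, $strToken) {
  // twofactor - reject the request before anything is written
  $tfa = $this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['withdraw'];
  if ($tfa && !$this->token->isTokenValid($account_id, $strToken, 7)) {
    $this->setErrorMessage('Invalid token');
    return false;
  }
  $stmt = $this->mysqli->prepare("INSERT INTO $this->table (account_id) VALUES (?)");
  if ($stmt && $stmt->bind_param('i', $account_id) && $stmt->execute()) {
    // consume the token only once the payout row exists
    if ($tfa) {
      $this->token->deleteToken($strToken);
    }
    return $stmt->insert_id;
  }
  // … unchanged: sqlError('E0049') fallthrough …
```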
@@ -311,16 +311,6 @@ class User extends Base {
 $this->setErrorMessage( 'New password is too short, please use more than 8 chars' );
 return false;
 }
- // twofactor - consume the token if it is enabled and valid
- if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['changepw']) {
- $tValid = $this->token->isTokenValid($userID, $strToken, 6);
- if ($tValid) {
- $this->token->deleteToken($strToken);
- } else {
- $this->setErrorMessage('Invalid token');
- return false;
- }
- }
 $current = $this->getHash($current);
 $new = $this->getHash($new1);
 $stmt = $this->mysqli->prepare("UPDATE $this->table SET pass = ? WHERE ( id = ? AND pass = ? )");
@@ -328,6 +318,16 @@ class User extends Base {
 $stmt->bind_param('sis', $new, $userID, $current);
 $stmt->execute();
 if ($stmt->errno == 0 && $stmt->affected_rows === 1) {
+ // twofactor - consume the token if it is enabled and valid
+ if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['changepw']) {
+ $tValid = $this->token->isTokenValid($userID, $strToken, 6);
+ if ($tValid) {
+ $this->token->deleteToken($strToken);
+ } else {
+ $this->setErrorMessage('Invalid token');
+ return false;
+ }
+ }
 return true;
 }
 $stmt->close();
@@ -395,20 +395,19 @@ class User extends Base {
 $threshold = min($this->config['ap_threshold']['max'], max(0, floatval($threshold)));
 $donate = min(100, max(0, floatval($donate)));
- // twofactor - consume the token if it is enabled and valid
- if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['details']) {
- $tValid = $this->token->isTokenValid($userID, $strToken, 5);
- if ($tValid) {
- $this->token->deleteToken($strToken);
- } else {
- $this->setErrorMessage('Invalid token');
- return false;
- }
- }
-
 // We passed all validation checks so update the account
 $stmt = $this->mysqli->prepare("UPDATE $this->table SET coin_address = ?, ap_threshold = ?, donate_percent = ?, email = ?, is_anonymous = ? WHERE id = ?");
 if ($this->checkStmt($stmt) && $stmt->bind_param('sddsii', $address, $threshold, $donate, $email, $is_anonymous, $userID) && $stmt->execute())
+ // twofactor - consume the token if it is enabled and valid
+ if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['details']) {
+ $tValid = $this->token->isTokenValid($userID, $strToken, 5);
+ if ($tValid) {
+ $this->token->deleteToken($strToken);
+ } else {
+ $this->setErrorMessage('Invalid token');
+ return false;
+ }
+ }
 return true;
 // Catchall
 $this->setErrorMessage('Failed to update your account');
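Review bot: The `if ($this->checkStmt($stmt) && … && $stmt->execute())` line has no braces, so after this hunk it guards only the inserted twofactor `if` statement and the `return true;` that follows now runs unconditionally; a failed UPDATE is reported as success and the `'Failed to update your account'` catchall becomes unreachable. Add `{` after `$stmt->execute())` and a matching `}` before `// Catchall` so `return true;` stays inside the success branch. The token-ordering problem raised on the payout hunk applies to this hunk as well. The enclosing method's signature and the lines after the catchall are outside the hunk.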