chore: verifyRecoveryCode - Persist the used_at write immediately

matiasperrone-exo · matiasperrone-exo · commit 5cb18c21eede · 2026-05-29T16:20:04.000Z
So a consumed recovery code cannot be reused on a subsequent request.
diff --git a/app/Strategies/MFA/AbstractMFAChallengeStrategy.php b/app/Strategies/MFA/AbstractMFAChallengeStrategy.php
@@ -51,6 +51,7 @@ public function verifyRecoveryCode(User $user, string $code): void
         foreach ($this->recovery_code_repository->getUnusedByUser($user) as $recoveryCode) {
             if (Hash::check($code, $recoveryCode->getCodeHash())) {
                 $recoveryCode->markUsed();
+                $this->recovery_code_repository->add($recoveryCode, true);
                 return;
             }
         }
diff --git a/tests/Unit/MFA/AbstractMFAChallengeStrategyTest.php b/tests/Unit/MFA/AbstractMFAChallengeStrategyTest.php
@@ -90,6 +90,7 @@ public function testVerifyRecoveryCode_withMatchingCode_marksAsUsed(): void
 
         $repo = \Mockery::mock(IUserRecoveryCodeRepository::class);
         $repo->shouldReceive('getUnusedByUser')->with($user)->andReturn([$recoveryCode]);
+        $repo->shouldReceive('add')->with($recoveryCode, true)->once();
 
         $strategy = new class($repo) extends AbstractMFAChallengeStrategy {
             public function issueChallenge(User $user, ?Client $client, bool $remember): array { return []; }

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ public function verifyRecoveryCode(User $user, string $code): void`
`51`	`51`	`foreach ($this->recovery_code_repository->getUnusedByUser($user) as $recoveryCode) {`
`52`	`52`	`if (Hash::check($code, $recoveryCode->getCodeHash())) {`
`53`	`53`	`$recoveryCode->markUsed();`
	`54`	`+ $this->recovery_code_repository->add($recoveryCode, true);`
`54`	`55`	`return;`
`55`	`56`	`}`
`56`	`57`	`}`