From 9af5db89ad5f648c11c9c1014f557ca7bc80c098 Mon Sep 17 00:00:00 2001
From: Shane Mc Cormack <shanemcc@gmail.com>
Date: Sun, 11 Nov 2018 01:51:16 +0000
Subject: [PATCH] Error if 2FA Key provided but not required. Close #25

---
 web/1.0/index.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/web/1.0/index.php b/web/1.0/index.php
index e109e35..ee7ed36 100644
--- a/web/1.0/index.php
+++ b/web/1.0/index.php
@@ -277,6 +277,10 @@ function getKnownDevice($user, &$context) {
 					$errorExtraData = '2FA key required.';
 					$resp->setHeader('login_error', '2fa_required');
 				}
+			} else if (empty($keys) && isset($_SERVER['HTTP_X_2FA_KEY'])) {
+				$errorExtraData = '2FA key provided but not required.';
+				$resp->setHeader('login_error', '2fa_notrequired');
+				$valid = false;
 			}
 
 			if ($valid) {