diff --git a/app/Api/v1/Controllers/TwoFAccountController.php b/app/Api/v1/Controllers/TwoFAccountController.php
index 8f2bd1e2..a14286a3 100644
--- a/app/Api/v1/Controllers/TwoFAccountController.php
+++ b/app/Api/v1/Controllers/TwoFAccountController.php
@@ -106,8 +106,8 @@ public function update(TwoFAccountUpdateRequest $request, TwoFAccount $twofaccou
         $this->authorize('update', $twofaccount);
         $validated = $request->validated();
-
-        $twofaccount->fillWithOtpParameters($validated);
+
+        $twofaccount->fillWithOtpParameters($validated, $twofaccount->icon && is_null(Arr::get($validated, 'icon', null)));
         $request->user()->twofaccounts()->save($twofaccount);
         // Possible group change
diff --git a/tests/Api/v1/Controllers/TwoFAccountControllerTest.php b/tests/Api/v1/Controllers/TwoFAccountControllerTest.php
index 4ddbc434..deff6c28 100644
--- a/tests/Api/v1/Controllers/TwoFAccountControllerTest.php
+++ b/tests/Api/v1/Controllers/TwoFAccountControllerTest.php
@@ -815,6 +815,29 @@ public function test_update_twofaccount_of_another_user_is_forbidden()
         ]);
     }
+    #[Test]
+    public function test_update_with_removed_icon_prevents_official_logo_fetching()
+    {
+        $attributes = ([
+            'otp_type' => 'totp',
+            'account' => OtpTestData::ACCOUNT,
+            'service' => OtpTestData::SERVICE,
+            'secret' => OtpTestData::SECRET,
+            'algorithm' => OtpTestData::ALGORITHM_DEFAULT,
+            'digits' => OtpTestData::DIGITS_DEFAULT,
+            'period' => OtpTestData::PERIOD_DEFAULT,
+            'legacy_uri' => OtpTestData::TOTP_SHORT_URI,
+            'icon' => 'icon.png',
+        ]);
+        $twofaccount = TwoFAccount::factory()->for($this->user)->create($attributes);
+        $attributes['icon'] = '';
+
+        $response = $this->actingAs($this->user, 'api-guard')
+            ->json('PUT', '/api/v1/twofaccounts/' . $twofaccount->id, $attributes);
+
+        $this->assertNull($response->json('icon'));
+    }
+
     #[Test]
     public function test_migrate_valid_gauth_payload_returns_success_with_consistent_resources()
     {
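Review bot: The second argument passed to `fillWithOtpParameters` on the added line is an anonymous boolean expression, so a reader has to work out that it means "the client cleared an icon the account already had"; naming it documents the intent and keeps the call readable: `// An icon explicitly cleared by the client must not be replaced by a fetched official logo.` / `$iconRemoved = $twofaccount->icon && Arr::get($validated, 'icon') === null;` / `$twofaccount->fillWithOtpParameters($validated, $iconRemoved);` (the explicit `null` default is what `Arr::get` already returns). The condition is also true when `icon` is simply absent from the validated payload, so an update that omits the key would suppress the fetch as well; that may be intended, but it depends on the validation rules, which are not in this diff. `Arr` has to be in scope as `Illuminate\Support\Arr` at the top of the controller, outside this hunk. The `update` method starts and continues outside the hunk, and the new parameter's definition in `fillWithOtpParameters` is not in this diff, so its exact semantics cannot be checked here.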
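Review bot: The test sends `'icon' => ''` while the controller treats the icon as removed only when the validated value is null, so the test silently depends on the framework converting empty strings to null before validation; a comment makes that explicit and stops the next maintainer from "fixing" the payload to `null`: `// An empty string is what the client sends to clear the icon; it reaches the controller as null.` The assertion also reads only the `icon` field of the JSON body, which is equally null when the request fails validation and the response carries no icon at all, so add `->assertOk()` on the response before reading the field. The behaviour named in the test title, that no logo is fetched, is not asserted directly; if the fetch goes through Laravel's HTTP client, `Http::fake()` before the request and `Http::assertNothingSent()` afterwards would pin it. The redundant parentheses around the array literal in `$attributes = ([ ... ]);` can be dropped.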