From bbecc035313184694372aacb0befeca8d28934a7 Mon Sep 17 00:00:00 2001
From: Rebecca Law
Date: Thu, 10 Dec 2015 16:34:29 +0000
Subject: [PATCH 1/2] 109526036: Fix bug. If one of the codes was invalid and one was valid on the verify page the valid code would be marked as used.
---
 app/main/dao/verify_codes_dao.py | 7 +++++++
 app/main/forms.py | 3 +--
 app/main/views/verify.py | 4 +++-
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/app/main/dao/verify_codes_dao.py b/app/main/dao/verify_codes_dao.py
index 6273c9ac3..049432982 100644
--- a/app/main/dao/verify_codes_dao.py
+++ b/app/main/dao/verify_codes_dao.py
@@ -31,6 +31,13 @@ def use_code(id):
 db.session.commit()
+def use_code_for_user_and_type(user_id, code_type):
+ verify_code = VerifyCodes.query.filter_by(user_id=user_id, code_type=code_type).first()
+ verify_code.code_used = True
+ db.session.add(verify_code)
+ db.session.commit()
+
+
 def add_code_with_expiry(user_id, code, code_type, expiry):
 code = VerifyCodes(user_id=user_id,
 code=code,
diff --git a/app/main/forms.py b/app/main/forms.py
index 76634c5ae..c2780f0f5 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -79,7 +79,6 @@ def validate_code(field, code):
 field.errors.append('Code does not match')
 return False
 else:
- verify_codes_dao.use_code(code.id)
 return True
 else:
- return True
+ return False
diff --git a/app/main/views/verify.py b/app/main/views/verify.py
index 3e3c139af..4978e04e5 100644
--- a/app/main/views/verify.py
+++ b/app/main/views/verify.py
@@ -2,7 +2,7 @@ from flask import render_template, redirect, jsonify, session
 from flask_login import login_user
 from app.main import main
-from app.main.dao import users_dao
+from app.main.dao import users_dao, verify_codes_dao
 from app.main.forms import VerifyForm
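Review bot: In `use_code_for_user_and_type` (app/main/dao/verify_codes_dao.py), `filter_by(user_id=user_id, code_type=code_type).first()` does not select the code that was just validated: there is no `code_used=False` filter and no ordering, so if a user can hold more than one row of a type (a re-sent code, for instance; not visible in this hunk) an arbitrary or already-used row is marked and the code that passed validation stays usable. `.first()` also returns `None` when no row matches, and the next line then raises `AttributeError`. Marking every outstanding code of that type covers both cases: `VerifyCodes.query.filter_by(user_id=user_id, code_type=code_type, code_used=False).update({'code_used': True})` followed by `db.session.commit()`. The callers added in app/main/views/verify.py and app/main/views/two_factor.py depend on this lookup.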
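Review bot: The final `else: return False` in `validate_code` (app/main/forms.py) rejects the input without appending anything to `field.errors`, unlike the mismatch branch above it, which adds 'Code does not match'. Whether the form actually fails then depends on the caller acting on the return value, which is outside this hunk; if it only inspects `field.errors`, this branch would still pass validation. Adding a message in the branch, e.g. `field.errors.append('Code not found')` before `return False`, makes the rejection visible to both the form and the user. `validate_code` starts above the hunk and the condition of the outer `if` is not shown, so the wording of the message should be matched to that condition.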
@@ -16,6 +16,8 @@ def process_verify():
 form = VerifyForm()
 if form.validate_on_submit():
 user = users_dao.get_user_by_id(session['user_id'])
+ verify_codes_dao.use_code_for_user_and_type(user_id=user.id, code_type='email')
+ verify_codes_dao.use_code_for_user_and_type(user_id=user.id, code_type='sms')
 users_dao.activate_user(user.id)
 login_user(user)
 return redirect('/add-service')
From 1ce8170ce175bcbbdef85322fd8b188924a9a715 Mon Sep 17 00:00:00 2001
From: Rebecca Law
Date: Thu, 10 Dec 2015 16:38:34 +0000
Subject: [PATCH 2/2] 109526036:Mark the sms code as being used on the two-factor page
---
 app/main/views/two_factor.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/main/views/two_factor.py b/app/main/views/two_factor.py
index 093bd6a51..dc01a722b 100644
--- a/app/main/views/two_factor.py
+++ b/app/main/views/two_factor.py
@@ -2,7 +2,7 @@ from flask import render_template, redirect, jsonify, session
 from flask_login import login_user
 from app.main import main
-from app.main.dao import users_dao
+from app.main.dao import users_dao, verify_codes_dao
 from app.main.forms import TwoFactorForm
@@ -17,6 +17,7 @@ def process_two_factor():
 if form.validate_on_submit():
 user = users_dao.get_user_by_id(session['user_id'])
+ verify_codes_dao.use_code_for_user_and_type(user_id=user.id, code_type='sms')
 login_user(user)
 return redirect('/dashboard')
 else:
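Review bot: In `process_verify` (app/main/views/verify.py) the codes are checked in `form.validate_on_submit()` and only marked used afterwards, in two separate calls that each commit, so checking and consuming a code are not one atomic step. Two requests carrying the same codes can both pass validation before either marks them used, and if the 'sms' call fails the 'email' code is already consumed while `users_dao.activate_user(user.id)` never runs. The same check-then-mark order is added to `process_two_factor` in app/main/views/two_factor.py, where it guards `login_user(user)`. Consider having the DAO update only rows with `code_used=False` and return the affected row count, continuing to activation or login only when that count is non-zero; at minimum add `# codes are consumed after validation, not atomically with it` above the calls. Both functions start above their hunks, and `process_two_factor` continues below its hunk.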