From d6e2033c5a57f5604ab0bc16b1528ceb5782455b Mon Sep 17 00:00:00 2001
From: Yvo Brevoort
Date: Sat, 13 Dec 2025 11:26:14 +0100
Subject: [PATCH 1/4] make sure the token code is not in use
---
 lib/User.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/lib/User.php b/lib/User.php
index 2affb0b..bfc97a3 100644
--- a/lib/User.php
+++ b/lib/User.php
@@ -7,6 +7,15 @@ class User { private static function generateTokenCode() { $digits = 6; + + self::cleanupTokens(); + $existingTokens = self::getExistingVerifyTokens(); + + while (in_array($code, $existingTokens)) { // make sure we have no collissions; + $code = random_int(0,1000000); + $code = str_pad($code, $digits, '0', STR_PAD_LEFT); + } + $code = random_int(0,1000000); $code = str_pad($code, $digits, '0', STR_PAD_LEFT); return $code;
@@ -331,4 +340,14 @@ public static function cleanupTokens() { ':now' => $now->getTimestamp() ]); } + + public static getExistingVerifyTokens() { + Db::connect(); + $query = Db::$pdo->prepare( + 'SELECT code FROM verify' + ); + $existingTokens = $query->execute(); + return $existingTokens; + } + }
From 482361eec06f7bd0696476602d4ec3d303a831e0 Mon Sep 17 00:00:00 2001
From: Yvo Brevoort
Date: Sat, 13 Dec 2025 11:27:48 +0100
Subject: [PATCH 2/4] typofix
---
 lib/User.php | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/lib/User.php b/lib/User.php
index bfc97a3..a7db96a 100644
--- a/lib/User.php
+++ b/lib/User.php
@@ -341,13 +341,12 @@ public static function cleanupTokens() { ]); } - public static getExistingVerifyTokens() { - Db::connect(); - $query = Db::$pdo->prepare( - 'SELECT code FROM verify' - ); - $existingTokens = $query->execute(); - return $existingTokens; - } - + public static function getExistingVerifyTokens() { + Db::connect(); + $query = Db::$pdo->prepare( + 'SELECT code FROM verify' + ); + $existingTokens = $query->execute(); + return $existingTokens; + } }
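Review bot: `random_int(0,1000000)` is inclusive at both ends, so the loop added to generateTokenCode in PATCH 1/4 can produce 1000000, which `str_pad` leaves as a seven-character code even though `$digits` is 6. Deriving the bound from the length, `$code = random_int(0, (10 ** $digits) - 1);`, keeps every code at six digits. The same call is repeated in the generateTokenCode hunk of PATCH 3/4, and the function's closing brace lies outside this hunk.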
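Review bot: The uniqueness check built on `SELECT code FROM verify` in getExistingVerifyTokens (second hunk of PATCH 1/4) is a read-then-insert sequence, so two requests generating a code at the same time can still pick the same value. The insert is not part of this patch, but a UNIQUE index on `verify.code` with a retry when the insert is rejected would enforce this in the database and avoid loading every live code into PHP on each call. The helper is also `public` although the only caller shown is the private generateTokenCode; `private static function getExistingVerifyTokens()` would keep the list of active verification codes internal to the class.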
From b151f3ca4476b1961548a23527dcff7b282e2fea Mon Sep 17 00:00:00 2001
From: Yvo Brevoort
Date: Sat, 13 Dec 2025 11:34:23 +0100
Subject: [PATCH 3/4] fix existing tokens call
---
 lib/User.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/User.php b/lib/User.php
index a7db96a..390d447 100644
--- a/lib/User.php
+++ b/lib/User.php
@@ -11,13 +11,14 @@ private static function generateTokenCode() { self::cleanupTokens(); $existingTokens = self::getExistingVerifyTokens(); + $code = random_int(0,1000000); + $code = str_pad($code, $digits, '0', STR_PAD_LEFT); + while (in_array($code, $existingTokens)) { // make sure we have no collissions; $code = random_int(0,1000000); $code = str_pad($code, $digits, '0', STR_PAD_LEFT); } - $code = random_int(0,1000000); - $code = str_pad($code, $digits, '0', STR_PAD_LEFT); return $code; }
@@ -346,7 +347,8 @@ public static function getExistingVerifyTokens() { $query = Db::$pdo->prepare( 'SELECT code FROM verify' ); - $existingTokens = $query->execute(); + $query->execute(); + $existingTokens = $query->fetchAll(); return $existingTokens; } }
From 56f775475df116ec3bb37d4b5b43c758f56c0422 Mon Sep 17 00:00:00 2001
From: Yvo Brevoort
Date: Sat, 13 Dec 2025 11:42:05 +0100
Subject: [PATCH 4/4] fix cleanup test
---
 tests/phpunit/UserTest.php | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/tests/phpunit/UserTest.php b/tests/phpunit/UserTest.php
index b61faeb..80cd184 100644
--- a/tests/phpunit/UserTest.php
+++ b/tests/phpunit/UserTest.php
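Review bot: The collision loop in generateTokenCode (first hunk of PATCH 3/4) still cannot match, because `fetchAll()` in getExistingVerifyTokens returns one array per row and `in_array($code, $existingTokens)` compares the string `$code` with those row arrays rather than with the `code` values. Returning a flat list in the second hunk, `$existingTokens = $query->fetchAll(PDO::FETCH_COLUMN);`, makes the check effective; the `$result[0]['count']` access in the test of PATCH 4/4 shows that rows currently come back as arrays. Passing `true` as the third argument of `in_array` is worth considering as well, provided the `code` column comes back as a string. generateTokenCode begins above the hunk.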
@@ -333,16 +333,11 @@ public function testCleanup() {
 "hello" => "world",
 "expires" => time() - 10
 ]);
- $token2 = User::saveVerifyToken("verify", [
- "hello" => "world",
- "expires" => time() - 10
- ]);
 $query = Db::$pdo->prepare('SELECT count(*) AS count FROM verify');
 $query->execute();
 $result = $query->fetchAll();
 $beforeCleanup = $result[0]['count'];
- $this->assertEquals(2, $beforeCleanup);
-
+ $this->assertEquals(1, $beforeCleanup);
 User::cleanupTokens();
 $query = Db::$pdo->prepare('SELECT count(*) AS count FROM verify');
 $query->execute();
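Review bot: testCleanup now expects one row before `User::cleanupTokens()` without saying why, and nothing in the series tests the collision check added to generateTokenCode. The count presumably dropped because creating a token now purges expired rows first; a comment above the assertion such as `// saveVerifyToken() runs cleanupTokens() before inserting, so at most one expired token exists here` would record that, if that is indeed the cause. A test that exercises the path where a freshly generated code is already present in `verify` would cover the new loop. testCleanup starts and ends outside this hunk.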