- Don't allow code re-use, successfully used codes will be invalid on repeated use for the window time - Don't attach the full twofactor secret to user object in session for security. Only store a boolean if it's enabled for rendering, checks, etc. The full account should be fetched first before doTwoFactor() - Better names for some keys of twofactor redis stuff
indiachan-spamvector
parent
e6346f9f53
commit
29bb4856ab
8 changed files with 30 additions and 11 deletions
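@@ -1,14 +1,23 @@
-const OTPAuth = require('otpauth');
+const OTPAuth = require('otpauth')
+, redis = require(__dirname+'/../redis/redis.js');
 
-module.exports = (totpSecret, userInput) => {
+module.exports = async (username, totpSecret, userInput) => {
 const totp = new OTPAuth.TOTP({
 secret: totpSecret,
 algorithm: 'SHA256',
 });
-const delta = totp.validate({
+let delta = totp.validate({
 token: userInput,
 algorithm: 'SHA256',
 window: 1,
 });
+if (delta !== null) {
+const key = `twofactor_success:${username}`;
+const uses = await redis.incr(key);
+redis.expire(key, 30);
+if (uses && uses > 1) {
+delta = null;
+}
+}
 return { totp, delta };
 };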
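Review bot: The replay guard keyed at `const key = \`twofactor_success:${username}\`` expires before the accepted code does: with `window: 1` and what appears to be the library's default 30-second step (the period is not set here), a single code is accepted for roughly 90 seconds, so the same code can be replayed as soon as the 30-second key expires. The TTL should cover the whole acceptance window, e.g. `redis.expire(key, 90)`, or the key should include the matched time step (derivable from `delta`) so that reuse of that exact code is what gets blocked rather than every code for the user. Separately, `redis.expire(key, 30)` is neither awaited nor given a rejection handler; if it fails the counter persists with no TTL and every later valid code for that user is rejected by `uses > 1`, so `await redis.expire(key, 30);` (or set INCR and EXPIRE in one MULTI so the TTL is never missing) would surface the failure instead of silently locking the account out of 2FA.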