- Don't allow code re-use: successfully used codes will be invalid on repeated use for the window time - Don't attach the full twofactor secret to the user object in session, for security. Only store a boolean indicating whether it's enabled, for rendering, checks, etc. The full account should be fetched first before doTwoFactor() - Better names for some keys of twofactor redis stuff
indiachan-spamvector
parent
e6346f9f53
commit
29bb4856ab
8 changed files with 30 additions and 11 deletions
@ -1,14 +1,23 @@ |
||||
const OTPAuth = require('otpauth'); |
||||
const OTPAuth = require('otpauth') |
||||
, redis = require(__dirname+'/../redis/redis.js'); |
||||
|
||||
module.exports = (totpSecret, userInput) => { |
||||
module.exports = async (username, totpSecret, userInput) => { |
||||
const totp = new OTPAuth.TOTP({ |
||||
secret: totpSecret, |
||||
algorithm: 'SHA256', |
||||
}); |
||||
const delta = totp.validate({ |
||||
let delta = totp.validate({ |
||||
token: userInput, |
||||
algorithm: 'SHA256', |
||||
window: 1, |
||||
}); |
||||
if (delta !== null) { |
||||
const key = `twofactor_success:${username}`; |
||||
const uses = await redis.incr(key); |
||||
redis.expire(key, 30); |
||||
if (uses && uses > 1) { |
||||
delta = null; |
||||
} |
||||
} |
||||
return { totp, delta }; |
||||
}; |
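Review bot: The replay marker expires before the code it guards does: `redis.expire(key, 30)` gives the key a 30-second lifetime, but `window: 1` makes `totp.validate` accept a code for one step on either side of the current one, so a code that was accepted is still valid after the key is gone and a repeat submission passes again. Keying the marker on the username alone has the opposite problem too: a different, fresh code presented within those 30 seconds is rejected because `uses` is already above 1. Since `expire` is neither awaited nor guarded, every attempt also refreshes the TTL and a rejected promise is left floating, and if the `incr` succeeds but the `expire` never runs the key lives forever and the user is locked out of two-factor login. I would tie the marker to the accepted code and size the TTL to the whole acceptance window, e.g. `const key = \`twofactor_success:${username}:${userInput}\`;` and `if (uses === 1) await redis.expire(key, 90);` (three periods, assuming the library's default 30-second step; confirm the period configured here), and drop the redundant truthiness check so the line reads `if (uses > 1) {`.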
||||
|