do not allow to use same TOTP code

2025-01-01 13:13:53 +08:00 · 2019-08-22 21:47:36 +02:00 · 2019-08-22 21:47:36 +02:00 · ecb74473a1
commit ecb74473a1
parent af3649159c
2 changed files with 35 additions and 9 deletions
--- a/lib/consts.js
+++ b/lib/consts.js
@ -98,5 +98,7 @@ module.exports = {
    // access token default ttl in seconds (token ttl time is extended every time token is used by this value)
    ACCESS_TOKEN_DEFAULT_TTL: 14 * 24 * 3600,
    // access token can be extended until max lifetime value is reached in seconds
-    ACCESS_TOKEN_MAX_LIFETIME: 180 * 24 * 3600
+    ACCESS_TOKEN_MAX_LIFETIME: 180 * 24 * 3600,
+
+    TOTP_WINDOW_SIZE: 6
 };
--- a/lib/user-handler.js
+++ b/lib/user-handler.js
@ -1732,7 +1732,7 @@ class UserHandler {
            secret,
            encoding: 'base32',
            token: data.token,
-            window: 6
+            window: consts.TOTP_WINDOW_SIZE
        });

        if (!verified) {
@ -1902,18 +1902,30 @@ class UserHandler {
    }

    async checkTotp(user, data) {
-        let userRlKey = 'totp:' + user;
+        let userRlKey = `totp:${user}`;
+        let totpSuccessKey = `totp:${user}:${data.token}`;

-        let rateLimitRes;
        try {
-            rateLimitRes = await this.rateLimit(userRlKey, data, 0);
+            let rateLimitRes = await this.rateLimit(userRlKey, data, 0);
+            if (!rateLimitRes.success) {
+                throw rateLimitResponse(rateLimitRes);
+            }
        } catch (err) {
-            err.code = 'InternalDatabaseError';
+            err.code = err.code || 'InternalDatabaseError';
            throw err;
        }

-        if (!rateLimitRes.success) {
-            throw rateLimitResponse(rateLimitRes);
+        try {
+            let totpAlreadyUsed = await this.redis.exists(totpSuccessKey);
+            if (totpAlreadyUsed) {
+                let err = new Error('This code has already been used, please try again with a new code');
+                err.response = 'NO';
+                err.code = 'RateLimitedError';
+                throw err;
+            }
+        } catch (err) {
+            err.code = err.code || 'InternalDatabaseError';
+            throw err;
        }

        let userData;
@ -1971,7 +1983,7 @@ class UserHandler {
            secret,
            encoding: 'base32',
            token: data.token,
-            window: 6
+            window: consts.TOTP_WINDOW_SIZE
        });

        try {
@ -1995,6 +2007,18 @@ class UserHandler {
            // ignore
        }

+        if (verified) {
+            try {
+                await this.redis
+                    .multi()
+                    .set(totpSuccessKey, Date.now())
+                    .expire(totpSuccessKey, consts.TOTP_WINDOW_SIZE * 30)
+                    .exec();
+            } catch (err) {
+                // ignore
+            }
+        }
+
        return verified;
    }