From acc2995d8621579dcd096d6541386f67671de053 Mon Sep 17 00:00:00 2001
From: Andreas Brett
Date: Tue, 19 Oct 2021 00:42:33 +0200
Subject: [PATCH] invalidate used token
---
 db/patch-2fa-invalidate-used-token.sql | 7 +++++++
 server/database.js | 1 +
 server/server.js | 14 ++++++++++----
 3 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 db/patch-2fa-invalidate-used-token.sql
diff --git a/db/patch-2fa-invalidate-used-token.sql b/db/patch-2fa-invalidate-used-token.sql
new file mode 100644
index 000000000..2f0b42ca8
--- /dev/null
+++ b/db/patch-2fa-invalidate-used-token.sql
@@ -0,0 +1,7 @@
+-- You should not modify if this have pushed to Github, unless it does serious wrong with the db.
+BEGIN TRANSACTION;
+
+ALTER TABLE user
+ ADD twofa_last_token VARCHAR(6);
+
+COMMIT;
diff --git a/server/database.js b/server/database.js
index 1030ffdd9..e97dea996 100644
--- a/server/database.js
+++ b/server/database.js
@@ -50,6 +50,7 @@ class Database {
 "patch-group-table.sql": true,
 "patch-monitor-push_token.sql": true,
 "patch-http-monitor-method-body-and-headers.sql": true,
+ "patch-2fa-invalidate-used-token.sql": true,
 }
 
 /**
diff --git a/server/server.js b/server/server.js
index c4d18869e..a6e26aabd 100644
--- a/server/server.js
+++ b/server/server.js
@@ -265,7 +265,7 @@ exports.entryPage = "dashboard";
 if (user) {
 afterLogin(socket, user);
 
- if (user.twofaStatus == 0) {
+ if (user.twofa_status == 0) {
 callback({
 ok: true,
 token: jwt.sign({
@@ -274,7 +274,7 @@ exports.entryPage = "dashboard";
 });
 }
 
- if (user.twofaStatus == 1 && !data.token) {
+ if (user.twofa_status == 1 && !data.token) {
 callback({
 tokenRequired: true,
 });
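Review bot: The rewritten guard `if (user.twofa_status == 0) {` (and `user.twofa_status == 1` in the hunk at -274) decides whether a JWT is signed without a second factor using loose equality; a strict `=== 0` / `=== 1` would make that decision depend only on the integer the column actually holds rather than on whatever happens to coerce to it. This assumes the field is read back as a number, which the page does not show — confirm against the schema before changing it. The enclosing login handler starts and ends outside the hunk.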
@@ -283,7 +283,13 @@ exports.entryPage = "dashboard";
 if (data.token) {
 let verify = notp.totp.verify(data.token, user.twofa_secret, twofa_verification_opts);
 
- if (verify && verify.delta == 0) {
+ if (user.twofa_last_token !== data.token && verify) {
+
+ await R.exec("UPDATE `user` SET twofa_last_token = ? WHERE id = ? ", [
+ data.token,
+ socket.userID,
+ ]);
+
 callback({
 ok: true,
 token: jwt.sign({
@@ -401,7 +407,7 @@ exports.entryPage = "dashboard";
 let verify = notp.totp.verify(token, user.twofa_secret, twofa_verification_opts);
 
- if (verify && verify.delta == 0) {
+ if (user.twofa_last_token !== token && verify) {
 callback({
 ok: true,
 valid: true,
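Review bot: The replay guard on the new `if (user.twofa_last_token !== data.token && verify) {` line is a check-then-act split between the already-loaded `user` row and the UPDATE a few lines below, so two logins presenting the same code concurrently can both read the stale `twofa_last_token`, both pass, and both be issued a JWT. Making the write itself conditional closes that gap: append `AND (twofa_last_token IS NULL OR twofa_last_token != ?)` to the UPDATE's WHERE clause, pass `data.token` a second time in the parameter array, and — if R.exec exposes an affected-row count — treat zero rows as a rejected code instead of calling back `ok: true`. Dropping the `verify.delta == 0` condition also widens acceptance to whatever window `twofa_verification_opts` allows, and a single stored token only blocks the most recent code, so a code from an adjacent time step can still be replayed inside that window once a different code has been used; at minimum that trade-off deserves a comment next to the guard. The hunk at -401 applies the same `twofa_last_token !== token` comparison but no matching UPDATE is visible within this view (its end lies outside the page), so a code verified there may not be consumed — verify against the rest of that handler. The enclosing socket handler starts and ends outside the hunk.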