mirror of
https://github.com/louislam/uptime-kuma.git
synced 2024-11-27 16:54:04 +00:00
invalidate used token
This commit is contained in:
parent
c6fc385289
commit
acc2995d86
3 changed files with 18 additions and 4 deletions
7
db/patch-2fa-invalidate-used-token.sql
Normal file
7
db/patch-2fa-invalidate-used-token.sql
Normal file
|
@ -0,0 +1,7 @@
|
|||
-- You should not modify if this have pushed to Github, unless it does serious wrong with the db.
|
||||
BEGIN TRANSACTION;
|
||||
|
||||
ALTER TABLE user
|
||||
ADD twofa_last_token VARCHAR(6);
|
||||
|
||||
COMMIT;
|
|
@ -50,6 +50,7 @@ class Database {
|
|||
"patch-group-table.sql": true,
|
||||
"patch-monitor-push_token.sql": true,
|
||||
"patch-http-monitor-method-body-and-headers.sql": true,
|
||||
"patch-2fa-invalidate-used-token.sql": true,
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -265,7 +265,7 @@ exports.entryPage = "dashboard";
|
|||
if (user) {
|
||||
afterLogin(socket, user);
|
||||
|
||||
if (user.twofaStatus == 0) {
|
||||
if (user.twofa_status == 0) {
|
||||
callback({
|
||||
ok: true,
|
||||
token: jwt.sign({
|
||||
|
@ -274,7 +274,7 @@ exports.entryPage = "dashboard";
|
|||
});
|
||||
}
|
||||
|
||||
if (user.twofaStatus == 1 && !data.token) {
|
||||
if (user.twofa_status == 1 && !data.token) {
|
||||
callback({
|
||||
tokenRequired: true,
|
||||
});
|
||||
|
@ -283,7 +283,13 @@ exports.entryPage = "dashboard";
|
|||
if (data.token) {
|
||||
let verify = notp.totp.verify(data.token, user.twofa_secret, twofa_verification_opts);
|
||||
|
||||
if (verify && verify.delta == 0) {
|
||||
if (user.twofa_last_token !== data.token && verify) {
|
||||
|
||||
await R.exec("UPDATE `user` SET twofa_last_token = ? WHERE id = ? ", [
|
||||
data.token,
|
||||
socket.userID,
|
||||
]);
|
||||
|
||||
callback({
|
||||
ok: true,
|
||||
token: jwt.sign({
|
||||
|
@ -401,7 +407,7 @@ exports.entryPage = "dashboard";
|
|||
|
||||
let verify = notp.totp.verify(token, user.twofa_secret, twofa_verification_opts);
|
||||
|
||||
if (verify && verify.delta == 0) {
|
||||
if (user.twofa_last_token !== token && verify) {
|
||||
callback({
|
||||
ok: true,
|
||||
valid: true,
|
||||
|
|
Loading…
Reference in a new issue