Merge pull request #743 from andreasbrett/patch-4

Harden 2FA/TOTP implementation according to rfc6238 (part 2)
3 years ago · d578300104
3 changed files with 18 additions and 4 deletions
--- a/db/patch-2fa-invalidate-used-token.sql
+++ b/db/patch-2fa-invalidate-used-token.sql
@ -0,0 +1,7 @@
+-- You should not modify if this have pushed to Github, unless it does serious wrong with the db.
+BEGIN TRANSACTION;
+
+ALTER TABLE user
+    ADD twofa_last_token VARCHAR(6);
+
+COMMIT;
--- a/server/database.js
+++ b/server/database.js
@ -50,6 +50,7 @@ class Database {
        "patch-group-table.sql": true,
        "patch-monitor-push_token.sql": true,
        "patch-http-monitor-method-body-and-headers.sql": true,
+        "patch-2fa-invalidate-used-token.sql": true,
    }

    /**
--- a/server/server.js
+++ b/server/server.js
@ -292,7 +292,7 @@ exports.entryPage = "dashboard";
            if (user) {
                afterLogin(socket, user);

-                if (user.twofaStatus == 0) {
+                if (user.twofa_status == 0) {
                    callback({
                        ok: true,
                        token: jwt.sign({
@ -301,7 +301,7 @@ exports.entryPage = "dashboard";
                    });
                }

-                if (user.twofaStatus == 1 && !data.token) {
+                if (user.twofa_status == 1 && !data.token) {
                    callback({
                        tokenRequired: true,
                    });
@ -310,7 +310,13 @@ exports.entryPage = "dashboard";
                if (data.token) {
                    let verify = notp.totp.verify(data.token, user.twofa_secret, twofa_verification_opts);

-                    if (verify && verify.delta == 0) {
+                    if (user.twofa_last_token !== data.token && verify) {
+
+                        await R.exec("UPDATE `user` SET twofa_last_token = ? WHERE id = ? ", [
+                            data.token,
+                            socket.userID,
+                        ]);
+
                        callback({
                            ok: true,
                            token: jwt.sign({
@ -428,7 +434,7 @@ exports.entryPage = "dashboard";

            let verify = notp.totp.verify(token, user.twofa_secret, twofa_verification_opts);

-            if (verify && verify.delta == 0) {
+            if (user.twofa_last_token !== token && verify) {
                callback({
                    ok: true,
                    valid: true,