fix: temp two factor secret checking on two factor reset

2021-04-19 16:46:43 +01:00 · 2021-04-19 16:46:43 +01:00 · 357fe75427
commit 357fe75427
parent 928caaf167
2 changed files with 6 additions and 2 deletions
--- a/lib/new-admin/graphql/modules/authentication.js
+++ b/lib/new-admin/graphql/modules/authentication.js
@ -272,8 +272,12 @@ const reset2FA = (token, userID, code, secret, context) => {
  return users.getUserById(userID)
    .then(user => {
      destroySessionIfSameUser(context, user)
-      return users.reset2FASecret(token, user.id, secret).then(() => true)
+      if (user.temp_twofa_code !== secret) {
+        throw new authErrors.InvalidTwoFactorError()
+      }
+      return users.reset2FASecret(token, user.id, secret)
    })
+    .then(() => true)
    .catch(err => console.error(err))
 }