lamassu/lamassu-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: temp two factor secret checking on two factor reset

Browse source
This commit is contained in:
Sérgio Salgado 2021-04-19 16:46:43 +01:00 committed by Josh Harvey
parent 928caaf167
commit 357fe75427
2 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
lib/new-admin/graphql/modules/authentication.js
View file

@ -272,8 +272,12 @@ const reset2FA = (token, userID, code, secret, context) => {
return users.getUserById(userID) return users.getUserById(userID)
.then(user => { .then(user => {
destroySessionIfSameUser(context, user) destroySessionIfSameUser(context, user)
return users.reset2FASecret(token, user.id, secret).then(() => true) if (user.temp_twofa_code !== secret) {
throw new authErrors.InvalidTwoFactorError()
}
return users.reset2FASecret(token, user.id, secret)
}) })
.then(() => true)
.catch(err => console.error(err)) .catch(err => console.error(err))
} }

2
lib/users.js
View file

@ -89,7 +89,7 @@ function reset2FASecret (token, id, secret) {
return validateAuthToken(token, 'reset_twofa').then(res => { return validateAuthToken(token, 'reset_twofa').then(res => {
if (!res.success) throw new Error('Failed to verify 2FA reset token') if (!res.success) throw new Error('Failed to verify 2FA reset token')
return db.tx(t => { return db.tx(t => {
const q1 = t.none('UPDATE users SET twofa_code=$1 WHERE id=$2', [secret, id]) const q1 = t.none('UPDATE users SET twofa_code=$1, temp_twofa_code=NULL WHERE id=$2', [secret, id])
const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id]) const q2 = t.none(`DELETE FROM user_sessions WHERE sess -> 'user' ->> 'id'=$1`, [id])
const q3 = t.none(`DELETE FROM auth_tokens WHERE token=$1 and type='reset_twofa'`, [token]) const q3 = t.none(`DELETE FROM auth_tokens WHERE token=$1 and type='reset_twofa'`, [token])
return t.batch([q1, q2, q3]) return t.batch([q1, q2, q3])