Merge pull request #642 from andreasbrett/patch-2

Harden 2FA/TOTP implementation according to rfc6238 (part 3)
This commit is contained in:
Louis Lam 2021-10-16 14:30:25 +08:00 committed by GitHub
commit 6ff3cb275e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -75,6 +75,12 @@ const port = parseInt(process.env.UPTIME_KUMA_PORT || process.env.PORT || args.p
const sslKey = process.env.UPTIME_KUMA_SSL_KEY || process.env.SSL_KEY || args["ssl-key"] || undefined; const sslKey = process.env.UPTIME_KUMA_SSL_KEY || process.env.SSL_KEY || args["ssl-key"] || undefined;
const sslCert = process.env.UPTIME_KUMA_SSL_CERT || process.env.SSL_CERT || args["ssl-cert"] || undefined; const sslCert = process.env.UPTIME_KUMA_SSL_CERT || process.env.SSL_CERT || args["ssl-cert"] || undefined;
// 2FA / notp verification defaults
const twofa_verification_opts = {
"window": 1,
"time": 30
}
/** /**
* Run unit test after the server is ready * Run unit test after the server is ready
* @type {boolean} * @type {boolean}
@ -272,7 +278,7 @@ exports.entryPage = "dashboard";
} }
if (data.token) { if (data.token) {
let verify = notp.totp.verify(data.token, user.twofa_secret); let verify = notp.totp.verify(data.token, user.twofa_secret, twofa_verification_opts);
if (verify && verify.delta == 0) { if (verify && verify.delta == 0) {
callback({ callback({
@ -390,7 +396,7 @@ exports.entryPage = "dashboard";
socket.userID, socket.userID,
]); ]);
let verify = notp.totp.verify(token, user.twofa_secret); let verify = notp.totp.verify(token, user.twofa_secret, twofa_verification_opts);
if (verify && verify.delta == 0) { if (verify && verify.delta == 0) {
callback({ callback({