jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

password reset: require and verify totpToken

Browse Source
This commit is contained in:
Girish Ramakrishnan
2021-08-11 12:08:28 -07:00
parent 5b10cb63f4
commit 04d377d20d
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/routes/cloudron.js
View File

@@ -35,6 +35,7 @@ const assert = require('assert'),
HttpError = require('connect-lastmile').HttpError,
HttpSuccess = require('connect-lastmile').HttpSuccess,
safe = require('safetydance'),
speakeasy = require('speakeasy'),
sysinfo = require('../sysinfo.js'),
system = require('../system.js'),
tokens = require('../tokens.js'),
@@ -95,6 +96,13 @@ async function passwordReset(req, res, next) {
if (error) return next(new HttpError(401, 'Invalid resetToken'));
if (!userObject) return next(new HttpError(401, 'Invalid resetToken'));
if (userObject.twoFactorAuthenticationEnabled) {
if (typeof req.body.totpToken !== 'string') return next(new HttpError(401, 'A totpToken must be provided'));
const verified = speakeasy.totp.verify({ secret: userObject.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken, window: 2 });
if (!verified) return next(new HttpError(401, 'Invalid totpToken'));
}
// if you fix the duration here, the emails and UI have to be fixed as well
if (Date.now() - userObject.resetTokenCreationTime > 7 * 24 * 60 * 60 * 1000) return next(new HttpError(401, 'Token expired'));
if (!userObject.username) return next(new HttpError(409, 'No username set'));