Do not allow to reuse TOTP passcode (#3878)

2025-07-13 14:07:20 +00:00 · 2018-05-02 18:02:02 +03:00
parent c58e1e437b
commit 1e1ece8f3d
4 changed files with 38 additions and 7 deletions
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@ -221,7 +221,7 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
 		return
 	}

-	if ok {
+	if ok && twofa.LastUsedPasscode != form.Passcode {
 		remember := ctx.Session.Get("twofaRemember").(bool)
 		u, err := models.GetUserByID(id)
 		if err != nil {
@ -243,6 +243,12 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
 			}
 		}

+		twofa.LastUsedPasscode = form.Passcode
+		if err = models.UpdateTwoFactor(twofa); err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
 		handleSignIn(ctx, u, remember)
 		return
 	}