Switch plaintext scratch tokens to use hash instead (#4331)

2025-07-12 13:37:20 +00:00 · 2018-07-27 08:54:50 -04:00
parent ac968c3c6f
commit adf3f004b6
5 changed files with 118 additions and 12 deletions
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@ -306,7 +306,11 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo
 	// Validate the passcode with the stored TOTP secret.
 	if twofa.VerifyScratchToken(form.Token) {
 		// Invalidate the scratch token.
-		twofa.ScratchToken = ""
+		_, err = twofa.GenerateScratchToken()
+		if err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
 		if err = models.UpdateTwoFactor(twofa); err != nil {
 			ctx.ServerError("UserSignIn", err)
 			return