Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow TOTP reuse #4911

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
+49 −1
Open

Disallow TOTP reuse #4911

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fc5d0a0
Disallow TOTP reuse
segiddins Jul 20, 2024
58f55fe
Save correct last_totp_at after verifying
segiddins Jul 22, 2024
0562dcb
Travel in between totp requests
segiddins Jul 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion app/models/concerns/user_totp_methods.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,10 @@ def verify_totp(seed, otp)
return false if seed.blank?

totp = ROTP::TOTP.new(seed)
return false unless totp.verify(otp, drift_behind: 30, drift_ahead: 30)
totp_at = totp.verify(otp, drift_behind: 30, drift_ahead: 30, after: last_totp_at)
return false if totp_at.blank?

self.last_totp_at = Time.at(totp_at).utc
save!(validate: false)
end
end
5 changes: 5 additions & 0 deletions db/migrate/20240720201622_add_last_totp_at_to_users.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
class AddLastTotpAtToUsers < ActiveRecord::Migration[7.1]
def change
add_column :users, :last_totp_at, :timestamp, null: true
end
end
1 change: 1 addition & 0 deletions db/schema.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -519,6 +519,7 @@
t.string "mfa_hashed_recovery_codes", default: [], array: true
t.boolean "public_email", default: false, null: false
t.datetime "deleted_at"
t.datetime "last_totp_at", precision: nil
t.index "lower((email)::text) varchar_pattern_ops", name: "index_users_on_lower_email"
t.index ["email"], name: "index_users_on_email"
t.index ["handle"], name: "index_users_on_handle"
Expand Down
2 changes: 2 additions & 0 deletions test/functional/api/v1/deletions_controller_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -328,6 +328,8 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase

should "not include mfa warnings" do
@gems.each_value do |gem|
travel_to 30.seconds.from_now

@request.env["HTTP_OTP"] = ROTP::TOTP.new(@user.totp_seed).now
delete :create, params: { gem_name: gem[:name], version: gem[:version] }

Expand Down
4 changes: 4 additions & 0 deletions test/functional/multifactor_auths_controller_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -672,6 +672,8 @@ class MultifactorAuthsControllerTest < ActionController::TestCase

should "redirect user back to mfa_redirect_uri after successful mfa setup" do
@redirect_paths.each do |path|
travel_to 30.seconds.from_now

session[:mfa_redirect_uri] = path
put :update, params: { level: "ui_and_api" }
put :otp_update, params: { otp: ROTP::TOTP.new(@seed).now, level: "ui_and_api" }
Expand All @@ -694,6 +696,8 @@ class MultifactorAuthsControllerTest < ActionController::TestCase

should "redirect user back to mfa_redirect_uri after a failed setup + successful setup" do
@redirect_paths.each do |path|
travel_to 30.seconds.from_now

session[:mfa_redirect_uri] = path
put :update, params: { level: "ui_and_api" }
put :otp_update, params: { otp: "12345", level: "ui_and_api" }
Expand Down
34 changes: 34 additions & 0 deletions test/models/concerns/user_multifactor_methods_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -410,6 +410,23 @@ class UserMultifactorMethodsTest < ActiveSupport::TestCase

refute @user.ui_mfa_verified?(ROTP::TOTP.new(ROTP::Base32.random_base32).now)
end

should "return false when reused" do
code = ROTP::TOTP.new(@user.totp_seed).now

assert @user.ui_mfa_verified?(code)
refute @user.ui_mfa_verified?(code)
end

should "return true after waiting for the next interval" do
code = ROTP::TOTP.new(@user.totp_seed).now

assert @user.ui_mfa_verified?(code)
travel_to 30.seconds.from_now do
refute @user.ui_mfa_verified?(code)
assert @user.ui_mfa_verified?(ROTP::TOTP.new(@user.totp_seed).now)
end
end
end

context "with webauthn otp" do
Expand Down Expand Up @@ -453,6 +470,23 @@ class UserMultifactorMethodsTest < ActiveSupport::TestCase
should "return false if otp is incorrect" do
refute @user.api_mfa_verified?(ROTP::TOTP.new(ROTP::Base32.random_base32).now)
end

should "return false when reused" do
code = ROTP::TOTP.new(@user.totp_seed).now

assert @user.api_mfa_verified?(code)
refute @user.api_mfa_verified?(code)
end

should "return true after waiting for the next interval" do
code = ROTP::TOTP.new(@user.totp_seed).now

assert @user.api_mfa_verified?(code)
travel_to 30.seconds.from_now do
refute @user.api_mfa_verified?(code)
assert @user.api_mfa_verified?(ROTP::TOTP.new(@user.totp_seed).now)
end
end
end

context "with webauthn otp" do
Expand Down