author | Unknwon <u@gogs.io> | 2018-05-21 14:24:06 +0800 |
---|---|---|
committer | Unknwon <u@gogs.io> | 2018-05-21 14:24:06 +0800 |
commit | 01ccc2cc967935d4093ad3067e2b45bda80653a3 (patch) | |
tree | b52062569bb0efac16641a70f664749107476513 /routes/user | |
parent | cd093a07a3b8e0c52c93682d325c5b44f9f2dd63 (diff) |
security: prevent same passcode from being reused
Reported by @cezar97.
Diffstat (limited to 'routes/user')
-rw-r--r-- | routes/user/auth.go | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/routes/user/auth.go b/routes/user/auth.go
index bf689f9a..85b6bd4c 100644
--- a/routes/user/auth.go
+++ b/routes/user/auth.go
@@ -209,7 +209,9 @@ func LoginTwoFactorPost(c *context.Context) {
 c.ServerError("GetTwoFactorByUserID", err)
 return
 }
- valid, err := t.ValidateTOTP(c.Query("passcode"))
+
+ passcode := c.Query("passcode")
+ valid, err := t.ValidateTOTP(passcode)
 if err != nil {
 c.ServerError("ValidateTOTP", err)
 return
@@ -224,6 +226,17 @@ func LoginTwoFactorPost(c *context.Context) {
 c.ServerError("GetUserByID", err)
 return
 }
+
+ // Prevent same passcode from being reused
+ if c.Cache.IsExist(u.TwoFactorCacheKey(passcode)) {
+ c.Flash.Error(c.Tr("settings.two_factor_reused_passcode"))
+ c.Redirect(setting.AppSubURL + "/user/login/two_factor")
+ return
+ }
+ if err = c.Cache.Put(u.TwoFactorCacheKey(passcode), 1, 60); err != nil {
+ log.Error(2, "Failed to put cache 'two factor passcode': %v", err)
+ }
+
 afterLogin(c, u, c.Session.Get("twoFactorRemember").(bool))
 }
|
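Review bot: The replay guard in the second hunk is check-then-set: `c.Cache.IsExist` and `c.Cache.Put` are separate calls, so two requests carrying the same valid passcode that race between them can both reach `afterLogin`; unless the cache backend offers an atomic add-if-absent (not visible here), a per-user lock around the pair or a single conditional put is needed to close that window. The 60-second TTL is a magic number that has to be at least as long as the acceptance window `t.ValidateTOTP` allows (including any clock-skew steps), otherwise a code becomes replayable once the cache entry expires while the code is still accepted; naming it, e.g. `const twoFactorPasscodeReuseTTL = 60 // seconds; must cover ValidateTOTP's acceptance window`, makes that coupling explicit. When `Put` fails the error is only logged and login proceeds, so a cache outage silently disables the protection; if that is the intended trade-off a comment such as `// best-effort: a cache failure must not lock users out, at the cost of replay protection` should say so, otherwise fail closed with `c.ServerError("PutCache", err)` and `return`. LoginTwoFactorPost starts before the first hunk and part of its body lies between the two hunks, so the surrounding control flow is not visible here.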