From 01ccc2cc967935d4093ad3067e2b45bda80653a3 Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Mon, 21 May 2018 14:24:06 +0800
Subject: security: prevent same passcode from being reused

Reported by @cezar97.
---
 routes/user/auth.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'routes/user/auth.go')

diff --git a/routes/user/auth.go b/routes/user/auth.go
index bf689f9a..85b6bd4c 100644
--- a/routes/user/auth.go
+++ b/routes/user/auth.go
@@ -209,7 +209,9 @@ func LoginTwoFactorPost(c *context.Context) {
 c.ServerError("GetTwoFactorByUserID", err)
 return
 }
- valid, err := t.ValidateTOTP(c.Query("passcode"))
+
+ passcode := c.Query("passcode")
+ valid, err := t.ValidateTOTP(passcode)
 if err != nil {
 c.ServerError("ValidateTOTP", err)
 return
@@ -224,6 +226,17 @@ func LoginTwoFactorPost(c *context.Context) {
 c.ServerError("GetUserByID", err)
 return
 }
+
+ // Prevent same passcode from being reused
+ if c.Cache.IsExist(u.TwoFactorCacheKey(passcode)) {
+ c.Flash.Error(c.Tr("settings.two_factor_reused_passcode"))
+ c.Redirect(setting.AppSubURL + "/user/login/two_factor")
+ return
+ }
+ if err = c.Cache.Put(u.TwoFactorCacheKey(passcode), 1, 60); err != nil {
+ log.Error(2, "Failed to put cache 'two factor passcode': %v", err)
+ }
+
 afterLogin(c, u, c.Session.Get("twoFactorRemember").(bool))
 }
-- 
cgit v1.2.3
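Review bot: The replay guard in the second hunk fails open: when `c.Cache.Put(...)` returns an error the failure is only logged and `afterLogin` still runs, so a cache outage silently disables the very control this commit adds, and a passcode accepted during that window can be replayed until it expires. Since every other failure in this handler aborts with `c.ServerError`, the same should apply here: `if err = c.Cache.Put(u.TwoFactorCacheKey(passcode), 1, 60); err != nil { c.ServerError("PutTwoFactorPasscodeCache", err); return }`. The `IsExist` followed by `Put` is also a check-then-act pair, so two concurrent submissions of the same passcode can both pass the check before either key is written; whether the cache backend offers an atomic set-if-absent I cannot tell from the hunk, but if it does it would close that window. The TTL of 60 seconds should be tied to the validity window `ValidateTOTP` accepts (including any clock-skew allowance), which is not visible here; a comment such as `// must cover the full acceptance window of ValidateTOTP, including skew` would let a maintainer verify the two stay in step. LoginTwoFactorPost begins before the first hunk.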