Do not allow to reuse TOTP passcode

lafriks · lafriks · commit a58db36f38fd · 2018-05-02T08:42:08.000+03:00
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
@@ -176,6 +176,8 @@ var migrations = []Migration{
 	NewMigration("add is_fsck_enabled column for repos", addFsckEnabledToRepo),
 	// v61 -> v62
 	NewMigration("add size column for attachments", addSizeToAttachment),
+	// v62 -> v63
+	NewMigration("add last used passcode column for TOTP", addLastUsedPasscodeTOTP),
 }
 
 // Migrate database to current version
diff --git a/models/migrations/v62.go b/models/migrations/v62.go
@@ -0,0 +1,22 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"github.com/go-xorm/xorm"
+)
+
+func addLastUsedPasscodeTOTP(x *xorm.Engine) error {
+	type TwoFactor struct {
+		LastUsedPasscode string `xorm:"VARCHAR(10)"`
+	}
+
+	if err := x.Sync2(new(TwoFactor)); err != nil {
+		return fmt.Errorf("Sync2: %v", err)
+	}
+	return nil
+}
diff --git a/models/twofactor.go b/models/twofactor.go
@@ -23,12 +23,13 @@ import (
 
 // TwoFactor represents a two-factor authentication token.
 type TwoFactor struct {
-	ID           int64 `xorm:"pk autoincr"`
-	UID          int64 `xorm:"UNIQUE"`
-	Secret       string
-	ScratchToken string
-	CreatedUnix  util.TimeStamp `xorm:"INDEX created"`
-	UpdatedUnix  util.TimeStamp `xorm:"INDEX updated"`
+	ID               int64 `xorm:"pk autoincr"`
+	UID              int64 `xorm:"UNIQUE"`
+	Secret           string
+	ScratchToken     string
+	LastUsedPasscode string         `xorm:"VARCHAR(10)"`
+	CreatedUnix      util.TimeStamp `xorm:"INDEX created"`
+	UpdatedUnix      util.TimeStamp `xorm:"INDEX updated"`
 }
 
 // GenerateScratchToken recreates the scratch token the user is using.
diff --git a/routers/user/auth.go b/routers/user/auth.go
@@ -221,7 +221,7 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
 		return
 	}
 
-	if ok {
+	if ok && twofa.LastUsedPasscode != form.Passcode {
 		remember := ctx.Session.Get("twofaRemember").(bool)
 		u, err := models.GetUserByID(id)
 		if err != nil {
@@ -243,6 +243,12 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
 			}
 		}
 
+		twofa.LastUsedPasscode = form.Passcode
+		if err = models.UpdateTwoFactor(twofa); err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
 		handleSignIn(ctx, u, remember)
 		return
 	}

Original file line number	Diff line number	Diff line change
`@@ -176,6 +176,8 @@ var migrations = []Migration{`
`176`	`176`	`NewMigration("add is_fsck_enabled column for repos", addFsckEnabledToRepo),`
`177`	`177`	`// v61 -> v62`
`178`	`178`	`NewMigration("add size column for attachments", addSizeToAttachment),`
	`179`	`+ // v62 -> v63`
	`180`	`+ NewMigration("add last used passcode column for TOTP", addLastUsedPasscodeTOTP),`
`179`	`181`	`}`
`180`	`182`
`181`	`183`	`// Migrate database to current version`
Original file line number	Diff line number	Diff line change
`@@ -221,7 +221,7 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {`
`221`	`221`	`return`
`222`	`222`	`}`
`223`	`223`
`224`		`- if ok {`
	`224`	`+ if ok && twofa.LastUsedPasscode != form.Passcode {`
`225`	`225`	`remember := ctx.Session.Get("twofaRemember").(bool)`
`226`	`226`	`u, err := models.GetUserByID(id)`
`227`	`227`	`if err != nil {`
`@@ -243,6 +243,12 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {`
`243`	`243`	`}`
`244`	`244`	`}`
`245`	`245`
	`246`	`+ twofa.LastUsedPasscode = form.Passcode`
	`247`	`+ if err = models.UpdateTwoFactor(twofa); err != nil {`
	`248`	`+ ctx.ServerError("UserSignIn", err)`
	`249`	`+ return`
	`250`	`+ }`
	`251`	`+`
`246`	`252`	`handleSignIn(ctx, u, remember)`
`247`	`253`	`return`
`248`	`254`	`}`