fix: totp code validation (#1228)

accounts-js · Jun 28, 2022 · 2afcb84 · 2afcb84
1 parent 60d88ed
commit 2afcb84
Show file tree

Hide file tree

Showing 4 changed files with 576 additions and 274 deletions.
diff --git a/.changeset/nasty-meals-whisper.md b/.changeset/nasty-meals-whisper.md
@@ -0,0 +1,6 @@
+---
+'@accounts/password': patch
+'@accounts/two-factor': patch
+---
+
+Fix critical issue with "Two-Factor" not validating TOTP codes correctly due to a flawed version of @levminer/speakeasy
diff --git a/packages/two-factor/package.json b/packages/two-factor/package.json
@@ -27,7 +27,7 @@
   },
   "dependencies": {
     "@accounts/types": "^0.33.2",
-    "@levminer/speakeasy": "1.3.1",
+    "@levminer/speakeasy": "1.3.3",
     "tslib": "2.3.1"
   },
   "devDependencies": {

diff --git a/packages/two-factor/src/two-factor.ts b/packages/two-factor/src/two-factor.ts
@@ -15,6 +15,21 @@ export class TwoFactor {
   private db!: DatabaseInterface;
   private serviceName = 'two-factor';
 
+  private verifyTOTPCode(secret: string, code: string): Boolean {
+    try {
+      const verified = totp.verify({
+        secret,
+        encoding: 'base32',
+        token: code,
+        window: this.options.window,
+      });
+      if (verified) return true;
+    } catch (e) {
+      //
+    }
+    return false;
+  }
+
   constructor(options: AccountsTwoFactorOptions = {}) {
     this.options = { ...defaultOptions, ...options };
   }
@@ -39,14 +54,8 @@ export class TwoFactor {
     if (!twoFactorService) {
       throw new Error(this.options.errors.userTwoFactorNotSet);
     }
-    if (
-      !totp.verify({
-        secret: twoFactorService.secret.base32,
-        encoding: 'base32',
-        token: code,
-        window: this.options.window,
-      })
-    ) {
+
+    if (!this.verifyTOTPCode(twoFactorService.secret.base32, code)) {
       throw new Error(this.options.errors.codeDidNotMatch);
     }
   }
@@ -81,14 +90,7 @@ export class TwoFactor {
       throw new Error(this.options.errors.userTwoFactorAlreadySet);
     }
 
-    if (
-      totp.verify({
-        secret: secret.base32,
-        encoding: 'base32',
-        token: code,
-        window: this.options.window,
-      })
-    ) {
+    if (this.verifyTOTPCode(secret.base32, code)) {
       twoFactorService = {
         secret,
       };
@@ -115,14 +117,7 @@ export class TwoFactor {
     if (!twoFactorService) {
       throw new Error(this.options.errors.userTwoFactorNotSet);
     }
-    if (
-      totp.verify({
-        secret: twoFactorService.secret.base32,
-        encoding: 'base32',
-        token: code,
-        window: this.options.window,
-      })
-    ) {
+    if (this.verifyTOTPCode(twoFactorService.secret.base32, code)) {
       await this.db.unsetService(userId, this.serviceName);
     } else {
       throw new Error(this.options.errors.codeDidNotMatch);