
fix(auth): account enumeration with pseudo u2f and mfa (#709)

Karol Sójko 1 year ago
parent
commit
bbb35d16fc

+ 1 - 1
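--- a/packages/auth/src/Domain/UseCase/VerifyMFA.spec.ts
+++ b/packages/auth/src/Domain/UseCase/VerifyMFA.spec.ts
@@ -257,7 +257,7 @@ describe('VerifyMFA', () => {
     })
 
     it('should not pass if user is not found and pseudo u2f is required', async () => {
-      booleanSelector.select = jest.fn().mockReturnValueOnce(false).mockReturnValueOnce(true)
+      booleanSelector.select = jest.fn().mockReturnValueOnce(true).mockReturnValueOnce(true)
       userRepository.findOneByUsernameOrEmail = jest.fn().mockReturnValue(null)
 
       expect(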
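Review bot: The chained `mockReturnValueOnce(true).mockReturnValueOnce(true)` on the changed line silently encodes the order in which VerifyMFA now consults `booleanSelector.select` (the second-factor selector first, then the U2F selector), and nothing in the test states that order or checks that both calls happen, so the mock alone does not distinguish the new nested gating from the previous unconditional evaluation of both selectors. A one-line comment such as `// 1st select: pseudo second factor required; 2nd select: U2F rather than TOTP` would record the intent, and `expect(booleanSelector.select).toHaveBeenCalledTimes(2)` after the assertion would pin that the U2F selector is consulted only once the first selector has fired; a matching `toHaveBeenCalledTimes(1)` in the not-required case would complete that, if such a case exists elsewhere in the file. The `it` block's assertion continues outside the hunk.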

+ 24 - 24
packages/auth/src/Domain/UseCase/VerifyMFA.ts

@@ -48,33 +48,33 @@ export class VerifyMFA implements UseCaseInterface {
 
 
       const user = await this.userRepository.findOneByUsernameOrEmail(username)
       const user = await this.userRepository.findOneByUsernameOrEmail(username)
       if (user == null) {
       if (user == null) {
-        const mfaSelectorHash = crypto
+        const secondFactorSelectorHash = crypto
           .createHash('sha256')
           .createHash('sha256')
-          .update(`mfa-selector-${dto.email}${this.pseudoKeyParamsKey}`)
+          .update(`second-factor-selector-${dto.email}${this.pseudoKeyParamsKey}`)
           .digest('hex')
           .digest('hex')
-        const u2fSelectorHash = crypto
-          .createHash('sha256')
-          .update(`u2f-selector-${dto.email}${this.pseudoKeyParamsKey}`)
-          .digest('hex')
-
-        const isPseudoMFARequired = this.booleanSelector.select(mfaSelectorHash, [true, false])
-
-        const isPseudoU2FRequired = this.booleanSelector.select(u2fSelectorHash, [true, false])
 
 
-        if (isPseudoMFARequired) {
-          return {
-            success: false,
-            errorTag: ErrorTag.MfaRequired,
-            errorMessage: 'Please enter your two-factor authentication code.',
-            errorPayload: { mfa_key: `mfa_${uuidv4()}` },
-          }
-        }
-
-        if (isPseudoU2FRequired) {
-          return {
-            success: false,
-            errorTag: ErrorTag.U2FRequired,
-            errorMessage: 'Please authenticate with your U2F device.',
+        const isPseudoSecondFactorRequired = this.booleanSelector.select(secondFactorSelectorHash, [true, false])
+        if (isPseudoSecondFactorRequired) {
+          const u2fSelectorHash = crypto
+            .createHash('sha256')
+            .update(`u2f-selector-${dto.email}${this.pseudoKeyParamsKey}`)
+            .digest('hex')
+
+          const isPseudoU2FRequired = this.booleanSelector.select(u2fSelectorHash, [true, false])
+
+          if (isPseudoU2FRequired) {
+            return {
+              success: false,
+              errorTag: ErrorTag.U2FRequired,
+              errorMessage: 'Please authenticate with your U2F device.',
+            }
+          } else {
+            return {
+              success: false,
+              errorTag: ErrorTag.MfaRequired,
+              errorMessage: 'Please enter your two-factor authentication code.',
+              errorPayload: { mfa_key: `mfa_${uuidv4()}` },
+            }
           }
           }
         }
         }