geforkt von mirrored/vaultwarden
Fixed issue/request #705
Added a config option to disable time drifted totp codes. Default is false, since this is what the RFC recommends.
Dieser Commit ist enthalten in:
Ursprung
9ff577a7b4
Commit
3f6809bcdf
3 geänderte Dateien mit 22 neuen und 2 gelöschten Zeilen
|
@ -140,6 +140,18 @@
|
||||||
## After that, you should be able to follow the rest of the guide linked above,
|
## After that, you should be able to follow the rest of the guide linked above,
|
||||||
## ignoring the fields that ask for the values that you already configured beforehand.
|
## ignoring the fields that ask for the values that you already configured beforehand.
|
||||||
|
|
||||||
|
## Authenticator Settings
|
||||||
|
## Disable authenticator time drifted codes to be valid.
|
||||||
|
## TOTP codes of the previous and next 30 seconds will be invalid
|
||||||
|
##
|
||||||
|
## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
|
||||||
|
## we allow by default the TOTP code which was valid one step back and one in the future.
|
||||||
|
## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
|
||||||
|
## You can disable this, so that only the current TOTP Code is allowed.
|
||||||
|
## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
|
||||||
|
## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
|
||||||
|
# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
|
||||||
|
|
||||||
## Rocket specific settings, check Rocket documentation to learn more
|
## Rocket specific settings, check Rocket documentation to learn more
|
||||||
# ROCKET_ENV=staging
|
# ROCKET_ENV=staging
|
||||||
# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
|
# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
|
||||||
|
|
|
@ -11,6 +11,8 @@ use crate::db::{
|
||||||
DbConn,
|
DbConn,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
pub use crate::config::CONFIG;
|
||||||
|
|
||||||
pub fn routes() -> Vec<Route> {
|
pub fn routes() -> Vec<Route> {
|
||||||
routes![
|
routes![
|
||||||
generate_authenticator,
|
generate_authenticator,
|
||||||
|
@ -118,9 +120,11 @@ pub fn validate_totp_code(user_uuid: &str, totp_code: u64, secret: &str, conn: &
|
||||||
.expect("Earlier than 1970-01-01 00:00:00 UTC").as_secs();
|
.expect("Earlier than 1970-01-01 00:00:00 UTC").as_secs();
|
||||||
|
|
||||||
// The amount of steps back and forward in time
|
// The amount of steps back and forward in time
|
||||||
let steps = 1;
|
// Also check if we need to disable time drifted TOTP codes.
|
||||||
for step in -steps..=steps {
|
// If that is the case, we set the steps to 0 so only the current TOTP is valid.
|
||||||
|
let steps = if CONFIG.authenticator_disable_time_drift() { 0 } else { 1 };
|
||||||
|
|
||||||
|
for step in -steps..=steps {
|
||||||
let time_step = (current_time / 30) as i32 + step;
|
let time_step = (current_time / 30) as i32 + step;
|
||||||
// We need to calculate the time offsite and cast it as an i128.
|
// We need to calculate the time offsite and cast it as an i128.
|
||||||
// Else we can't do math with it on a default u64 variable.
|
// Else we can't do math with it on a default u64 variable.
|
||||||
|
|
|
@ -275,6 +275,10 @@ make_config! {
|
||||||
/// Note that the checkbox would still be present, but ignored.
|
/// Note that the checkbox would still be present, but ignored.
|
||||||
disable_2fa_remember: bool, true, def, false;
|
disable_2fa_remember: bool, true, def, false;
|
||||||
|
|
||||||
|
/// Disable authenticator time drifted codes to be valid |> Enabling this only allows the current TOTP code to be valid
|
||||||
|
/// TOTP codes of the previous and next 30 seconds will be invalid.
|
||||||
|
authenticator_disable_time_drift: bool, true, def, false;
|
||||||
|
|
||||||
/// Require new device emails |> When a user logs in an email is required to be sent.
|
/// Require new device emails |> When a user logs in an email is required to be sent.
|
||||||
/// If sending the email fails the login attempt will fail.
|
/// If sending the email fails the login attempt will fail.
|
||||||
require_device_email: bool, true, def, false;
|
require_device_email: bool, true, def, false;
|
||||||
|
|
Laden …
In neuem Issue referenzieren