security: prevent same passcode from being reused

Reported by @cezar97.
2018-05-21 14:24:06 +08:00 · 2018-05-21 14:24:06 +08:00 · 01ccc2cc96
parent cd093a07a3
commit 01ccc2cc96
7 changed files with 267 additions and 237 deletions
--- a/conf/locale/locale_en-US.ini
+++ b/conf/locale/locale_en-US.ini
@ -351,6 +351,7 @@ two_factor_or_enter_secret = Or enter the secret:
 two_factor_then_enter_passcode = Then enter passcode:
 two_factor_verify = Verify
 two_factor_invalid_passcode = The passcode you entered is not valid, please try again!
+two_factor_reused_passcode = The passcode you entered has already been used, please try another one!
 two_factor_enable_error = Enable Two-factor authentication failed: %v
 two_factor_enable_success = Two-factor authentication has enabled for your account successfully!
 two_factor_recovery_codes_title = Two-factor Authentication Recovery Codes
--- a/gogs.go
+++ b/gogs.go
@ -16,7 +16,7 @@ import (
 	"github.com/gogits/gogs/pkg/setting"
 )

-const APP_VER = "0.11.48.0426"
+const APP_VER = "0.11.49.0521"

 func init() {
 	setting.AppVer = APP_VER
--- a/models/user.go
+++ b/models/user.go
@ -120,6 +120,11 @@ func (u *User) AfterSet(colName string, _ xorm.Cell) {
 	}
 }

+// IDStr returns string representation of user's ID.
+func (u *User) IDStr() string {
+	return com.ToStr(u.ID)
+}
+
 func (u *User) APIFormat() *api.User {
 	return &api.User{
 		ID:        u.ID,
--- a/models/user_cache.go
+++ b/models/user_cache.go
@ -0,0 +1,11 @@
+// Copyright 2018 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package models
+
+// TwoFactorCacheKey returns key used for cache two factor passcode.
+// e.g. TwoFactor_1_012664
+func (u *User) TwoFactorCacheKey(passcode string) string {
+	return "TwoFactor_" + u.IDStr() + "_" + passcode
+}
--- a/pkg/bindata/bindata.go
+++ b/pkg/bindata/bindata.go
--- a/routes/user/auth.go
+++ b/routes/user/auth.go
@ -209,7 +209,9 @@ func LoginTwoFactorPost(c *context.Context) {
 		c.ServerError("GetTwoFactorByUserID", err)
 		return
 	}
-	valid, err := t.ValidateTOTP(c.Query("passcode"))
+
+	passcode := c.Query("passcode")
+	valid, err := t.ValidateTOTP(passcode)
 	if err != nil {
 		c.ServerError("ValidateTOTP", err)
 		return
@ -224,6 +226,17 @@ func LoginTwoFactorPost(c *context.Context) {
 		c.ServerError("GetUserByID", err)
 		return
 	}
+
+	// Prevent same passcode from being reused
+	if c.Cache.IsExist(u.TwoFactorCacheKey(passcode)) {
+		c.Flash.Error(c.Tr("settings.two_factor_reused_passcode"))
+		c.Redirect(setting.AppSubURL + "/user/login/two_factor")
+		return
+	}
+	if err = c.Cache.Put(u.TwoFactorCacheKey(passcode), 1, 60); err != nil {
+		log.Error(2, "Failed to put cache 'two factor passcode': %v", err)
+	}
+
 	afterLogin(c, u, c.Session.Get("twoFactorRemember").(bool))
 }

--- a/templates/.VERSION
+++ b/templates/.VERSION
@ -1 +1 @@
-0.11.48.0426
+0.11.49.0521