domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Switch plaintext scratch tokens to use hash instead (#4331)

Browse source
This commit is contained in:
techknowlogick 2018-07-27 08:54:50 -04:00 committed by GitHub
parent ac968c3c6f
commit adf3f004b6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 118 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

6
routers/user/auth.go
View file

@ -306,7 +306,11 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo
// Validate the passcode with the stored TOTP secret.
if twofa.VerifyScratchToken(form.Token) {
// Invalidate the scratch token.
twofa.ScratchToken = ""
_, err = twofa.GenerateScratchToken()
if err != nil {
ctx.ServerError("UserSignIn", err)
return
}
if err = models.UpdateTwoFactor(twofa); err != nil {
ctx.ServerError("UserSignIn", err)
return