

Fix OTP challenge rules
mathcoll committed Mar 18, 2023
1 parent fff2b23 commit 576553c
Showing 2 changed files with 18 additions and 4 deletions.
12 changes: 12 additions & 0 deletions CHANGELOG.md
Expand Up @@ -17,6 +17,18 @@ Types of changes
------------

## 2023
### Milestone 24 - 2023-03
**Added**
- [x] Implement tts (Text To Speech) to sockets
- [x] Added welcoming sound to sockets that can be played on ESP device
- [x] Adding "getObjects" to sockets functions in order to list all connected Objects from current user

**Fixed**
- [x] Fix OTP challenge rules

**Changed**
- [x] Switched otp to x-otp headers

### Milestone 23 - 2023-02
**Added**
- [x] Added OTP/2FA challenge as MVP on the authenticate process
10 changes: 6 additions & 4 deletions routes/index.js
Expand Up @@ -82,8 +82,6 @@ const challengeOTP = (res, req, rp, defaultUser) => new Promise((resolve, reject
// Threashold on Brute Force attempt - based on session
(bruteForceCount>otpBruteForceCount), // this is async and not available // TODO

// Do not create OTP challenge if the user already have one in the past 5 days
(req.user.lastOTP!==null && moment(parseInt(req.user.lastOTP, 10)).isBefore(moment().subtract(5, "days"))), // TODO
// or when user never had an OTP
(typeof req.user.lastOTP==="undefined" || req.user.lastOTP===null),

Expand All @@ -106,8 +104,12 @@ const challengeOTP = (res, req, rp, defaultUser) => new Promise((resolve, reject
}
}

// OTP requested from rules AND (either lastOTP never occured OR occured more than half the expiration)
if(otpChallenge && ( (typeof req.user.lastOTP==="undefined" || req.user.lastOTP===null) || (moment(parseInt(req.user.lastOTP, 10)).isBefore(moment().subtract(otpExpiresAfter/2, "minutes")))) ) {
if(otpChallenge &&
// OTP requested from rules AND (either lastOTP never occured OR occured more than half the expiration)
( (typeof req.user.lastOTP==="undefined" || req.user.lastOTP===null) || (moment(parseInt(req.user.lastOTP, 10)).isBefore(moment().subtract(otpExpiresAfter/2, "minutes")))) &&
// Do not create OTP challenge if the user already have one in the past 5 days
(req.user.lastOTP!==null && moment(parseInt(req.user.lastOTP, 10)).isBefore(moment().subtract(5, "days"))) // TODO
) {
// Do not send OTP challenge more than 2 times within the OTP duration
user.lastOTP = moment().format("x");
user.isOTP = true;
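Review bot: The rewritten condition in the second hunk of routes/index.js makes the "lastOTP never occurred" branch unreachable: the third conjunct requires `req.user.lastOTP!==null` and a valid `isBefore(...)`, so a `null` value fails outright and an `undefined` value yields `moment(NaN)`, whose `isBefore` is false — a user who has never been challenged will never receive an OTP challenge even when `otpChallenge` is true, which quietly weakens the 2FA rule the comment on the previous line claims to implement. The 5-day gate, once it is ANDed with the half-expiry gate, also makes the half-expiry check redundant unless `otpExpiresAfter/2` minutes exceeds five days, which is presumably not intended. I would compute the nullity check once and apply the time-based gates only when a prior OTP exists, as below; whether the 5-day rule is meant as an additional AND on top of the half-expiry rule should be confirmed with the author, and the literal `5` would be better hoisted next to `otpExpiresAfter`. The enclosing `challengeOTP` function starts and ends outside this hunk.
```javascript
// … unchanged: rule evaluation that sets otpChallenge …
const hasPriorOTP = typeof req.user.lastOTP !== "undefined" && req.user.lastOTP !== null;
const lastOTPAt = hasPriorOTP ? moment(parseInt(req.user.lastOTP, 10)) : null;
// Previous OTP is older than half the OTP lifetime
const pastHalfExpiry = hasPriorOTP && lastOTPAt.isBefore(moment().subtract(otpExpiresAfter/2, "minutes"));
// Previous OTP is older than the 5-day re-challenge window
const outsideRechallengeWindow = hasPriorOTP && lastOTPAt.isBefore(moment().subtract(5, "days")); // TODO: make the window configurable
// OTP requested from rules AND (never had an OTP, OR the last one is past both time gates)
if(otpChallenge && (!hasPriorOTP || (pastHalfExpiry && outsideRechallengeWindow))) {
// … unchanged: body that records lastOTP and sets isOTP …
```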

