Build(deps): Bump rotp from 3.3.1 to 5.1.0 (#8477)
* Build(deps): Bump rotp from 3.3.1 to 5.1.0 Bumps [rotp](https://github.com/mdp/rotp) from 3.3.1 to 5.1.0. - [Release notes](https://github.com/mdp/rotp/releases) - [Changelog](https://github.com/mdp/rotp/blob/master/CHANGELOG.md) - [Commits](https://github.com/mdp/rotp/compare/v3.3.1...v5.1.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Fix breaking ROTP changes
This commit is contained in:
parent
5cef71e885
commit
9b30922109
|
@ -315,7 +315,8 @@ GEM
|
||||||
request_store (1.4.1)
|
request_store (1.4.1)
|
||||||
rack (>= 1.4)
|
rack (>= 1.4)
|
||||||
rinku (2.0.6)
|
rinku (2.0.6)
|
||||||
rotp (3.3.1)
|
rotp (5.1.0)
|
||||||
|
addressable (~> 2.5)
|
||||||
rqrcode (0.10.1)
|
rqrcode (0.10.1)
|
||||||
chunky_png (~> 1.0)
|
chunky_png (~> 1.0)
|
||||||
rspec (3.8.0)
|
rspec (3.8.0)
|
||||||
|
|
|
@ -1219,7 +1219,7 @@ class UsersController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_second_factor_totp
|
def create_second_factor_totp
|
||||||
totp_data = ROTP::Base32.random_base32
|
totp_data = ROTP::Base32.random
|
||||||
secure_session["staged-totp-#{current_user.id}"] = totp_data
|
secure_session["staged-totp-#{current_user.id}"] = totp_data
|
||||||
qrcode_svg = RQRCode::QRCode.new(current_user.totp_provisioning_uri(totp_data)).as_svg(
|
qrcode_svg = RQRCode::QRCode.new(current_user.totp_provisioning_uri(totp_data)).as_svg(
|
||||||
offset: 0,
|
offset: 0,
|
||||||
|
@ -1295,7 +1295,11 @@ class UsersController < ApplicationController
|
||||||
RateLimiter.new(nil, "second-factor-min-#{key}", 3, 1.minute).performed!
|
RateLimiter.new(nil, "second-factor-min-#{key}", 3, 1.minute).performed!
|
||||||
end
|
end
|
||||||
|
|
||||||
authenticated = !auth_token.blank? && totp_object.verify_with_drift(auth_token, 30)
|
authenticated = !auth_token.blank? && totp_object.verify(
|
||||||
|
auth_token,
|
||||||
|
drift_ahead: SecondFactorManager::TOTP_ALLOWED_DRIFT_SECONDS,
|
||||||
|
drift_behind: SecondFactorManager::TOTP_ALLOWED_DRIFT_SECONDS
|
||||||
|
)
|
||||||
unless authenticated
|
unless authenticated
|
||||||
return render json: failed_json.merge(
|
return render json: failed_json.merge(
|
||||||
error: I18n.t("login.invalid_second_factor_code")
|
error: I18n.t("login.invalid_second_factor_code")
|
||||||
|
|
|
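Review bot: The `authenticated` local assigned at the top of the 1295 hunk is no longer a boolean: ROTP 5's `verify` returns the matched timestamp (an Integer) or nil where `verify_with_drift` returned true/false, so the name now misleads and, should the value ever be rendered into the JSON response, it would leak a time-step. The drift change itself looks equivalent (±30 s before and after) and the absence of `after:` matches the old call, which is presumably acceptable here because the secret being checked is still staged (`secure_session["staged-totp-…"]` in the 1219 hunk) rather than enabled — that cannot be confirmed from the visible lines. I would coerce at the assignment, `authenticated = !auth_token.blank? && !!totp_object.verify(`, or rename the local to `matched_at` so the type is evident. The enclosing method starts and ends outside the hunk.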
@ -1,13 +1,15 @@
|
||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
module SecondFactorManager
|
module SecondFactorManager
|
||||||
|
TOTP_ALLOWED_DRIFT_SECONDS = 30
|
||||||
|
|
||||||
extend ActiveSupport::Concern
|
extend ActiveSupport::Concern
|
||||||
|
|
||||||
def create_totp(opts = {})
|
def create_totp(opts = {})
|
||||||
UserSecondFactor.create!({
|
UserSecondFactor.create!({
|
||||||
user_id: self.id,
|
user_id: self.id,
|
||||||
method: UserSecondFactor.methods[:totp],
|
method: UserSecondFactor.methods[:totp],
|
||||||
data: ROTP::Base32.random_base32
|
data: ROTP::Base32.random
|
||||||
}.merge(opts))
|
}.merge(opts))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -30,7 +32,13 @@ module SecondFactorManager
|
||||||
last_used = totp.last_used.to_i
|
last_used = totp.last_used.to_i
|
||||||
end
|
end
|
||||||
|
|
||||||
authenticated = !token.blank? && totp.get_totp_object.verify_with_drift_and_prior(token, 30, last_used)
|
authenticated = !token.blank? && totp.get_totp_object.verify(
|
||||||
|
token,
|
||||||
|
drift_ahead: TOTP_ALLOWED_DRIFT_SECONDS,
|
||||||
|
drift_behind: TOTP_ALLOWED_DRIFT_SECONDS,
|
||||||
|
after: last_used
|
||||||
|
)
|
||||||
|
|
||||||
if authenticated
|
if authenticated
|
||||||
totp.update!(last_used: DateTime.now)
|
totp.update!(last_used: DateTime.now)
|
||||||
break
|
break
|
||||||
|
|
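Review bot: `totp.update!(last_used: DateTime.now)` at the bottom of the hunk records the wall-clock time of the check rather than the time step of the code that matched, so the `after: last_used` filter added above still leaves a one-step replay window for drift-ahead codes: a code for step T+1 accepted during step T sets `last_used` to a time in step T, and `after:` only excludes steps <= T, so the same code is accepted again during step T+1. ROTP 5's `verify` returns the matched timestamp (Integer seconds) for exactly this purpose, so persisting that instead — `totp.update!(last_used: Time.at(authenticated))` — closes the window; confirm the return-value contract against the ROTP 5 changelog linked in the commit, since it is not visible here. Note also that `last_used = totp.last_used.to_i` above relies on ActiveSupport's `DateTime#to_i`, which ROTP's `after:` accepts as an epoch integer. The enclosing loop and method start and end outside the hunk.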