Switch plaintext scratch tokens to use hash instead (#4331)

author: techknowlogick <techknowlogick@users.noreply.github.com> 2018-07-27 08:54:50 -0400
committer: GitHub <noreply@github.com> 2018-07-27 08:54:50 -0400
commit: adf3f004b65135e9375ae60dfd0d9ecba340342e (patch)
tree: 7878b7c6cd11a6f0911f36d71b358e73ea5bfbce /routers/user/auth.go
parent: ac968c3c6fab89043e11d44b656f2feea01b5931 (diff)
download: gitea-adf3f004b65135e9375ae60dfd0d9ecba340342e.tar.gz
gitea-adf3f004b65135e9375ae60dfd0d9ecba340342e.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go
index b24c56745d..e99f9d5de1 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -306,7 +306,11 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo
 	// Validate the passcode with the stored TOTP secret.
 	if twofa.VerifyScratchToken(form.Token) {
 		// Invalidate the scratch token.
-		twofa.ScratchToken = ""
+		_, err = twofa.GenerateScratchToken()
+		if err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
 		if err = models.UpdateTwoFactor(twofa); err != nil {
 			ctx.ServerError("UserSignIn", err)
 			return
author	techknowlogick <techknowlogick@users.noreply.github.com>	2018-07-27 08:54:50 -0400
committer	GitHub <noreply@github.com>	2018-07-27 08:54:50 -0400
commit	adf3f004b65135e9375ae60dfd0d9ecba340342e (patch)
tree	7878b7c6cd11a6f0911f36d71b358e73ea5bfbce /routers/user/auth.go
parent	ac968c3c6fab89043e11d44b656f2feea01b5931 (diff)
download	gitea-adf3f004b65135e9375ae60dfd0d9ecba340342e.tar.gz gitea-adf3f004b65135e9375ae60dfd0d9ecba340342e.zip