Do not allow to reuse TOTP passcode (#3878)

author: Lauris BH <lauris@nix.lv> 2018-05-02 18:02:02 +0300
committer: GitHub <noreply@github.com> 2018-05-02 18:02:02 +0300
commit: 1e1ece8f3dce8ed9958f3bd5823c135d1c19eb49 (patch)
tree: ea20ecae0125334774662796a667570b71bbdd99 /routers
parent: c58e1e437bafe2023b34c16d03f22764ece94d38 (diff)
download: gitea-1e1ece8f3dce8ed9958f3bd5823c135d1c19eb49.tar.gz
gitea-1e1ece8f3dce8ed9958f3bd5823c135d1c19eb49.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/routers/user/auth.go b/routers/user/auth.go
index d44939f50d..4249f9e5f9 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -221,7 +221,7 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
 		return
 	}
 
-	if ok {
+	if ok && twofa.LastUsedPasscode != form.Passcode {
 		remember := ctx.Session.Get("twofaRemember").(bool)
 		u, err := models.GetUserByID(id)
 		if err != nil {
@@ -243,6 +243,12 @@ func TwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
 			}
 		}
 
+		twofa.LastUsedPasscode = form.Passcode
+		if err = models.UpdateTwoFactor(twofa); err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
 		handleSignIn(ctx, u, remember)
 		return
 	}
author	Lauris BH <lauris@nix.lv>	2018-05-02 18:02:02 +0300
committer	GitHub <noreply@github.com>	2018-05-02 18:02:02 +0300
commit	1e1ece8f3dce8ed9958f3bd5823c135d1c19eb49 (patch)
tree	ea20ecae0125334774662796a667570b71bbdd99 /routers
parent	c58e1e437bafe2023b34c16d03f22764ece94d38 (diff)
download	gitea-1e1ece8f3dce8ed9958f3bd5823c135d1c19eb49.tar.gz gitea-1e1ece8f3dce8ed9958f3bd5823c135d1c19eb49.zip