From 3f84a63e6d8f3dc08ed24f9558eee4c099d495e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?=
Date: Fri, 16 Dec 2022 17:54:46 +0100
Subject: [PATCH] Extend validity of totp tokens for up to a minute. (#1494)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Feat: Allow TOTP for up to one minute in the future and in the past
* Feat: Allow TOTP for up to one minute in the future and in the past

Co-authored-by: Adrià Casajús
---
 app/api/views/auth_mfa.py | 2 +-
 app/auth/views/mfa.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/api/views/auth_mfa.py b/app/api/views/auth_mfa.py
index ddf66251..aa770ca4 100644
--- a/app/api/views/auth_mfa.py
+++ b/app/api/views/auth_mfa.py
@@ -55,7 +55,7 @@ def auth_mfa():
 )
 totp = pyotp.TOTP(user.otp_secret)
- if not totp.verify(mfa_token):
+ if not totp.verify(mfa_token, valid_window=2):
 send_invalid_totp_login_email(user, "TOTP")
 return jsonify(error="Wrong TOTP Token"), 400
diff --git a/app/auth/views/mfa.py b/app/auth/views/mfa.py
index af915134..80dcb0bf 100644
--- a/app/auth/views/mfa.py
+++ b/app/auth/views/mfa.py
@@ -67,7 +67,7 @@ def mfa():
 token = otp_token_form.token.data.replace(" ", "")
- if totp.verify(token) and user.last_otp != token:
+ if totp.verify(token, valid_window=2) and user.last_otp != token:
 del session[MFA_USER_ID]
 user.last_otp = token
 Session.commit()
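Review bot: `valid_window=2` on the `+` line makes five consecutive codes acceptable at once (pyotp's default 30-second step, two steps on either side), but nothing in this hunk records the accepted token the way `app/auth/views/mfa.py` does with `user.last_otp`, so unless auth_mfa does that further down, a code that was observed or phished stays usable for roughly two and a half minutes instead of thirty seconds. The wider window also raises the chance that any single guess at the six-digit code succeeds, so the per-user attempt limit on this endpoint matters more than before; the hunk does not show whether one exists. The literal `2` is duplicated across both files; a shared named constant with a comment, e.g. `TOTP_VALID_WINDOW = 2  # ±2 × 30 s step: tolerate up to one minute of clock drift`, would keep the two call sites in step and document the intent stated in the commit message. auth_mfa's body continues outside the hunk.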
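Review bot: The `user.last_otp != token` guard on the `+` line remembers only the single most recent accepted code, which was enough when one code was valid at a time but not with `valid_window=2`: after a user authenticates with the current step's code and then with the next step's, the first code is still inside the accepted window and no longer matches `last_otp`, so the replay check no longer rejects it. RFC 6238 §5.2 asks that a verifier reject any code at or before the time-step it last accepted; persisting the accepted step counter (or acceptance time) rather than the token text, and rejecting tokens whose step is not newer than it, would restore the guarantee the old one-token check gave. mfa's body continues outside the hunk.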