Added secret validation

2025-06-06 18:08:33 +02:00 · 2024-05-03 16:37:14 -07:00 · 2024-05-03 16:37:14 -07:00 · 18a2305c35
commit 18a2305c35
parent f8d1d553df
2 changed files with 18 additions and 9 deletions
--- a/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js
+++ b/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js
@ -111,7 +111,17 @@ export default class MultiFactorAuthenticationOptions extends OptionsWidget {
  }

  save() {
-    // TODO: CHECK VALIDITY OF SECRET
+    const key = this.$totpSecretInput.val();
+    const regex = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+/;
+
+    if (key.length != 52) {
+      toastService.showError("Invalid Secret", 2000);
+      return;
+    }
+    if (regex.test(key)) {
+      toastService.showError("Invalid Secret", 2000);
+      return;
+    }

    server
      .post("totp/set", {
--- a/src/routes/api/totp.ts
+++ b/src/routes/api/totp.ts
@ -1,13 +1,10 @@
 import options = require("../../services/options");
 import totp_secret = require("../../services/encryption/totp_secret");
 import { Request } from "express";
-import totp_fs = require("../../services/totp_secret")
+import totp_fs = require("../../services/totp_secret");
 const speakeasy = require("speakeasy");

 function verifyOTPToken(guessedToken: any) {
-  console.log("[" + guessedToken + "]");
-  console.log(typeof guessedToken);
-
  const tokenValidates = speakeasy.totp.verify({
    secret: process.env.MFA_SECRET,
    encoding: "base32",
@ -39,13 +36,15 @@ function disableTOTP() {
 }

 function setTotpSecret(req: Request) {
-  // TODO: CHECK VALIDITY OF SECRET
-  options.setOption
-  totp_fs.saveTotpSecret(req.body.secret)
+  const regex = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+/;
+  if (req.body.secret.length != 52) return;
+  if (regex.test(req.body.secret)) return;
+
+  totp_fs.saveTotpSecret(req.body.secret);
 }

 function getSecret() {
-  return totp_fs.getTotpSecret()
+  return totp_fs.getTotpSecret();
 }

 export = {