From 18a2305c35af2c68fe41c72d915212b86786a65a Mon Sep 17 00:00:00 2001
From: Brandon
Date: Fri, 3 May 2024 16:37:14 -0700
Subject: [PATCH] Added secret validation

---
 .../options/multi_factor_authentication.js | 12 +++++++++++-
 src/routes/api/totp.ts | 15 +++++++--------
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js b/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js
index 40643c0d4..3948ba70a 100644
--- a/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js
+++ b/src/public/app/widgets/type_widgets/options/multi_factor_authentication.js
@@ -111,7 +111,17 @@ export default class MultiFactorAuthenticationOptions extends OptionsWidget {
 }
 save() {
- // TODO: CHECK VALIDITY OF SECRET
+ const key = this.$totpSecretInput.val();
+ const regex = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+/;
+
+ if (key.length != 52) {
+ toastService.showError("Invalid Secret", 2000);
+ return;
+ }
+ if (regex.test(key)) {
+ toastService.showError("Invalid Secret", 2000);
+ return;
+ }
 server
 .post("totp/set", {
diff --git a/src/routes/api/totp.ts b/src/routes/api/totp.ts
index 1e7506336..608bc4d0b 100644
--- a/src/routes/api/totp.ts
+++ b/src/routes/api/totp.ts
@@ -1,13 +1,10 @@
 import options = require("../../services/options");
 import totp_secret = require("../../services/encryption/totp_secret");
 import { Request } from "express";
-import totp_fs = require("../../services/totp_secret")
+import totp_fs = require("../../services/totp_secret");
 const speakeasy = require("speakeasy");
 function verifyOTPToken(guessedToken: any) {
- console.log("[" + guessedToken + "]");
- console.log(typeof guessedToken);
-
 const tokenValidates = speakeasy.totp.verify({
 secret: process.env.MFA_SECRET,
 encoding: "base32",
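Review bot: The two checks added to `save()` form a blacklist, so a 52-character value made of spaces, lowercase letters, digits such as 0/1/8/9 or non-ASCII text still passes, even though the server side decodes the secret as base32 (A–Z and 2–7 only). An allowlist states the intent directly and replaces both blocks with one: `if (typeof key !== "string" || !/^[A-Z2-7]{52}$/.test(key)) {` followed by the existing `toastService.showError("Invalid Secret", 2000);` and `return;` (add the `i` flag only if lowercase input is meant to be accepted, and normalize before posting). This widget check is a usability aid, not an enforcement point — the `totp/set` request can be sent without the widget, so the server handler must apply the same rule and return a failure the client can display. While here, `!=` on the length comparison should be `!==`. `save()` continues past the end of this hunk.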
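Review bot: `verifyOTPToken` still declares `guessedToken: any`, so a non-string body value reaches `speakeasy.totp.verify` unchecked; declaring it `guessedToken: string` (or `unknown` with a `typeof` guard that rejects anything else) removes the need for the debug output this hunk deletes. The verifier reads `secret: process.env.MFA_SECRET`, while `setTotpSecret` later in this file stores the new secret through `totp_fs.saveTotpSecret`; unless something outside this hunk refreshes the environment variable from that store, a newly set secret is not the one used for verification — worth confirming. The body of `verifyOTPToken` continues past the end of the hunk.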
@@ -39,13 +36,15 @@ function disableTOTP() {
 }
 function setTotpSecret(req: Request) {
- // TODO: CHECK VALIDITY OF SECRET
- options.setOption
- totp_fs.saveTotpSecret(req.body.secret)
+ const regex = /[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+/;
+ if (req.body.secret.length != 52) return;
+ if (regex.test(req.body.secret)) return;
+
+ totp_fs.saveTotpSecret(req.body.secret);
 }
 function getSecret() {
- return totp_fs.getTotpSecret()
+ return totp_fs.getTotpSecret();
 }
 export = {
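Review bot: `setTotpSecret` now rejects a bad secret by returning silently, so the caller receives the same empty response whether the secret was saved or not and nothing is logged server-side; the client-side toast is the only signal, and it is bypassed by any direct request. The checks also dereference `req.body.secret.length` before confirming the field is a string, so a missing or non-string `secret` throws a TypeError instead of producing a controlled 400, and the character blacklist admits 52-character strings of spaces, lowercase letters or non-base32 digits even though `verifyOTPToken` decodes with `encoding: "base32"` (A–Z, 2–7). Validate the type, use an allowlist for the base32 alphabet, and fail loudly — throw, or return whatever error form this project's route layer maps to a 400 (confirm) — so the rejected attempt is visible and the client can report it. Keeping the validation in one place also avoids the regex being duplicated between this handler and the options widget.
```typescript
function setTotpSecret(req: Request) {
    const secret: unknown = req.body?.secret;
    // Only the base32 alphabet verifyOTPToken decodes (encoding: "base32"),
    // at the 52-character length the existing check already requires.
    if (typeof secret !== "string" || !/^[A-Z2-7]{52}$/.test(secret)) {
        throw new Error("Invalid TOTP secret");
    }
    totp_fs.saveTotpSecret(secret);
}
```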