fix(auth): add missing TOTP verification for /login/token (#6823)

Elian Doran 2025-08-30 14:08:10 +03:00 committed by GitHub
commit f7e77cd6cb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -13,6 +13,8 @@ import sql from "../../services/sql.js";
import ws from "../../services/ws.js";
import etapiTokenService from "../../services/etapi_tokens.js";
import type { Request } from "express";
import totp from "../../services/totp";
import recoveryCodeService from "../../services/encryption/recovery_codes";
/**
* @swagger
@ -161,9 +163,16 @@ function touchProtectedSession() {
function token(req: Request) {
const password = req.body.password;
const submittedTotpToken = req.body.totpToken;
if (totp.isTotpEnabled()) {
if (!verifyTOTP(submittedTotpToken)) {
return [401, "Incorrect credential"];
}
}
if (!passwordEncryptionService.verifyPassword(password)) {
return [401, "Incorrect password"];
return [401, "Incorrect credential"];
}
// for backwards compatibility with Sender which does not send the name
@ -174,6 +183,14 @@ function token(req: Request) {
return { token: authToken };
}
function verifyTOTP(submittedTotpToken: string) {
if (totp.validateTOTP(submittedTotpToken)) return true;
const recoveryCodeValidates = recoveryCodeService.verifyRecoveryCode(submittedTotpToken);
return recoveryCodeValidates;
}
export default {
loginSync,
loginToProtectedSession,
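Review bot: In the `token()` hunk the new TOTP check runs before `passwordEncryptionService.verifyPassword`, so a request with a wrong or missing password still reaches `totp.validateTOTP` and `recoveryCodeService.verifyRecoveryCode`; if `verifyRecoveryCode` marks a matched code as used (typical for recovery codes, though not visible here), a mistyped password silently burns one, and an attacker can guess 6-digit TOTP codes or recovery codes without knowing the password at all. Check the password first and only then the second factor, keeping the single `"Incorrect credential"` message the commit already unified so neither branch becomes an oracle. `verifyTOTP` is typed `string` but `req.body.totpToken` is untyped, so an absent field passes `undefined` through; a `typeof submittedTotpToken !== "string"` guard makes that rejection explicit instead of relying on the TOTP library's handling. Nothing in this hunk rate-limits attempts, so unless a limiter exists elsewhere on this route a 6-digit code is brute-forceable within its validity window. The body of `token()` between the password check and `return { token: authToken }` lies outside the hunk.
```typescript
function token(req: Request) {
    const password = req.body.password;
    const submittedTotpToken = req.body.totpToken;
    // Password first: a failed first factor must not consume a recovery code
    // or let the second factor be probed without the password.
    if (!passwordEncryptionService.verifyPassword(password)) {
        return [401, "Incorrect credential"];
    }
    if (totp.isTotpEnabled()) {
        // req.body is untyped; reject a missing/non-string token explicitly.
        if (typeof submittedTotpToken !== "string" || !verifyTOTP(submittedTotpToken)) {
            return [401, "Incorrect credential"];
        }
    }
    // … unchanged: token name fallback and authToken creation …
```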