Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2FA (TOTP) can be bypassed by entering any string as a recovery code #351

Closed
justin-wilxite opened this issue Sep 14, 2023 · 1 comment
Closed

2FA (TOTP) can be bypassed by entering any string as a recovery code #351

justin-wilxite opened this issue Sep 14, 2023 · 1 comment

Comments

@justin-wilxite
Copy link
Contributor

I may be missing something here, but it seems like there is no failure handling when a user provides a recovery code that isn't valid when trying to log in with TOTP.

If I alter line 561 of the unit test in totp_test.go

authboss/otp/twofactor/totp2fa/totp_test.go

Line 561 in d38273a

h.bodyReader.Return = mocks.Values{Recovery: codes[0]}

to this:

h.bodyReader.Return = mocks.Values{Recovery: "anything"}

the test still passes.

This appears to allow a user to bypass 2FA
justin-wilxite added a commit to justin-wilxite/authboss that referenced this issue Sep 28, 2023
@justin-wilxite
handle invalid recovery code in totp2fa volatiletech#351
665ef52
aarondl added a commit that referenced this issue Sep 28, 2023
@aarondl
Merge pull request #354 from justin-wilxite/totp-fix
dbfe07e 
Handle invalid recovery code in totp2fa #351
@aarondl
Copy link
Member

aarondl commented Sep 28, 2023

Thanks for fixing this.

@aarondl aarondl closed this as completed Sep 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aarondl @justin-wilxite