Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

token can be used several times #59

Closed
individual-it opened this issue Sep 12, 2018 · 9 comments · Fixed by #63
Closed

token can be used several times #59

individual-it opened this issue Sep 12, 2018 · 9 comments · Fixed by #63
Assignees
@karakayasemi
Labels
bug QA
Milestone
0.5.1

Comments

@individual-it
Copy link
Member

  1. login using a token
  2. remember the token
  3. logout
  4. login again using the same token

From RFC6238 :

   Note that a prover may send the same OTP inside a given time-step
   window multiple times to a verifier.  The verifier MUST NOT accept
   the second attempt of the OTP after the successful validation has
   been issued for the first OTP, which ensures one-time only use of an
   OTP.
@individual-it individual-it added this to the QA milestone Sep 12, 2018
This was referenced Sep 12, 2018
Closed
Closed
@PVince81
Copy link

likely not a regression as this part of the code wasn't touched

@karakayasemi
Copy link
Contributor

If someone listens to the user-server conversation and learns the secret, he/she still should be unable to log on. I am planning to add a column to app table for the last secret and prevent this situation.

@karakayasemi karakayasemi self-assigned this Sep 12, 2018
@karakayasemi karakayasemi mentioned this issue Sep 13, 2018
Closed
@karakayasemi karakayasemi mentioned this issue Sep 25, 2018
Merged
@davitol
Copy link
Contributor

davitol commented Sep 28, 2018

Retested following these stpes:


    login using a token
    remember the token
    logout
    login again using the same token

It keeps failing. I'm still able to log in with the same token. (tested with oC 10.0.9 and TOTP release-0.5.0)

@PVince81
Copy link

@karakayasemi ^

@PVince81 PVince81 reopened this Sep 28, 2018
@PVince81 PVince81 mentioned this issue Sep 28, 2018
Merged
@PVince81
Copy link

PVince81 commented Sep 28, 2018
edited by davitol
Loading

@karakayasemi
Copy link
Contributor

karakayasemi commented Sep 28, 2018
edited
Loading

Somehow mapper update is not working in this line: https://github.com/owncloud/twofactor_totp/blob/master/lib/Service/Totp.php#L123. lastValidatedKey column always null. I will debug it.

@karakayasemi
Copy link
Contributor

I found my mistake. To prevent method does not exist warnings in createMock function, I implemented set function for last_validated_key column in here: https://github.com/owncloud/twofactor_totp/blob/master/lib/Db/TotpSecret.php#L65. Obviously, entity setters are doing more than just assignment. They are also updating UpdatedFields of the entity. I will create a fix for my mistake.
Should I open PR for master or which way I should follow?

@PVince81
Copy link

please open a PR for master

in the future please also manually test to make sure everything works

@karakayasemi
Copy link
Contributor

Okay, I will be more careful. Sorry for the mess.

@karakayasemi karakayasemi mentioned this issue Sep 28, 2018
Merged
@PVince81 PVince81 modified the milestones: QA, development Sep 28, 2018
@PVince81 PVince81 modified the milestones: development, QA Sep 28, 2018
@PVince81 PVince81 mentioned this issue Sep 28, 2018
Closed
21 tasks
@davitol davitol mentioned this issue Jul 10, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@karakayasemi karakayasemi

Labels
bug QA
Projects
None yet
Milestone
0.5.1
4 participants
@PVince81 @individual-it @davitol @karakayasemi