mirror of
https://git.joinsharkey.org/Sharkey/Sharkey.git
synced 2024-11-26 10:23:09 +02:00
fix actual security problems #407
timing attacks on HTTP signature and backup codes for 2fa
This commit is contained in:
parent
7cf570565e
commit
02c97f7985
2 changed files with 5 additions and 2 deletions
|
@ -11,6 +11,7 @@ import type { MiUserProfile, UserProfilesRepository, UsersRepository } from '@/m
|
||||||
import { bindThis } from '@/decorators.js';
|
import { bindThis } from '@/decorators.js';
|
||||||
import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js';
|
import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js';
|
||||||
import type { MiLocalUser } from '@/models/User.js';
|
import type { MiLocalUser } from '@/models/User.js';
|
||||||
|
import * as crypto from 'node:crypto';
|
||||||
|
|
||||||
@Injectable()
|
@Injectable()
|
||||||
export class UserAuthService {
|
export class UserAuthService {
|
||||||
|
@ -27,7 +28,9 @@ export class UserAuthService {
|
||||||
public async twoFactorAuthenticate(profile: MiUserProfile, token: string): Promise<void> {
|
public async twoFactorAuthenticate(profile: MiUserProfile, token: string): Promise<void> {
|
||||||
if (profile.twoFactorBackupSecret?.includes(token)) {
|
if (profile.twoFactorBackupSecret?.includes(token)) {
|
||||||
await this.userProfilesRepository.update({ userId: profile.userId }, {
|
await this.userProfilesRepository.update({ userId: profile.userId }, {
|
||||||
twoFactorBackupSecret: profile.twoFactorBackupSecret.filter((secret) => secret !== token),
|
twoFactorBackupSecret: profile.twoFactorBackupSecret.filter(
|
||||||
|
(secret) => !crypto.timingSafeEqual(secret, token)
|
||||||
|
),
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
const delta = OTPAuth.TOTP.validate({
|
const delta = OTPAuth.TOTP.validate({
|
||||||
|
|
|
@ -287,7 +287,7 @@ export class ActivityPubServerService {
|
||||||
|
|
||||||
const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64');
|
const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64');
|
||||||
|
|
||||||
if (hash !== digestValue) {
|
if (! crypto.timingSafeEqual(hash, digestValue)) {
|
||||||
// Invalid digest
|
// Invalid digest
|
||||||
reply.code(401);
|
reply.code(401);
|
||||||
return;
|
return;
|
||||||
|
|
Loading…
Reference in a new issue