From acc2995d8621579dcd096d6541386f67671de053 Mon Sep 17 00:00:00 2001
From: Andreas Brett <github@abrett.de>
Date: Tue, 19 Oct 2021 00:42:33 +0200
Subject: [PATCH] invalidate used token

---
 db/patch-2fa-invalidate-used-token.sql |  7 +++++++
 server/database.js                     |  1 +
 server/server.js                       | 14 ++++++++++----
 3 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 db/patch-2fa-invalidate-used-token.sql

diff --git a/db/patch-2fa-invalidate-used-token.sql b/db/patch-2fa-invalidate-used-token.sql
new file mode 100644
index 00000000..2f0b42ca
--- /dev/null
+++ b/db/patch-2fa-invalidate-used-token.sql
@@ -0,0 +1,7 @@
+-- You should not modify if this have pushed to Github, unless it does serious wrong with the db.
+BEGIN TRANSACTION;
+
+ALTER TABLE user
+    ADD twofa_last_token VARCHAR(6);
+
+COMMIT;
diff --git a/server/database.js b/server/database.js
index 1030ffdd..e97dea99 100644
--- a/server/database.js
+++ b/server/database.js
@@ -50,6 +50,7 @@ class Database {
         "patch-group-table.sql": true,
         "patch-monitor-push_token.sql": true,
         "patch-http-monitor-method-body-and-headers.sql": true,
+        "patch-2fa-invalidate-used-token.sql": true,
     }
 
     /**
diff --git a/server/server.js b/server/server.js
index c4d18869..a6e26aab 100644
--- a/server/server.js
+++ b/server/server.js
@@ -265,7 +265,7 @@ exports.entryPage = "dashboard";
             if (user) {
                 afterLogin(socket, user);
 
-                if (user.twofaStatus == 0) {
+                if (user.twofa_status == 0) {
                     callback({
                         ok: true,
                         token: jwt.sign({
@@ -274,7 +274,7 @@ exports.entryPage = "dashboard";
                     });
                 }
 
-                if (user.twofaStatus == 1 && !data.token) {
+                if (user.twofa_status == 1 && !data.token) {
                     callback({
                         tokenRequired: true,
                     });
@@ -283,7 +283,13 @@ exports.entryPage = "dashboard";
                 if (data.token) {
                     let verify = notp.totp.verify(data.token, user.twofa_secret, twofa_verification_opts);
 
-                    if (verify && verify.delta == 0) {
+                    if (user.twofa_last_token !== data.token && verify) {
+
+                        await R.exec("UPDATE `user` SET twofa_last_token = ? WHERE id = ? ", [
+                            data.token,
+                            socket.userID,
+                        ]);
+
                         callback({
                             ok: true,
                             token: jwt.sign({
@@ -401,7 +407,7 @@ exports.entryPage = "dashboard";
 
             let verify = notp.totp.verify(token, user.twofa_secret, twofa_verification_opts);
 
-            if (verify && verify.delta == 0) {
+            if (user.twofa_last_token !== token && verify) {
                 callback({
                     ok: true,
                     valid: true,