limit to 5 attempts on code verification

This commit is contained in:
Grant 2024-07-19 09:44:49 -06:00
parent d6336ee87e
commit b49ded7ccd
2 changed files with 20 additions and 2 deletions

View File

@ -98,6 +98,7 @@ app.post("/login/step/instance", async (req, res) => {
prompt: "USERNAME", // change this if oidc is available prompt: "USERNAME", // change this if oidc is available
instance: domain, instance: domain,
method: deliveryProvider ? "SEND_CODE" : "RECV_CODE", method: deliveryProvider ? "SEND_CODE" : "RECV_CODE",
attempt: 0,
}; };
// const oidcSupport = await doesInstanceSupportOIDC(domain); // const oidcSupport = await doesInstanceSupportOIDC(domain);
@ -238,6 +239,13 @@ app.post("/login/step/verify", async (req, res) => {
const { session_id, username, instance } = req.session.login; const { session_id, username, instance } = req.session.login;
if (req.session.login.attempt > 5) {
req.session.destroy(() => {
res.status(400).json({ success: false, error: "too_many_attempts" });
});
return;
}
const session = await prisma.authSession.findFirst({ const session = await prisma.authSession.findFirst({
where: { where: {
id: session_id, id: session_id,
@ -266,7 +274,11 @@ app.post("/login/step/verify", async (req, res) => {
code = req.body.code; code = req.body.code;
if (session.one_time_code !== code) { if (session.one_time_code !== code) {
return res.status(400).json({ success: false, error: "code_invalid" }); req.session.login.attempt++;
req.session.save(() => {
res.status(400).json({ success: false, error: "code_invalid" });
});
return;
} }
req.session.user = { sub: session.user_sub }; req.session.user = { sub: session.user_sub };
@ -290,7 +302,12 @@ app.post("/login/step/verify", async (req, res) => {
res.json({ success: true }); res.json({ success: true });
}); });
} else { } else {
if (req.session.login) {
req.session.login.attempt++;
}
req.session.save(() => {
res.status(400).json({ success: false, error: data.error }); res.status(400).json({ success: false, error: data.error });
});
} }
}); });
break; break;

View File

@ -15,6 +15,7 @@ declare module "express-session" {
method: "SEND_CODE" | "RECV_CODE"; // what delivery to attempt method: "SEND_CODE" | "RECV_CODE"; // what delivery to attempt
username?: string; username?: string;
session_id?: string; session_id?: string;
attempt: number;
}; };
} }
} }