From da70790ec06640c436837f3c7ddbe58efb0f068b Mon Sep 17 00:00:00 2001
From: Andrea
Date: Sat, 15 Jan 2022 21:50:52 +0100
Subject: [PATCH] [mfa] allow faking MFA in development
---
 server/routes/mfa.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/server/routes/mfa.js b/server/routes/mfa.js
index e3a7ae0c..2c630047 100644
--- a/server/routes/mfa.js
+++ b/server/routes/mfa.js
@@ -98,13 +98,17 @@ router.post('/mfa/validate', handleErrorAsync(async (req, res) => {
 const authenticator = (await findAuthenticatorsByUser(req.db, req.rawUser, 'mfa_secret'))[0];
- const tokenValidates = speakeasy.totp.verify({
+ let tokenValidates = speakeasy.totp.verify({
 secret: authenticator.payload,
 encoding: 'base32',
 token: normalise(req.body.code),
 window: 6
 });
+ if (process.env.NODE_ENV === 'development' && normalise(req.body.code) === '999999') {
+ tokenValidates = true;
+ }
+
 if (!tokenValidates) {
 return res.json({error: 'user.code.invalid'});
 }
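Review bot: The new `if (process.env.NODE_ENV === 'development' && normalise(req.body.code) === '999999')` branch puts a fixed second-factor code into the shipped `/mfa/validate` handler, with `NODE_ENV` as the only gate. `NODE_ENV` is a general-purpose switch that tends to be set for unrelated reasons, so any staging or otherwise reachable host left at `development` would accept `999999` for every account that has an authenticator. I would require a dedicated opt-in on top of it, e.g. `process.env.NODE_ENV === 'development' && process.env.FAKE_MFA_ENABLED === 'true'` (the variable name is a placeholder, not an existing setting), and emit a warning log each time the bypass is taken so it shows up in audit trails. A comment above the branch such as `// DEV ONLY: accepts a fixed code; must never be reachable in deployed environments` would also help. The handler starts and continues outside this hunk, so whether anything else guards this route is not visible here.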