HOTP secrets are not validated correctly. - Githubissues

freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!

https://securedrop.org/

Other

3.6k stars 685 forks source link

HOTP secrets are not validated correctly. #6189

Closed zenmonkeykstop closed 2 years ago

zenmonkeykstop commented 2 years ago

Description

HOTP secrets are not set up correctly in all cases:

On the JI:

case 1: if an admin adds a user and selects the "is using a Yubikey [HOTP]" checkbox, but does not provide a HOTP secret, an error is not thrown and an account using TOTP is set up instead.
case 2: if an admin adds a user and selects the "is using a Yubikey [HOTP]" checkbox, and provides a HOTP secret containing only spaces, an error is not thrown and an account using HOTP is set up.

Steps to Reproduce

log in to the JI as an admin user and go to Admin
case 1: add a user, enabling HOTP but leaving the HOTP Secret field empty
case 2: add a user, enabling HOTP and setting the HOTP Secret field to contain one or more spaces only

Expected Behavior

Both cases should fail, displaying the add user form again with a message about the length requirement for HOTP secrets

Actual Behavior

case 1: user add succeeds, admin is redirected to TOTP setup screen
case 2: user add succeeds, admin is redirected to HOTP PIN verification screen.

Comments

Suggestions to fix, any other relevant information.

zenmonkeykstop commented 2 years ago

This should be closed by #6191