rster2002 / Ledgero-API

Work in progress backend for managing personal finance.
GNU Affero General Public License v3.0

Enforce that a 2FA code can only be used once #42

Open rster2002 opened 1 year ago

rster2002 commented 1 year ago

Implementation idea: store the last used time step for each user. A TOTP should only be accepted if the stored time step is lower than the current time step.

rster2002 commented 1 year ago

A better implementation is probably to store the id + code as a memcached entry and let it expire after a minute. If the entry already exists, then the code should be rejected.
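The first idea from this issue (reject a TOTP unless its time step is newer than the last step accepted for that user), as an added example that is not part of the Ledgero-API code base. It assumes an in-memory dict standing in for the per-user store of the last accepted step and uses the RFC 6238 HMAC-SHA1 reference algorithm; `TotpVerifier`, `window` and the constructed secret are this example's own names.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6


def totp_code(secret: bytes, time_step: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given time-step counter."""
    msg = struct.pack(">Q", time_step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Verifies TOTP codes and refuses to accept a time step twice."""

    def __init__(self, window: int = 1):
        # Tolerated clock skew, in time steps, on either side of "now".
        self.window = window
        # user_id -> last time step accepted for that user (assumed in-memory
        # stand-in for a persistent store; -1 means nothing accepted yet).
        self.last_used_step: dict[str, int] = {}

    def verify(self, user_id: str, secret: bytes, code: str, now=None) -> bool:
        # Reject anything that is not exactly DIGITS ASCII digits up front so
        # the constant-time compare below only ever sees well-formed input.
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = int((now if now is not None else time.time()) // STEP_SECONDS)
        last = self.last_used_step.get(user_id, -1)
        for step in range(current - self.window, current + self.window + 1):
            # Replay protection: a step at or before the last accepted one is
            # never usable again, even if the code would otherwise match.
            if step <= last:
                continue
            if hmac.compare_digest(totp_code(secret, step), code):
                self.last_used_step[user_id] = step
                return True
        return False
```

The stored step only ever moves forward, so a replayed code is rejected regardless of the skew window; the memcached variant from the second comment trades this per-user counter for a short-lived `id + code` entry and needs the same "reject if present" check.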