timothymiller / t4-app

A powerful cross-platform UI toolkit for building actually native iOS, Android, macOS, Windows, Linux, and Progressive Web Apps with React (Native).
https://t4stack.com
MIT License

Lucia separate TOTP secret per auth method #123

Closed rmarscher closed 7 months ago

rmarscher commented 7 months ago

It was incorrect to reuse a single TOTP secret for resets across all users. This update generates a new secret for each auth method when a code is requested.

This update also removes the VerificationCode table and moves the relevant fields into the AuthMethod table.

Rather than create a new migration, this update edits the existing migration for lucia auth. If you have already run that migration, then connect to your D1 and local sqlite databases and run the following sql:

-- The VerificationCode table is removed; its fields now live on AuthMethod.
DROP TABLE VerificationCode;
-- Columns this PR adds to AuthMethod (per-auth-method TOTP secret, its expiry, and timeout state).
ALTER TABLE AuthMethod ADD `totp_secret` text;
ALTER TABLE AuthMethod ADD `totp_expires` integer;
ALTER TABLE AuthMethod ADD `timeout_until` integer;
ALTER TABLE AuthMethod ADD `timeout_seconds` integer;

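To make the fix concrete, the following is an added TypeScript example; it is not code from t4-app or from this PR. It models the four AuthMethod columns named in the SQL above and shows the flow the description implies: a fresh random secret is generated for one auth method each time a code is requested, the code stops being accepted after `totp_expires`, a verified code is single-use, and failed attempts push `timeout_until` forward. The function names (`issueCode`, `verifyCode`), the `AuthMethodRow` shape, the 10-minute lifetime, the doubling back-off, and the choice to size the TOTP step to the code lifetime are all assumptions of this example rather than the project's implementation; the code derivation itself is standard HOTP (RFC 4226) over HMAC-SHA1. With a single shared secret, two users requesting a code at the same moment would receive the same code, which is exactly the cross-user acceptance the PR closes.

```typescript
// Added example (not t4-app's code): per-auth-method TOTP secret, expiry and lockout.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Mirrors the columns the PR adds to AuthMethod (column names from the PR's SQL).
interface AuthMethodRow {
  id: string;
  totp_secret: string | null;     // hex; minted fresh on every code request
  totp_expires: number | null;    // unix seconds after which the code is rejected
  timeout_until: number | null;   // unix seconds; attempts before this are refused
  timeout_seconds: number | null; // length of the current back-off period
}

const CODE_TTL_SECONDS = 600;          // assumption: a code lives 10 minutes
const STEP_SECONDS = CODE_TTL_SECONDS; // assumption: one TOTP step spans the whole lifetime
const DIGITS = 6;
const MAX_BACKOFF_SECONDS = 3600;      // assumption: back-off doubles up to one hour

// HOTP (RFC 4226): HMAC-SHA1 over a big-endian 64-bit counter, dynamic truncation to DIGITS.
function hotp(secretHex: string, counter: number): string {
  const counterBuf = Buffer.alloc(8);
  counterBuf.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", Buffer.from(secretHex, "hex")).update(counterBuf).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

// The fix: each auth method gets its own random 160-bit secret per request, plus an expiry.
// (The bug was one secret shared by all users, so every user's code was valid for every other.)
export function issueCode(row: AuthMethodRow, nowSeconds: number): { row: AuthMethodRow; code: string } {
  const secret = randomBytes(20).toString("hex");
  const updated: AuthMethodRow = { ...row, totp_secret: secret, totp_expires: nowSeconds + CODE_TTL_SECONDS };
  return { row: updated, code: hotp(secret, Math.floor(nowSeconds / STEP_SECONDS)) };
}

export function verifyCode(
  row: AuthMethodRow,
  submitted: string,
  nowSeconds: number,
): { ok: boolean; row: AuthMethodRow; reason?: string } {
  // Refuse attempts while the method is in a timeout window.
  if (row.timeout_until !== null && nowSeconds < row.timeout_until) {
    return { ok: false, row, reason: "locked" };
  }
  const secret = row.totp_secret;
  if (secret === null || row.totp_expires === null || nowSeconds > row.totp_expires) {
    return { ok: false, row, reason: "expired" };
  }
  // The code was derived from the step at issue time; because it expires within one step,
  // that is either the current step or the previous one.
  const step = Math.floor(nowSeconds / STEP_SECONDS);
  const submittedBuf = Buffer.from(submitted);
  const matched = [step, step - 1].some((s) => {
    const expected = Buffer.from(hotp(secret, s));
    return expected.length === submittedBuf.length && timingSafeEqual(expected, submittedBuf);
  });
  if (matched) {
    // Single use: clear the secret and any back-off state.
    return {
      ok: true,
      row: { ...row, totp_secret: null, totp_expires: null, timeout_until: null, timeout_seconds: null },
    };
  }
  // Wrong code: start or double the back-off and record when attempts may resume.
  const next = row.timeout_seconds ? Math.min(row.timeout_seconds * 2, MAX_BACKOFF_SECONDS) : 5;
  return { ok: false, row: { ...row, timeout_seconds: next, timeout_until: nowSeconds + next }, reason: "mismatch" };
}
```

The returned `row` is what would be written back to the AuthMethod row; keeping the secret, expiry and back-off on that row (rather than a global value) is what makes a code bound to exactly one auth method.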
rmarscher commented 7 months ago

Always feels good when a PR reduces lines of code...