volatiletech / authboss

The boss of http auth.
MIT License

2FA (TOTP) can be bypassed by entering any string as a recovery code #351

Closed justin-wilxite closed 10 months ago

justin-wilxite commented 11 months ago

I may be missing something here, but it seems like there is no failure handling when a user provides a recovery code that isn't valid when trying to log in with TOTP.

If I alter line 561 of the unit test in totp_test.go

https://github.com/volatiletech/authboss/blob/d38273a886c8562b3ce99d70fc0a82b97225ddcd/otp/twofactor/totp2fa/totp_test.go#L561

to this:

h.bodyReader.Return = mocks.Values{Recovery: "anything"}

the test still passes.

This appears to allow a user to bypass 2FA.
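The failure handling the report says is missing, shown as an added Go example that is not authboss's own code: the lookup result is checked explicitly, so a submitted string that matches no stored code fails closed and an arbitrary value such as "anything" cannot complete the second factor. The storage format (hex SHA-256), function names and sample codes are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrInvalidRecovery is returned when the submitted code matches no stored code.
var ErrInvalidRecovery = errors.New("invalid recovery code")

// hashCode is the stored form of a recovery code (assumption: hex SHA-256).
func hashCode(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// consumeRecoveryCode returns the codes with the matching one removed (single use),
// or the list unchanged plus ErrInvalidRecovery when nothing matches.
func consumeRecoveryCode(stored []string, submitted string) ([]string, error) {
	h := []byte(hashCode(submitted))
	idx := -1
	for i, s := range stored {
		// Constant-time compare; scan the whole list so timing does not reveal the match position.
		if subtle.ConstantTimeCompare([]byte(s), h) == 1 && idx == -1 {
			idx = i
		}
	}
	if idx == -1 {
		return stored, ErrInvalidRecovery
	}
	remaining := append([]string{}, stored[:idx]...)
	return append(remaining, stored[idx+1:]...), nil
}

// finishRecoveryLogin is the second-factor step: it succeeds only when the lookup did.
// Dropping the err check is exactly the missing failure handling described above.
func finishRecoveryLogin(stored []string, submitted string) (bool, []string) {
	remaining, err := consumeRecoveryCode(stored, submitted)
	if err != nil {
		return false, stored // fail closed: no session, stored codes untouched
	}
	return true, remaining
}

func main() {
	codes := []string{hashCode("abcd-1234"), hashCode("efgh-5678")} // constructed sample
	ok, _ := finishRecoveryLogin(codes, "anything")
	fmt.Println("login with \"anything\" accepted:", ok) // false
}
```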

aarondl commented 10 months ago

Thanks for fixing this.