Limit OTP requests to one per expiry window. Closes #2000

2022-08-02 13:29:06 -07:00
parent c40eaa47e9
commit 0b5ddf433b
3 changed files with 37 additions and 5 deletions
--- a/auth/fediverse/fediverse.go
+++ b/auth/fediverse/fediverse.go
@@ -19,9 +19,19 @@ type OTPRegistration struct {
 // to be active at a time.
 var pendingAuthRequests = make(map[string]OTPRegistration)

+const registrationTimeout = time.Minute * 10
+
 // RegisterFediverseOTP will start the OTP flow for a user, creating a new
 // code and returning it to be sent to a destination.
-func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) OTPRegistration {
+func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool) {
+	request, requestExists := pendingAuthRequests[accessToken]
+
+	// If a request is already registered and has not expired then return that
+	// existing request.
+	if requestExists && time.Since(request.Timestamp) < registrationTimeout {
+		return request, false
+	}
+
 	code, _ := createCode()
 	r := OTPRegistration{
 		Code:            code,
@@ -32,14 +42,14 @@ func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string)
 	}
 	pendingAuthRequests[accessToken] = r

-	return r
+	return r, true
 }

 // ValidateFediverseOTP will verify a OTP code for a auth request.
 func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {
 	request, ok := pendingAuthRequests[accessToken]

-	if !ok || request.Code != code || time.Since(request.Timestamp) > time.Minute*10 {
+	if !ok || request.Code != code || time.Since(request.Timestamp) > registrationTimeout {
 		return false, nil
 	}

--- a/auth/fediverse/fediverse_test.go
+++ b/auth/fediverse/fediverse_test.go
@@ -10,7 +10,11 @@ const (
 )

 func TestOTPFlowValidation(t *testing.T) {
-	r := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
+	r, success := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
+
+	if !success {
+		t.Error("Registration should be permitted.")
+	}

 	if r.Code == "" {
 		t.Error("Code is empty")
@@ -41,3 +45,16 @@ func TestOTPFlowValidation(t *testing.T) {
 		t.Error("UserDisplayName is not set correctly")
 	}
 }
+
+func TestSingleOTPFlowRequest(t *testing.T) {
+	r1, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
+	r2, s2 := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
+
+	if r1.Code != r2.Code {
+		t.Error("Only one registration should be permitted.")
+	}
+
+	if s2 {
+		t.Error("Second registration should not be permitted.")
+	}
+}