fix: use custom handler for totp processing to introduce delay and handle parallel requests for security purposes

Author: julianlam

lib/controllers.js

@@ -9,13 +9,16 @@ const validator = require.main.require('validator');
 const async = require('async');
 const fs = require('fs');
 const path = require('path');
+const util = require('util');
 const base64url = require('base64url');
 
+const db = require.main.require('./src/database');
 const groups = require.main.require('./src/groups');
 const user = require.main.require('./src/user');
 const meta = require.main.require('./src/meta');
 const helpers = require.main.require('./src/controllers/helpers');
 
+const wait = util.promisify(setTimeout);
 const guard = (path) => {
 	let url = new URL(path, nconf.get('url'));
 	url = url.hostname === nconf.get('url_parsed').hostname ? url : nconf.get('url');
@@ -131,11 +134,24 @@ Controllers.renderAuthnChallenge = async (req, res, next) => {
 	});
 };
 
-Controllers.processTotpLogin = function (req, res, next) {
-	passport.authenticate('totp', {
-		failureRedirect: `${nconf.get('relative_path')}/login/2fa/totp`,
-		failureFlash: '[[2factor:login.failure]]',
-		keepSessionInfo: true,
+Controllers.processTotpLogin = async (req, res, next) => {
+	const count = await db.incrObjectField('locks', `totp:${req.uid}`);
+	if (count > 1) {
+		req.flash('error', '[[error:api.429]]');
+		await wait(10000); // 10s for spamming
+		return res.redirect(`${nconf.get('relative_path')}/login/2fa/totp`);
+	}
+
+	passport.authenticate('totp', async (err, user, info) => {
+		if (err || !user) {
+			req.flash('error', '[[2factor:login.failure]]');
+			await wait(2000);
+			await db.deleteObjectField('locks', `totp:${req.uid}`);
+			return res.redirect(`${nconf.get('relative_path')}/login/2fa/totp`);
+		}
+
+		await db.deleteObjectField('locks', `totp:${req.uid}`);
+		return next();
 	})(req, res, next);
 };