node-google-authenticator
loophole in the process
Hi!
I don't think this implementation is working. Let me explain:
- register
- login
- generate qr (read it with the app, etc)
- log out
then:
- login
- open up the google auth app
- send the request with the code to /2fa/authenticate; every time, it throws the WrongAuthenticationTokenException() in the middleware.
And the reason for that is the following:
this condition:
!omitSecondFactor &&
user.isTwoFactorAuthenticationEnabled &&
!isSecondFactorAuthenticated
will always evaluate to true, because the function never reaches the point where the value isSecondFactorAuthenticated should be set to true: we keep getting the error I just mentioned above.
The true value of that variable is set in the createToken method (the 2nd parameter, which is set to false by default). However, it is called with true in the secondFactorAuthentication method, BUT we never get there, as mentioned above.
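A way to check the flow reported above, as an added sketch that is not the repository's code: it models the quoted condition and walks login followed by /2fa/authenticate for both values of omitSecondFactor on that route. The identifiers come from the issue; the route wiring, the plain-object token and the `codeIsValid` flag are assumptions made for illustration.

```javascript
// Added sketch, not the project's code. The "token" is a plain object
// standing in for the signed token payload (assumption).
class WrongAuthenticationTokenException extends Error {}

// Second parameter defaults to false, as the issue describes.
function createToken(user, isSecondFactorAuthenticated = false) {
  return { userId: user.id, isSecondFactorAuthenticated };
}

// Middleware factory: omitSecondFactor is fixed per route when it is mounted.
function authGate(omitSecondFactor = false) {
  return (user, token) => {
    const { isSecondFactorAuthenticated } = token;
    if (
      !omitSecondFactor &&
      user.isTwoFactorAuthenticationEnabled &&
      !isSecondFactorAuthenticated
    ) {
      throw new WrongAuthenticationTokenException();
    }
    return true;
  };
}

// Handler named in the issue; codeIsValid (hypothetical) stands in for the
// real one-time-code verification.
function secondFactorAuthentication(user, codeIsValid) {
  if (!codeIsValid) throw new WrongAuthenticationTokenException();
  return createToken(user, true); // the only place the flag becomes true
}

// Password login, then a request to /2fa/authenticate through the gate.
function loginThenAuthenticate(user, omitSecondFactorOnAuthRoute) {
  const loginToken = createToken(user); // flag is false after login
  try {
    authGate(omitSecondFactorOnAuthRoute)(user, loginToken);
    return secondFactorAuthentication(user, true);
  } catch (e) {
    if (e instanceof WrongAuthenticationTokenException) return null;
    throw e;
  }
}

const user = { id: 1, isTwoFactorAuthenticationEnabled: true }; // constructed
console.log("gate enforcing 2FA on /2fa/authenticate:", loginThenAuthenticate(user, false));
console.log("gate omitting 2FA on /2fa/authenticate:", loginThenAuthenticate(user, true));
```

With the gate enforcing the second factor on /2fa/authenticate, the handler is unreachable and the flag can never become true; the value passed for omitSecondFactor where that route is mounted is the thing to inspect.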