Merge pull request #641 from andreasbrett/patch-1
Harden 2FA/TOTP implementation according to rfc6238 (part 1)
commit
9c80e1c732
|
@ -321,7 +321,7 @@ exports.entryPage = "dashboard";
|
||||||
]);
|
]);
|
||||||
|
|
||||||
if (user.twofa_status == 0) {
|
if (user.twofa_status == 0) {
|
||||||
let newSecret = await genSecret();
|
let newSecret = genSecret();
|
||||||
let encodedSecret = base32.encode(newSecret);
|
let encodedSecret = base32.encode(newSecret);
|
||||||
|
|
||||||
// Google authenticator doesn't like equal signs
|
// Google authenticator doesn't like equal signs
|
||||||
|
|
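--- a/src/util.js
+++ b/src/util.js
@@ -7,7 +7,7 @@
 // Backend uses the compiled file util.js
 // Frontend uses util.ts
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getMonitorRelativeURL = exports.genSecret = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0;
+exports.getMonitorRelativeURL = exports.genSecret = exports.getCryptoRandomInt = exports.getRandomInt = exports.getRandomArbitrary = exports.TimeLogger = exports.polyfill = exports.debug = exports.ucfirst = exports.sleep = exports.flipStatus = exports.STATUS_PAGE_PARTIAL_DOWN = exports.STATUS_PAGE_ALL_UP = exports.STATUS_PAGE_ALL_DOWN = exports.PENDING = exports.UP = exports.DOWN = exports.appName = exports.isDev = void 0;
 const _dayjs = require("dayjs");
 const dayjs = _dayjs;
 exports.isDev = process.env.NODE_ENV === "development";
@@ -102,12 +102,61 @@ function getRandomInt(min, max) {
 return Math.floor(Math.random() * (max - min + 1)) + min;
 }
 exports.getRandomInt = getRandomInt;
+/**
+* Returns either the NodeJS crypto.randomBytes() function or its
+* browser equivalent implemented via window.crypto.getRandomValues()
+*/
+let getRandomBytes = ((typeof window !== 'undefined' && window.crypto)
+// Browsers
+? function () {
+return (numBytes) => {
+let randomBytes = new Uint8Array(numBytes);
+for (let i = 0; i < numBytes; i += 65536) {
+window.crypto.getRandomValues(randomBytes.subarray(i, i + Math.min(numBytes - i, 65536)));
+}
+return randomBytes;
+};
+}
+// Node
+: function () {
+return require("crypto").randomBytes;
+})();
+function getCryptoRandomInt(min, max) {
+// synchronous version of: https://github.com/joepie91/node-random-number-csprng
+const range = max - min;
+if (range >= Math.pow(2, 32))
+console.log("Warning! Range is too large.");
+let tmpRange = range;
+let bitsNeeded = 0;
+let bytesNeeded = 0;
+let mask = 1;
+while (tmpRange > 0) {
+if (bitsNeeded % 8 === 0)
+bytesNeeded += 1;
+bitsNeeded += 1;
+mask = mask << 1 | 1;
+tmpRange = tmpRange >>> 1;
+}
+const randomBytes = getRandomBytes(bytesNeeded);
+let randomValue = 0;
+for (let i = 0; i < bytesNeeded; i++) {
+randomValue |= randomBytes[i] << 8 * i;
+}
+randomValue = randomValue & mask;
+if (randomValue <= range) {
+return min + randomValue;
+}
+else {
+return getCryptoRandomInt(min, max);
+}
+}
+exports.getCryptoRandomInt = getCryptoRandomInt;
 function genSecret(length = 64) {
 let secret = "";
-let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-let charsLength = chars.length;
+const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+const charsLength = chars.length;
 for (let i = 0; i < length; i++) {
-secret += chars.charAt(Math.floor(Math.random() * charsLength));
+secret += chars.charAt(getCryptoRandomInt(0, charsLength - 1));
 }
 return secret;
 }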
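Review bot: `getCryptoRandomInt` only prints `Warning! Range is too large.` when `range >= Math.pow(2, 32)` and then carries on, but the 32-bit signed `<<`, `|` and `&` operators used to build `mask` and `randomValue` misbehave well before that threshold: by my reading, once `range` needs more than 30 bits the mask wraps to all ones, a random value with the top bit set becomes negative, passes `randomValue <= range` and is returned as `min + randomValue`, i.e. below `min`. The same function is added to src/util.ts in this commit. The only caller here (`genSecret`, range 61) is unaffected, but the function is exported as a general CSPRNG helper, so the guard should reject rather than log; for example replace the two warning lines with `if (!Number.isInteger(min) || !Number.isInteger(max) || max < min || range >= Math.pow(2, 30)) { throw new RangeError("getCryptoRandomInt: invalid or too large range"); }`. A short doc comment stating that both bounds are inclusive and that the function retries (recursively) on a rejected sample would also help callers.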
66
src/util.ts
66
src/util.ts
|
@ -114,12 +114,72 @@ export function getRandomInt(min: number, max: number) {
|
||||||
return Math.floor(Math.random() * (max - min + 1)) + min;
|
return Math.floor(Math.random() * (max - min + 1)) + min;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns either the NodeJS crypto.randomBytes() function or its
|
||||||
|
* browser equivalent implemented via window.crypto.getRandomValues()
|
||||||
|
*/
|
||||||
|
let getRandomBytes = (
|
||||||
|
(typeof window !== 'undefined' && window.crypto)
|
||||||
|
|
||||||
|
// Browsers
|
||||||
|
? function () {
|
||||||
|
return (numBytes: number) => {
|
||||||
|
let randomBytes = new Uint8Array(numBytes);
|
||||||
|
for (let i = 0; i < numBytes; i += 65536) {
|
||||||
|
window.crypto.getRandomValues(randomBytes.subarray(i, i + Math.min(numBytes - i, 65536)));
|
||||||
|
}
|
||||||
|
return randomBytes;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
// Node
|
||||||
|
: function() {
|
||||||
|
return require("crypto").randomBytes;
|
||||||
|
}
|
||||||
|
)();
|
||||||
|
|
||||||
|
export function getCryptoRandomInt(min: number, max: number):number {
|
||||||
|
|
||||||
|
// synchronous version of: https://github.com/joepie91/node-random-number-csprng
|
||||||
|
|
||||||
|
const range = max - min
|
||||||
|
if (range >= Math.pow(2, 32))
|
||||||
|
console.log("Warning! Range is too large.")
|
||||||
|
|
||||||
|
let tmpRange = range
|
||||||
|
let bitsNeeded = 0
|
||||||
|
let bytesNeeded = 0
|
||||||
|
let mask = 1
|
||||||
|
|
||||||
|
while (tmpRange > 0) {
|
||||||
|
if (bitsNeeded % 8 === 0) bytesNeeded += 1
|
||||||
|
bitsNeeded += 1
|
||||||
|
mask = mask << 1 | 1
|
||||||
|
tmpRange = tmpRange >>> 1
|
||||||
|
}
|
||||||
|
|
||||||
|
const randomBytes = getRandomBytes(bytesNeeded)
|
||||||
|
let randomValue = 0
|
||||||
|
|
||||||
|
for (let i = 0; i < bytesNeeded; i++) {
|
||||||
|
randomValue |= randomBytes[i] << 8 * i
|
||||||
|
}
|
||||||
|
|
||||||
|
randomValue = randomValue & mask;
|
||||||
|
|
||||||
|
if (randomValue <= range) {
|
||||||
|
return min + randomValue
|
||||||
|
} else {
|
||||||
|
return getCryptoRandomInt(min, max)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
export function genSecret(length = 64) {
|
export function genSecret(length = 64) {
|
||||||
let secret = "";
|
let secret = "";
|
||||||
let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
|
const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
|
||||||
let charsLength = chars.length;
|
const charsLength = chars.length;
|
||||||
for ( let i = 0; i < length; i++ ) {
|
for ( let i = 0; i < length; i++ ) {
|
||||||
secret += chars.charAt(Math.floor(Math.random() * charsLength));
|
secret += chars.charAt(getCryptoRandomInt(0, charsLength - 1));
|
||||||
}
|
}
|
||||||
return secret;
|
return secret;
|
||||||
}
|
}
|
||||||
|
|
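Review bot: The exported `getCryptoRandomInt` in src/util.ts has no doc comment, and its body mixes semicolon-less lines (`const range = max - min`, `let mask = 1`) with the semicolon style used by the rest of this hunk (`let secret = "";`); `getRandomBytes` is also never reassigned after its initializer and could be `const`. I would add above the export a JSDoc of the form `/** Cryptographically secure random integer in [min, max] (both bounds inclusive), obtained by rejection sampling over crypto random bytes; min and max must be integers and max - min must be small enough for the 32-bit integer arithmetic used here. */` and run the block through the project's lint settings so the two files stay in step.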