Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(security): prevent TOTP replay attacks and fix user enumeration in verifyTotp

Browse Source 
Adds lastTotpAt timestamp to User model. After a successful TOTP validation,
the timestamp is recorded. Any reuse of the same code within the 30-second
window is rejected as a replay attack.

verifyTotp now returns a single generic UNAUTHORIZED error regardless of
whether the user ID is invalid or TOTP is not enabled, preventing enumeration
of user IDs and MFA status.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-04-09 21:41:09 +02:00
parent 1833182e90
commit afabaa0b7a
4 changed files with 64 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/db/prisma/migrations/20260409_user_last_totp_at.sql
+1
View File
@@ -0,0 +1 @@
ALTER TABLE "users" ADD COLUMN IF NOT EXISTS "lastTotpAt" TIMESTAMP(3);