CapaKraken

Hartmut/CapaKraken

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	afabaa0b7a	fix(security): prevent TOTP replay attacks and fix user enumeration in verifyTotp Adds lastTotpAt timestamp to User model. After a successful TOTP validation, the timestamp is recorded. Any reuse of the same code within the 30-second window is rejected as a replay attack. verifyTotp now returns a single generic UNAUTHORIZED error regardless of whether the user ID is invalid or TOTP is not enabled, preventing enumeration of user IDs and MFA status. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-09 21:41:09 +02:00

Author

SHA1

Message

Date

Hartmut

afabaa0b7a

fix(security): prevent TOTP replay attacks and fix user enumeration in verifyTotp

Adds lastTotpAt timestamp to User model. After a successful TOTP validation,
the timestamp is recorded. Any reuse of the same code within the 30-second
window is rejected as a replay attack.

verifyTotp now returns a single generic UNAUTHORIZED error regardless of
whether the user ID is invalid or TOTP is not enabled, preventing enumeration
of user IDs and MFA status.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-09 21:41:09 +02:00

1 Commits