Switched to 1 token per minute, 10 tokens accepted

More typical in TOTP setups for each token to last 1 minute, and to allow some older tokens. Also moved the options setting out of the generate scope in case verify is called first (unlikely but possible).
2024-11-23 03:42:27 +03:00 · 2024-10-09 14:18:27 +01:00 · 2024-10-09 14:18:27 +01:00 · 5f192344f8
commit 5f192344f8
parent 8a86db4ea5
1 changed files with 6 additions and 5 deletions
--- a/ghost/session-service/lib/session-service.js
+++ b/ghost/session-service/lib/session-service.js
@ -3,6 +3,12 @@ const {
 } = require('@tryghost/errors');
 const {totp} = require('otplib');

+totp.options = {
+    digits: 6,
+    step: 60,
+    window: [10, 10]
+};
+
 /**
 * @typedef {object} User
 * @prop {string} id
@ -108,11 +114,6 @@ module.exports = function createSessionService({
    async function generateAuthCodeForUser(req, res) {
        const session = await getSession(req, res); // Todo: Do we need to handle "No session found"?
        const secret = getSecret('admin_session_secret') + session.user_id;
-        totp.options = {
-            digits: 6,
-            encoding: 'ascii',
-            step: 300 // time in sec, time for which the token will be valid //Todo: is this supposed to be 5 min?
-        };
        const token = totp.generate(secret);
        return token;
    }