From 5f192344f8ee0be589cf955e8a20e4bb35ecaa48 Mon Sep 17 00:00:00 2001
From: Sam Lord
Date: Wed, 9 Oct 2024 14:18:27 +0100
Subject: [PATCH] Switched to 1 token per minute, 10 tokens accepted

More typical in TOTP setups for each token to last 1 minute, and to allow some older tokens. Also moved the options setting out of the generate scope in case verify is called first (unlikely but possible).
---
 ghost/session-service/lib/session-service.js | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ghost/session-service/lib/session-service.js b/ghost/session-service/lib/session-service.js
index 442bfa4857..c04b3e10f9 100644
--- a/ghost/session-service/lib/session-service.js
+++ b/ghost/session-service/lib/session-service.js
@@ -3,6 +3,12 @@ const {
 } = require('@tryghost/errors');
 const {totp} = require('otplib');
 
+totp.options = {
+ digits: 6,
+ step: 60,
+ window: [10, 10]
+};
+
 /**
 * @typedef {object} User
 * @prop {string} id
@@ -108,11 +114,6 @@ module.exports = function createSessionService({
 async function generateAuthCodeForUser(req, res) {
 const session = await getSession(req, res); // Todo: Do we need to handle "No session found"?
 const secret = getSecret('admin_session_secret') + session.user_id;
- totp.options = {
- digits: 6,
- encoding: 'ascii',
- step: 300 // time in sec, time for which the token will be valid //Todo: is this supposed to be 5 min?
- };
 const token = totp.generate(secret);
 return token;
 }
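Review bot: `window: [10, 10]` in the new module-level `totp.options` makes 21 distinct 6-digit codes valid at any instant (the current 60-second step plus ten steps on each side), so guessing a code against the verify path (not in this hunk) needs on the order of 1e6/21 ≈ 48k attempts instead of ~1e6, and that only holds up if verification is rate-limited per session; the commit message motivates accepting older codes, not future ones, so `window: [10, 0]` (or `[10, 1]` for slight clock skew) keeps the 10-minute grace period while halving the accepted set. The removed `encoding: 'ascii'` is not carried into the new block; if otplib's default encoding differs, `totp.generate(secret)` now interprets the concatenated secret string differently and may silently truncate it at the first character that does not fit that encoding, so either confirm the default or set `encoding` explicitly. Also, `totp` is the instance exported by otplib, so assigning `totp.options` at module load appears to change it for every other consumer in the process; a module-scoped instance configured with these options would avoid that coupling.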