fix(2FA): handle malformed TOTP tokens gracefully (#10595)

opencollective · Dec 31, 2024 · 0744f7f · 0744f7f
1 parent 6cfee23
commit 0744f7f
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/server/lib/two-factor-authentication/totp.ts b/server/lib/two-factor-authentication/totp.ts
@@ -37,11 +37,16 @@ export default {
  * twoFactorAuthenticatorCode = 6-digit TOTP
  */
 function validateTOTPToken(encryptedSecret: string, token: string): boolean {
-  const decryptedTwoFactorAuthToken = crypto.decrypt(encryptedSecret);
-  return speakeasy.totp.verify({
-    secret: decryptedTwoFactorAuthToken,
-    encoding: 'base32',
-    token: token,
-    window: 2,
-  });
+  try {
+    const decryptedTwoFactorAuthToken = crypto.decrypt(encryptedSecret);
+    return speakeasy.totp.verify({
+      secret: decryptedTwoFactorAuthToken,
+      encoding: 'base32',
+      token: token,
+      window: 2,
+    });
+  } catch {
+    // An error can be thrown if the token is malformed. We simply return false in this case.
+    return false;
+  }
 }