From 0744f7f5f39770884104b2ae9b8eaf961864062c Mon Sep 17 00:00:00 2001
From: Benjamin Piouffle
Date: Tue, 31 Dec 2024 11:07:30 +0100
Subject: [PATCH] fix(2FA): handle malformed TOTP tokens gracefully (#10595)

---
 server/lib/two-factor-authentication/totp.ts | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/server/lib/two-factor-authentication/totp.ts b/server/lib/two-factor-authentication/totp.ts
index 877cbcfef93..82ce9a6d914 100644
--- a/server/lib/two-factor-authentication/totp.ts
+++ b/server/lib/two-factor-authentication/totp.ts
@@ -37,11 +37,16 @@ export default {
 * twoFactorAuthenticatorCode = 6-digit TOTP
 */
 function validateTOTPToken(encryptedSecret: string, token: string): boolean {
- const decryptedTwoFactorAuthToken = crypto.decrypt(encryptedSecret);
- return speakeasy.totp.verify({
- secret: decryptedTwoFactorAuthToken,
- encoding: 'base32',
- token: token,
- window: 2,
- });
+ try {
+ const decryptedTwoFactorAuthToken = crypto.decrypt(encryptedSecret);
+ return speakeasy.totp.verify({
+ secret: decryptedTwoFactorAuthToken,
+ encoding: 'base32',
+ token: token,
+ window: 2,
+ });
+ } catch {
+ // An error can be thrown if the token is malformed. We simply return false in this case.
+ return false;
+ }
 }
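Review bot: The new `catch` in validateTOTPToken wraps `crypto.decrypt(encryptedSecret)` as well as the verify call, so a stored secret that fails to decrypt (wrong key, corrupted value) is now reported as a plain `false` and is indistinguishable from a wrong code, hiding a server-side problem behind what looks like a user error. Since the case the commit targets is a malformed `token`, which the decrypt step does not read, the decrypt line can stay ahead of the `try` so only the verifier's exception is swallowed: keep `const decryptedTwoFactorAuthToken = crypto.decrypt(encryptedSecret);` before `try {` and start the `try` body at `return speakeasy.totp.verify({`. The catch could also bind the error (`} catch (error) {`) and log it at debug level if this module has a logger in scope, so repeated malformed submissions against one account stay visible to monitoring rather than vanishing. The doc comment above the function says the token is a 6-digit TOTP, so a format check such as `if (!/^\d{6}$/.test(token)) return false;` ahead of verification would give malformed input a deterministic path instead of relying on an exception, assuming the verifier compares the token as a plain string.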