Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-06-14 11:07:45 +02:00
Code Issues Activity
gitea/models/auth
History
Nicolas c0c11c551c
fix: enforce single-use TOTP passcodes across all 2FA surfaces 
The web 2FA login and password-reset paths validated the passcode and then
wrote LastUsedPasscode in a non-atomic read-check-write sequence, so two
parallel submissions of the same code could each authenticate (TOCTOU). The
Basic-Auth X-Gitea-OTP path never recorded the used passcode at all, letting
a captured code be replayed for its whole validity window.

Add TwoFactor.ValidateAndConsumeTOTP, which validates and atomically marks
the passcode used via a conditional UPDATE (rejecting replays and racing
duplicates), and route the web login, password-reset, and Basic-Auth paths
through it.

Assisted-by: Claude:claude-opus-4-8
2026-06-13 18:38:06 +02:00
..
access_token_scope_test.go
Enable addtional linters (#34085)
2025-04-01 10:14:01 +00:00
access_token_scope.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
access_token_test.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
access_token.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
auth_token.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
main_test.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
oauth2_list.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
oauth2_test.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
oauth2.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
session.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
source_test.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
source.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
twofactor_test.go
fix: enforce single-use TOTP passcodes across all 2FA surfaces
2026-06-13 18:38:06 +02:00
twofactor.go
fix: enforce single-use TOTP passcodes across all 2FA surfaces
2026-06-13 18:38:06 +02:00
webauthn_test.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00
webauthn.go
chore: Move import path from code.gitea.io/gitea to gitea.dev (#37873)
2026-05-26 15:49:31 -07:00