fixed critical login TOTP bypass bug! whoops!!!!!

2025-01-26 23:41:35 +00:00 · 2025-01-26 23:41:35 +00:00 · 1efe52a8cb
commit 1efe52a8cb
parent 2e93c3c5e5
7 changed files with 166 additions and 99 deletions
--- a/admin/accounthttp.go
+++ b/admin/accounthttp.go
@ -134,7 +134,7 @@ func deleteAccountHandler(app *model.AppState) http.Handler {
            return
        }

-        if !r.Form.Has("password") || !r.Form.Has("totp") {
+        if !r.Form.Has("password") {
            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
            return
        }
@ -153,23 +153,6 @@ func deleteAccountHandler(app *model.AppState) http.Handler {
            return
        }

-        totpMethod, err := controller.CheckTOTPForAccount(app.DB, session.Account.ID, r.Form.Get("totp"))
-        if err != nil {
-            fmt.Fprintf(os.Stderr, "Failed to fetch account: %v\n", err)
-            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-            return
-        }
-        if totpMethod == nil {
-            fmt.Printf(
-                "[%s] WARN: Account \"%s\" attempted account deletion with incorrect TOTP.\n",
-                time.Now().Format(time.UnixDate),
-                session.Account.Username,
-            )
-            controller.SetSessionError(app.DB, session, "Incorrect TOTP.")
-            http.Redirect(w, r, "/admin/account", http.StatusFound)
-        }
-
        err = controller.DeleteAccount(app.DB, session.Account.ID)
        if err != nil {
            fmt.Fprintf(os.Stderr, "Failed to delete account: %v\n", err)