fixed critical login TOTP bypass bug! whoops!!!!!

ari melody 2025-01-26 23:41:35 +00:00
parent 2e93c3c5e5
commit 1efe52a8cb
Signed by: ari
GPG key ID: CF99829C92678188
7 changed files with 166 additions and 99 deletions


@ -49,6 +49,17 @@ func CreateSession(db *sqlx.DB, userAgent string) (*model.Session, error) {
// return err
// }
func SetSessionAttemptAccount(db *sqlx.DB, session *model.Session, account *model.Account) error {
var err error
session.AttemptAccount = account
if account == nil {
_, err = db.Exec("UPDATE session SET attempt_account=NULL WHERE token=$1", session.Token)
} else {
_, err = db.Exec("UPDATE session SET attempt_account=$2 WHERE token=$1", session.Token, account.ID)
}
return err
}
func SetSessionAccount(db *sqlx.DB, session *model.Session, account *model.Account) error {
var err error
session.Account = account
@ -89,7 +100,8 @@ func SetSessionError(db *sqlx.DB, session *model.Session, message string) error
func GetSession(db *sqlx.DB, token string) (*model.Session, error) {
type dbSession struct {
model.Session
AccountID sql.NullString `db:"account"`
AttemptAccountID sql.NullString `db:"attempt_account"`
AccountID sql.NullString `db:"account"`
}
session := dbSession{}
@ -109,6 +121,13 @@ func GetSession(db *sqlx.DB, token string) (*model.Session, error) {
}
}
if session.AttemptAccountID.Valid {
session.AttemptAccount, err = GetAccountByID(db, session.AttemptAccountID.String)
if err != nil {
return nil, err
}
}
return &session.Session, err
}
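Review bot: In SetSessionAttemptAccount (first hunk), `session.AttemptAccount = account` runs before the UPDATE, so when db.Exec fails the caller is left holding a session whose in-memory attempt account is not what the database persists — for a second-factor gate that is exactly the state drift the commit sets out to remove; assign only after the write succeeds: `if err != nil { return err }` / `session.AttemptAccount = account` / `return nil`. In the second hunk the dbSession struct shows `AccountID sql.NullString `db:"account"`` both before and after the new AttemptAccountID field; if that is not a rendering artifact of the changed line it is a duplicate field and will not compile, so check the struct in the file itself. In the third hunk a failing GetAccountByID for a stale attempt_account (for instance an account deleted mid-login) makes GetSession fail outright instead of merely dropping the pending attempt, which may be intended but deserves a comment such as `// an unresolvable attempt_account invalidates the whole session` or an explicit fallback that clears the attempt. Nothing in these hunks clears attempt_account once the second factor succeeds or the attempt is abandoned; presumably the callers outside this diff pass nil to SetSessionAttemptAccount at those points, which is worth confirming, since a stale attempt row leaves an unauthenticated session half-bound to an account.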