- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
32 lines
1.1 KiB
TypeScript
32 lines
1.1 KiB
TypeScript
import * as OTPAuthLib from "otpauth";
|
|
import { decrypt } from "./encryption";
|
|
import { config } from "../config/env";
|
|
|
|
export const OTPAuth = {
|
|
verify(
|
|
encryptedSecret: string,
|
|
code: string,
|
|
): { valid: boolean; counter: number | null } {
|
|
try {
|
|
const secret = decrypt(encryptedSecret);
|
|
const totp = new OTPAuthLib.TOTP({
|
|
secret: OTPAuthLib.Secret.fromBase32(secret),
|
|
algorithm: config.totp.algorithm,
|
|
digits: config.totp.digits,
|
|
period: config.totp.period,
|
|
});
|
|
const delta = totp.validate({ token: code, window: 1 });
|
|
if (delta === null) {
|
|
return { valid: false, counter: null };
|
|
}
|
|
const currentCounter = Math.floor(Date.now() / 1000 / config.totp.period);
|
|
// Only advance counter for current or past codes, not future ones
|
|
const counterDelta = Math.min(delta, 0);
|
|
return { valid: true, counter: currentCounter + counterDelta };
|
|
} catch (err) {
|
|
console.error("TOTP verification error:", err);
|
|
return { valid: false, counter: null };
|
|
}
|
|
},
|
|
};
|