2FA (TOTP) can be bypassed by entering any string as a recovery code
justin-wilxite opened this issue · 1 comment
justin-wilxite commented
I may be missing something here, but it seems like there is no failure handling when a user provides a recovery code that isn't valid when trying to log in with TOTP.
If I alter line 561 of the unit test in totp_test.go (authboss/otp/twofactor/totp2fa/totp_test.go, line 561 at d38273a) to this:

```go
h.bodyReader.Return = mocks.Values{Recovery: "anything"}
```

the test still passes.
This appears to allow a user to bypass 2FA
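The failure mode described in the report, as an added example that is not authboss code and does not reproduce its handler: a recovery-code login path that consumes the submitted value but never verifies it (the "before"), beside a version that only marks the second factor as passed when the submitted code matches an unused stored hash and consumes that code. The `User` type, `IssueRecoveryCodes`, `LoginRecoveryBroken` and `VerifyRecoveryCode` are hypothetical names chosen for this example; the SHA-256 storage is an assumption to keep the example dependency-free, where a real store would use a slow password hash such as bcrypt.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidRecoveryCode is returned whenever the submitted code does not
// match an unused code on the account.
var ErrInvalidRecoveryCode = errors.New("recovery code not valid")

// User is a stand-in for the stored user record (hypothetical, not authboss's
// type). It keeps only hashes of its single-use recovery codes.
type User struct {
	recoveryHashes []string
	TOTPPassed     bool // set only once the second factor has really been verified
}

// hashCode normalises a code and hashes it. Codes are high-entropy random
// strings, so a fast hash is used here (assumption for this example); a real
// store would use a slow password hash such as bcrypt.
func hashCode(code string) string {
	norm := strings.ToUpper(strings.TrimSpace(code))
	sum := sha256.Sum256([]byte(norm))
	return hex.EncodeToString(sum[:])
}

// IssueRecoveryCodes creates n random codes, stores their hashes on u and
// returns the plaintext codes, which are shown to the user exactly once.
func IssueRecoveryCodes(u *User, n int) ([]string, error) {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	codes := make([]string, 0, n)
	u.recoveryHashes = u.recoveryHashes[:0]
	for i := 0; i < n; i++ {
		raw := make([]byte, 10) // 80 bits of entropy per code
		if _, err := rand.Read(raw); err != nil {
			return nil, err
		}
		code := enc.EncodeToString(raw)
		codes = append(codes, code)
		u.recoveryHashes = append(u.recoveryHashes, hashCode(code))
	}
	return codes, nil
}

// RemainingCodes reports how many unused codes the user still has.
func (u *User) RemainingCodes() int { return len(u.recoveryHashes) }

// LoginRecoveryBroken mirrors the bug reported above: the handler reads the
// submitted recovery value but never checks it against anything, so any
// non-empty string passes the second factor. Kept only as the "before".
func LoginRecoveryBroken(u *User, submitted string) bool {
	if submitted == "" {
		return false
	}
	u.TOTPPassed = true
	return true
}

// VerifyRecoveryCode is the hardened path: it succeeds only when the submitted
// code matches an unused stored hash, consumes that code, and fails closed
// otherwise.
func VerifyRecoveryCode(u *User, submitted string) error {
	if strings.TrimSpace(submitted) == "" {
		return ErrInvalidRecoveryCode
	}
	want := []byte(hashCode(submitted))
	match := -1
	// Compare against every stored hash without an early exit so timing does
	// not reveal which slot (if any) matched.
	for i, stored := range u.recoveryHashes {
		if subtle.ConstantTimeCompare([]byte(stored), want) == 1 {
			match = i
		}
	}
	if match < 0 {
		return ErrInvalidRecoveryCode // fail closed: the factor was NOT verified
	}
	// Single use: remove the consumed code before granting access.
	u.recoveryHashes = append(u.recoveryHashes[:match], u.recoveryHashes[match+1:]...)
	u.TOTPPassed = true
	return nil
}

func main() {
	u := &User{}
	codes, err := IssueRecoveryCodes(u, 3)
	if err != nil {
		panic(err)
	}
	fmt.Println("broken handler accepts \"anything\":", LoginRecoveryBroken(&User{}, "anything"))
	fmt.Println("fixed handler, bogus code:", VerifyRecoveryCode(u, "anything"))
	fmt.Println("fixed handler, real code:", VerifyRecoveryCode(u, codes[0]))
	fmt.Println("fixed handler, reused code:", VerifyRecoveryCode(u, codes[0]))
	fmt.Println("codes left:", u.RemainingCodes())
}
```

The test the report describes, with `Recovery: "anything"`, is exactly the case `VerifyRecoveryCode` must reject: a unit test for the recovery path should assert both that a bogus code is refused and that a real code works only once.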
aarondl commented
Thanks for fixing this.