
Commit cc499fd

committed
stringify recovery keys
1 parent f5dcc06 commit cc499fd


2 files changed

+17
-4
lines changed


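--- a/spec/ParseUser.MFA.spec.js
+++ b/spec/ParseUser.MFA.spec.js
@@ -207,7 +207,16 @@ describe('MFA', () => {
 await verifyMfa(user, token);
 await Parse.User.logOut();
 try {
-await loginWithMFA('username', 'password', null, ['12345678910', '12345678910']);
+await loginWithMFA('username', 'password', null, [
+'01234567890123456789',
+'01234567890123456789',
+]);
+fail('should have not been able to login with invalid recovery keys');
+} catch (err) {
+expect(err.text).toMatch('{"code":210,"error":"Invalid MFA recovery tokens"}');
+}
+try {
+await loginWithMFA('username', 'password', null, ['a', 'b']);
 fail('should have not been able to login with invalid recovery keys');
 } catch (err) {
 expect(err.text).toMatch('{"code":210,"error":"Invalid MFA recovery tokens"}');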
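Review bot: Both new negative cases at new lines 210-220 assert the identical `{"code":210,"error":"Invalid MFA recovery tokens"}` text, so the spec cannot tell whether a rejection came from the router's new length check or from the hash comparison, and neither case pins down the behaviour the commit title names — a non-string value whose stringification decides the outcome. Consider adding a case that passes a plain string of the wrong length, and, if `loginWithMFA` (defined outside this hunk) forwards the array unchanged, a case where one valid recovery key is repeated in both positions and is expected to be rejected. The enclosing test body starts and ends outside the hunk.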

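--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -134,10 +134,14 @@ export class UsersRouter extends ClassesRouter {
 }
 }
 const mfaEnabled = req.config.multiFactorAuth || {};
-if (mfaEnabled.enableMfa && recoveryKeys && user._mfa) {
+if (mfaEnabled.enableMfa && recoveryKeys && user.mfaEnabled) {
 const mfaRecTokens = user._mfa_recovery;
 let firstAllowed = false;
 let secondAllowed = false;
+const recoveryKeysStr = `${recoveryKeys}`;
+if (recoveryKeysStr.length < 41) {
+throw new Parse.Error(210, 'Invalid MFA recovery tokens');
+}
 for (const recToken of mfaRecTokens) {
 const setAllowedFromMatch = async (recoveryKey, first) => {
 const doesMatch = await passwordCrypto.compare(recoveryKey, recToken);
@@ -150,8 +154,8 @@ export class UsersRouter extends ClassesRouter {
 secondAllowed = true;
 }
 };
-await setAllowedFromMatch(recoveryKeys.substring(0, 20), true);
-await setAllowedFromMatch(recoveryKeys.substring(21, 41));
+await setAllowedFromMatch(recoveryKeysStr.substring(0, 20), true);
+await setAllowedFromMatch(recoveryKeysStr.substring(21, 41));
 if (!firstAllowed || !secondAllowed) {
 throw new Parse.Error(210, 'Invalid MFA recovery tokens');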
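Review bot: The new guard at new lines 141-144 only checks that `recoveryKeysStr` is at least 41 characters, not that its two 20-character halves differ, so if the hidden middle of `setAllowedFromMatch` (between the two hunks) sets `firstAllowed`/`secondAllowed` whenever `doesMatch` is true — as its visible tail at new lines 154-156 suggests — a client can repeat one valid recovery key in both positions and pass the two-key requirement with a single key. Add, directly after the length check, `if (recoveryKeysStr.substring(0, 20) === recoveryKeysStr.substring(21, 41)) { throw new Parse.Error(210, 'Invalid MFA recovery tokens'); }`. The guard also ignores whatever sits at index 20 and anything past index 40, and `${recoveryKeys}` turns an array into a comma-joined string and an object into `[object Object]`; if a single string is the intended contract, `typeof recoveryKeys !== 'string' || recoveryKeys.length !== 41` states it more honestly than stringify-then-measure. The enclosing handler begins and ends outside the hunks.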
