Accept the TOTP token before and after the current

1 year ago · 6a8d2753e0
2 changed files with 23 additions and 1 deletions
--- a/tildes/tests/test_user.py
+++ b/tildes/tests/test_user.py
@ -1,6 +1,10 @@
 # Copyright (c) 2018 Tildes contributors <code@tildes.net>
 # SPDX-License-Identifier: AGPL-3.0-or-later

+from datetime import datetime
+
+from dateutil import tz
+from freezegun import freeze_time
 from marshmallow.exceptions import ValidationError
 from pyramid.security import principals_allowed_by_permission
 from pytest import raises
@ -160,3 +164,21 @@ def test_ban_permission_manually_granted():

    principals = principals_allowed_by_permission(user, "ban")
    assert principals == {"*:user.ban"}
+
+
+def test_totp_token_window():
+    """Ensure the TOTP token accepts the one directly before and after the current."""
+    user = User("Test_User", "password")
+    user.two_factor_enabled = True
+    user.two_factor_secret = "USKIRUUOFM54XGSXELCOM6K7KODOB2EC"
+
+    invalid_tokens = ["896500", "075549"]
+    valid_tokens = ["293601", "733932", "295043"]
+
+    target_time = datetime(2023, 6, 16, 23, 55, tzinfo=tz.UTC)
+    with freeze_time(target_time):
+        for token in valid_tokens:
+            assert user.is_correct_two_factor_code(token)
+
+        for token in invalid_tokens:
+            assert not user.is_correct_two_factor_code(token)
--- a/tildes/tildes/models/user/user.py
+++ b/tildes/tildes/models/user/user.py
@ -279,7 +279,7 @@ class User(DatabaseModel):
        # some possible user input (such as unicode) can cause an error in the totp
        # library, catch that and treat it the same as an invalid code
        try:
-            is_valid_code = totp.verify(code)
+            is_valid_code = totp.verify(code, valid_window=1)
        except TypeError:
            is_valid_code = False