scripte/archivmail
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2a91f6e249d6c3a0ad09ee9e81fc492b20374a7d
archivmail/internal/auth/totp.go
T
sysops 2de340573b fix(security): behebe F-01/F-02/W-03/W-04 aus Security-Audit + PROJ-24 TOTP 2FA 
F-01: err.Error() wird nicht mehr an HTTP-Clients gesendet.
      Stattdessen generische Fehlermeldungen + Server-Log.
      Betrifft: handleCreateUser, handleUpdateUser, handleDeleteUser,
                handleSyncNow, handleSecurityConfig, handleUpload.

F-02: Login-Audit-Log enthält keinen rohen err.Error() mehr.
      Neue classifyLoginError() Funktion: invalid_password / ldap_error /
      account_disabled / unknown — schützt vor LDAP-Info-Leak via Audit-API.

W-03: remoteIP() trimmt jetzt Leerzeichen aus X-Forwarded-For.
      Vollständige Lösung erfordert Proxy-Konfiguration (W-03 bleibt WARN).

W-04: Attachment-Dateiname wird durch sanitizeFilename() bereinigt.
      Nur [a-zA-Z0-9._- ] erlaubt — verhindert Header-Injection.

PROJ-24: TOTP 2FA vollständig implementiert:
      - internal/auth/totp.go: GenerateSecret, ValidateTOTP, QRCodeSVG
      - internal/api/totp_handlers.go: Setup, Login-Step2, Admin-Reset
      - internal/userstore: SetTOTPSecret, EnableTOTP, DisableTOTP, ResetTOTP
      - Login-Flow: totp_pending JWT → /api/auth/totp → vollwertiger JWT
      - AES-256-GCM verschlüsseltes Secret in users.totp_secret

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 00:54:00 +01:00

51 lines
1.3 KiB
Go
Raw Blame History

package auth
import (
"bytes"
"image/png"
"time"
"github.com/pquerna/otp"
"github.com/pquerna/otp/totp"
)
// GenerateSecret creates a new TOTP secret for the given user.
// Returns the base32-encoded secret, the otpauth:// URL, and a QR code as PNG bytes.
func GenerateSecret(username, issuer string) (secret string, otpauthURL string, qrPNG []byte, err error) {
key, err := totp.Generate(totp.GenerateOpts{
Issuer: issuer,
AccountName: username,
SecretSize: 20,
Algorithm: otp.AlgorithmSHA1,
Digits: otp.DigitsSix,
Period: 30,
})
if err != nil {
return "", "", nil, err
}
secret = key.Secret()
otpauthURL = key.URL()
img, err := key.Image(200, 200)
if err != nil {
return secret, otpauthURL, nil, nil // QR code is optional
}
var buf bytes.Buffer
if encErr := png.Encode(&buf, img); encErr == nil {
qrPNG = buf.Bytes()
}
return secret, otpauthURL, qrPNG, nil
}
// ValidateTOTP checks whether the given code is valid for the base32 secret.
// Allows +/- 1 time step (30s) tolerance.
func ValidateTOTP(secret, code string) bool {
valid, err := totp.ValidateCustom(code, secret, time.Now().UTC(), totp.ValidateOpts{
Period: 30,
Skew: 1,
Digits: otp.DigitsSix,
Algorithm: otp.AlgorithmSHA1,
})
return err == nil && valid
}
Reference in New Issue View Git Blame Copy Permalink