fix: totp (#967)

* fix: totp

* fix: changelog and test

* fix: version

Author: sattvikc

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [9.0.1] - 2024-03-20
+
+- Fixes verify TOTP and verify device APIs to treat any code as invalid
+- Fixes the computation of the number of failed attempts when return `INVALID_TOTP_ERROR`
+
 ## [9.0.0] - 2024-03-13
 
 ### Added

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "9.0.0"
+version = "9.0.1"
 
 
 repositories {

src/main/java/io/supertokens/totp/Totp.java

@@ -203,17 +203,28 @@ private static void checkAndStoreCode(TenantIdentifier tenantIdentifier, Storage
 
                     // N represents # of invalid attempts that will trigger rate limiting:
                     int N = Config.getConfig(tenantIdentifier, main).getTotpMaxAttempts(); // (Default 5)
-                    // Count # of contiguous invalids in latest N attempts (stop at first valid):
-                    long invalidOutOfN = Arrays.stream(usedCodes).limit(N).takeWhile(usedCode -> !usedCode.isValid)
-                            .count();
+
+                    // filter only invalid codes, stop at first valid code
+                    TOTPUsedCode[] invalidUsedCodes = Arrays.stream(usedCodes).limit(N).takeWhile(
+                            usedCode -> !usedCode.isValid).toArray(TOTPUsedCode[]::new);
+
                     int rateLimitResetTimeInMs = Config.getConfig(tenantIdentifier, main)
                             .getTotpRateLimitCooldownTimeSec() *
                             1000; // (Default 15 mins)
 
+                    // Count how many of the latest invalid codes fall under the rate limiting compared
+                    // to the latest invalid attempt
+                    long invalidOutOfN = 0;
+                    if (invalidUsedCodes.length > 0) {
+                        invalidOutOfN = Arrays.stream(invalidUsedCodes).limit(N).takeWhile(
+                                usedCode -> usedCode.createdTime > invalidUsedCodes[0].createdTime - rateLimitResetTimeInMs
+                            ).count();
+                    }
+
                     // Check if the user has been rate limited:
                     if (invalidOutOfN == N) {
                         // All of the latest N attempts were invalid:
-                        long latestInvalidCodeCreatedTime = usedCodes[0].createdTime;
+                        long latestInvalidCodeCreatedTime = invalidUsedCodes[0].createdTime;
                         long now = System.currentTimeMillis();
 
                         if (now - latestInvalidCodeCreatedTime < rateLimitResetTimeInMs) {
@@ -225,6 +236,9 @@ private static void checkAndStoreCode(TenantIdentifier tenantIdentifier, Storage
                             // If we insert the used code here, then it will further delay the user from
                             // being able to login. So not inserting it here.
                         }
+
+                        // since we are past the cool down period, the user can retry all the attempts
+                        invalidOutOfN = 0;
                     }
 
                     // Check if the code is valid for any device:

src/main/java/io/supertokens/webserver/api/totp/VerifyTotpAPI.java

@@ -46,9 +46,6 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
         if (userId.isEmpty()) {
             throw new ServletException(new BadRequestException("userId cannot be empty"));
         }
-        if (totp.length() != 6) {
-            throw new ServletException(new BadRequestException("totp must be 6 characters long"));
-        }
 
         JsonObject result = new JsonObject();
 

src/main/java/io/supertokens/webserver/api/totp/VerifyTotpDeviceAPI.java

@@ -50,9 +50,6 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
         if (deviceName.isEmpty()) {
             throw new ServletException(new BadRequestException("deviceName cannot be empty"));
         }
-        if (totp.length() != 6) {
-            throw new ServletException(new BadRequestException("totp must be 6 characters long"));
-        }
 
         JsonObject result = new JsonObject();
 

src/test/java/io/supertokens/test/totp/TOTPRecipeTest.java

@@ -348,13 +348,33 @@ public void rateLimitCooldownTest() throws Exception {
         // Wait for 1 second (Should cool down rate limiting):
         Thread.sleep(1000);
         // But again try with invalid code:
-        assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0"));
+        InvalidTotpException invalidTotpException = assertThrows(InvalidTotpException.class,
+                () -> Totp.verifyCode(main, "user", "invalid0"));
+        assertEquals(1, invalidTotpException.currentAttempts);
+        invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0"));
+        assertEquals(2, invalidTotpException.currentAttempts);
+        invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0"));
+        assertEquals(3, invalidTotpException.currentAttempts);
+
         // This triggered rate limiting again. So even valid codes will fail for
         // another cooldown period:
-        assertThrows(LimitReachedException.class,
+        LimitReachedException limitReachedException = assertThrows(LimitReachedException.class,
                 () -> Totp.verifyCode(main, "user", generateTotpCode(main, device)));
+        assertEquals(3, limitReachedException.currentAttempts);
         // Wait for 1 second (Should cool down rate limiting):
         Thread.sleep(1000);
+
+        // test that after cool down, we can retry invalid codes N times again
+        invalidTotpException = assertThrows(InvalidTotpException.class,
+                () -> Totp.verifyCode(main, "user", "invalid0"));
+        assertEquals(1, invalidTotpException.currentAttempts);
+        invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0"));
+        assertEquals(2, invalidTotpException.currentAttempts);
+        invalidTotpException = assertThrows(InvalidTotpException.class, () -> Totp.verifyCode(main, "user", "invalid0"));
+        assertEquals(3, invalidTotpException.currentAttempts);
+
+        Thread.sleep(1100);
+
         // Now try with valid code:
         Totp.verifyCode(main, "user", generateTotpCode(main, device));
         // Now invalid code shouldn't trigger rate limiting. Unless you do it N times:

src/test/java/io/supertokens/test/totp/api/VerifyTotpAPITest.java

@@ -23,6 +23,8 @@
 import org.junit.Test;
 import org.junit.rules.TestRule;
 
+import java.io.IOException;
+
 import static io.supertokens.test.totp.TOTPRecipeTest.generateTotpCode;
 import static org.junit.Assert.*;
 
@@ -56,6 +58,21 @@ private Exception verifyTotpCodeRequest(TestingProcessManager.TestingProcess pro
                         "totp"));
     }
 
+    private void verifyTotpRequestThatReturnsInvalidCode(TestingProcessManager.TestingProcess process, JsonObject body)
+            throws HttpResponseException, IOException {
+        JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(
+                process.getProcess(),
+                "",
+                "http://localhost:3567/recipe/totp/verify",
+                body,
+                1000,
+                1000,
+                null,
+                Utils.getCdiVersionStringLatestForTests(),
+                "totp");
+        assertEquals("INVALID_TOTP_ERROR", resp.get("status").getAsString());
+    }
+
     private void checkFieldMissingErrorResponse(Exception ex, String fieldName) {
         assert ex instanceof HttpResponseException;
         HttpResponseException e = (HttpResponseException) ex;
@@ -149,18 +166,27 @@ public void testApi() throws Exception {
             checkResponseErrorContains(e, "userId cannot be empty"); // Note that this is not a field missing error
 
             body.addProperty("userId", device.userId);
-            e = verifyTotpCodeRequest(process, body);
-            checkResponseErrorContains(e, "totp must be 6 characters long");
+            verifyTotpRequestThatReturnsInvalidCode(process, body);
+
+            Thread.sleep(1100);
 
             // test totp of length 5:
             body.addProperty("totp", "12345");
-            e = verifyTotpCodeRequest(process, body);
-            checkResponseErrorContains(e, "totp must be 6 characters long");
+            verifyTotpRequestThatReturnsInvalidCode(process, body);
+
+            Thread.sleep(1100);
+
+            // test totp of alphabets:
+            body.addProperty("totp", "abcd");
+            verifyTotpRequestThatReturnsInvalidCode(process, body);
+
+            Thread.sleep(1100);
 
             // test totp of length 8:
             body.addProperty("totp", "12345678");
-            e = verifyTotpCodeRequest(process, body);
-            checkResponseErrorContains(e, "totp must be 6 characters long");
+            verifyTotpRequestThatReturnsInvalidCode(process, body);
+
+            Thread.sleep(1100);
 
             // but let's pass invalid code first
             body.addProperty("totp", "123456");

src/test/java/io/supertokens/test/totp/api/VerifyTotpDeviceAPITest.java

@@ -21,6 +21,8 @@
 import org.junit.Test;
 import org.junit.rules.TestRule;
 
+import java.io.IOException;
+
 import static org.junit.Assert.*;
 
 public class VerifyTotpDeviceAPITest {
@@ -53,6 +55,21 @@ private Exception updateDeviceRequest(TestingProcessManager.TestingProcess proce
                         "totp"));
     }
 
+    private void requestWithInvalidCode(TestingProcessManager.TestingProcess process, JsonObject body)
+            throws HttpResponseException, IOException {
+        JsonObject resp = HttpRequestForTesting.sendJsonPOSTRequest(
+                process.getProcess(),
+                "",
+                "http://localhost:3567/recipe/totp/device/verify",
+                body,
+                1000,
+                1000,
+                null,
+                Utils.getCdiVersionStringLatestForTests(),
+                "totp");
+        assertEquals("INVALID_TOTP_ERROR", resp.get("status").getAsString());
+    }
+
     private void checkFieldMissingErrorResponse(Exception ex, String fieldName) {
         assert ex instanceof HttpResponseException;
         HttpResponseException e = (HttpResponseException) ex;
@@ -126,7 +143,7 @@ public void testApi() throws Exception {
             checkFieldMissingErrorResponse(e, "totp");
         }
 
-        // Invalid userId/deviceName/skew/period
+        // Invalid userId/deviceName/totp
         {
             body.addProperty("totp", "");
             Exception e = updateDeviceRequest(process, body);
@@ -137,18 +154,27 @@ public void testApi() throws Exception {
             checkResponseErrorContains(e, "deviceName cannot be empty");
 
             body.addProperty("deviceName", device.deviceName);
-            e = updateDeviceRequest(process, body);
-            checkResponseErrorContains(e, "totp must be 6 characters long");
+            requestWithInvalidCode(process, body);
+
+            Thread.sleep(1100);
 
             // test totp of length 5:
             body.addProperty("totp", "12345");
-            e = updateDeviceRequest(process, body);
-            checkResponseErrorContains(e, "totp must be 6 characters long");
+            requestWithInvalidCode(process, body);
+
+            Thread.sleep(1100);
 
             // test totp of length 8:
             body.addProperty("totp", "12345678");
-            e = updateDeviceRequest(process, body);
-            checkResponseErrorContains(e, "totp must be 6 characters long");
+            requestWithInvalidCode(process, body);
+
+            Thread.sleep(1100);
+
+            // test totp of length alphabets:
+            body.addProperty("totp", "abcd");
+            requestWithInvalidCode(process, body);
+
+            Thread.sleep(2100);
 
             // but let's pass invalid code first
             body.addProperty("totp", "123456");
@@ -247,5 +273,4 @@ public void testApi() throws Exception {
         process.kill();
         assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
     }
-
 }