ZMS-45: Implement totp nonce system for safer totp checks

NickOvt · NickOvt · commit ea507c723914 · 2026-03-31T14:44:31.000+03:00
diff --git a/lib/api/2fa/totp.js b/lib/api/2fa/totp.js
@@ -223,6 +223,7 @@ module.exports = (db, server, userHandler) => {
             validationObjs: {
                 requestBody: {
                     token: Joi.string().length(6).required().description('6-digit number'),
+                    totpNonce: Joi.string().hex().length(40).required().description('Short-lived nonce returned by /authenticate'),
                     sess: sessSchema,
                     ip: sessIPSchema
                 },
@@ -264,6 +265,7 @@ module.exports = (db, server, userHandler) => {
             }
 
             let user = new ObjectId(result.value.user);
+            result.value.accessTokenHash = req.accessToken?.hash;
             let totp = await userHandler.checkTotp(user, result.value);
 
             if (!totp) {
diff --git a/lib/api/auth.js b/lib/api/auth.js
@@ -175,6 +175,7 @@ module.exports = (db, server, userHandler) => {
                             token: Joi.string().description(
                                 'If access token was requested then this is the value to use as access token when making API requests on behalf of logged in user.'
                             ),
+                            totpNonce: Joi.string().hex().length(40).description('Short-lived nonce for completing TOTP authentication'),
                             passwordPwned: booleanSchema.description(
                                 'Indicates whether account password has been found in the list of Pwned passwords and should be replaced'
                             )
@@ -273,6 +274,9 @@ module.exports = (db, server, userHandler) => {
             if (result.value.token) {
                 try {
                     authResponse.token = await userHandler.generateAuthToken(authData.user);
+                    if (Array.isArray(authData.require2fa) && authData.require2fa.includes('totp')) {
+                        authResponse.totpNonce = await userHandler.generateTotpNonce(authData.user, authResponse.token);
+                    }
                 } catch (err) {
                     let response = {
                         error: err.message,
@@ -380,9 +384,7 @@ module.exports = (db, server, userHandler) => {
                                         filter: Joi.string().description('Filter ID associated with the event'),
                                         credential: Joi.string().description('WebAuthn credential ID'),
                                         appId: Joi.string().description('Optional appId which is the URL of the app'),
-                                        require2fa: Joi.alternatives()
-                                            .try(Joi.string(), booleanSchema.allow(false))
-                                            .description('2FA requirement detail'),
+                                        require2fa: Joi.alternatives().try(Joi.string(), booleanSchema.allow(false)).description('2FA requirement detail'),
                                         last: Joi.date().required().description('Date of the last update of data'),
                                         events: Joi.number().required().description('Number of times same auth log has occurred'),
                                         source: Joi.string().description('Source of auth. Example: `master` if password auth was used'),
@@ -564,9 +566,7 @@ module.exports = (db, server, userHandler) => {
                             filter: Joi.string().description('Filter ID associated with the event'),
                             credential: Joi.string().description('WebAuthn credential ID'),
                             appId: Joi.string().description('Optional appId which is the URL of the app'),
-                            require2fa: Joi.alternatives()
-                                .try(Joi.string(), booleanSchema.allow(false))
-                                .description('2FA requirement detail'),
+                            require2fa: Joi.alternatives().try(Joi.string(), booleanSchema.allow(false)).description('2FA requirement detail'),
                             last: Joi.date().required().description('Date of the last update of Event'),
                             events: Joi.number().required().description('Number of times same auth Event has occurred'),
                             source: Joi.string().description('Source of auth. Example: `master` if password auth was used'),
diff --git a/lib/consts.js b/lib/consts.js
@@ -62,6 +62,7 @@ module.exports = {
     TOTP_FAILURES: 6,
     // TOTP authentication window in seconds, starts counting from first invalid authentication
     TOTP_WINDOW: 180,
+    TOTP_NONCE_TTL: 10 * 60,
 
     SCOPES: ['imap', 'pop3', 'smtp'],
 
diff --git a/lib/user-handler.js b/lib/user-handler.js
@@ -2291,9 +2291,52 @@ class UserHandler {
         return true;
     }
 
+    async generateTotpNonce(user, accessToken) {
+        const tokenHash = crypto.createHash('sha256').update(accessToken).digest('hex');
+        const totpNonce = crypto.randomBytes(20).toString('hex');
+
+        try {
+            await this.redis.set(getTotpNonceKey(user, totpNonce), tokenHash, 'EX', consts.TOTP_NONCE_TTL);
+        } catch {
+            // ignore
+        }
+
+        return totpNonce;
+    }
+
+    async validateTotpNonce(user, totpNonce, accessTokenHash) {
+        if (!accessTokenHash) {
+            const err = new Error('Authentication token is required');
+            err.response = 'NO';
+            err.responseCode = 403;
+            err.code = 'AuthenticationRequired';
+            throw err;
+        }
+
+        let storedAccessTokenHash;
+        const totpNonceKey = getTotpNonceKey(user, totpNonce);
+
+        try {
+            storedAccessTokenHash = await this.redis.get(totpNonceKey);
+        } catch {
+            // ignore
+        }
+
+        if (!storedAccessTokenHash || storedAccessTokenHash !== accessTokenHash) {
+            const err = new Error('Invalid or expired TOTP nonce');
+            err.response = 'NO';
+            err.responseCode = 403;
+            err.code = 'InvalidTotpNonce';
+            throw err;
+        }
+
+        return totpNonceKey;
+    }
+
     async checkTotp(user, data) {
         let userRlKey = `totp:${user}`;
         let totpSuccessKey = `totp:${user}:${data.token}`;
+        let totpNonceKey = await this.validateTotpNonce(user, data.totpNonce, data.accessTokenHash);
 
         try {
             let rateLimitRes = await this.rateLimit(userRlKey, data, 0);
@@ -2401,6 +2444,24 @@ class UserHandler {
             // ignore
         }
 
+        if (verified) {
+            let nonceConsumed;
+            try {
+                nonceConsumed = await this.redis.del(totpNonceKey);
+            } catch {
+                // ignore
+            }
+
+            if (!nonceConsumed) {
+                verified = false;
+                const nonceError = new Error('Invalid or expired TOTP nonce');
+                nonceError.response = 'NO';
+                nonceError.responseCode = 403;
+                nonceError.code = 'InvalidTotpNonce';
+                throw nonceError;
+            }
+        }
+
         if (verified) {
             try {
                 await this.redis
@@ -4030,6 +4091,10 @@ function rateLimitResponse(res) {
     return err;
 }
 
+function getTotpNonceKey(user, totpNonce) {
+    return `totpnonce:${user}:${crypto.createHash('sha256').update(totpNonce).digest('hex')}`;
+}
+
 // high collision hash function
 function getStringSelector(str) {
     let hash = crypto.createHash('sha1').update(str).digest();
diff --git a/test/api/totp-test.js b/test/api/totp-test.js
@@ -0,0 +1,115 @@
+/*eslint no-unused-expressions: 0, prefer-arrow-callback: 0 */
+
+'use strict';
+
+const supertest = require('supertest');
+const chai = require('chai');
+const speakeasy = require('speakeasy');
+
+const expect = chai.expect;
+chai.config.includeStack = true;
+const config = require('@zone-eu/wild-config');
+
+const server = supertest.agent(`http://127.0.0.1:${config.api.port}`);
+
+describe('API TOTP', function () {
+    this.timeout(10000); // eslint-disable-line no-invalid-this
+
+    let user;
+    let seed;
+    let accessToken;
+    let totpNonce;
+
+    it('should POST /users expect success / create a user with TOTP', async () => {
+        const response = await server
+            .post('/users')
+            .send({
+                username: 'totpnonceuser',
+                name: 'Totp Nonce User',
+                address: 'totpnonce@example.com',
+                password: 'totpsecretvalue'
+            })
+            .expect(200);
+
+        expect(response.body.success).to.be.true;
+        user = response.body.id;
+    });
+
+    it('should POST /users/{user}/2fa/totp/setup expect success', async () => {
+        const response = await server
+            .post(`/users/${user}/2fa/totp/setup`)
+            .send({
+                issuer: 'WildDuck Test'
+            })
+            .expect(200);
+
+        expect(response.body.success).to.be.true;
+        expect(response.body.seed).to.exist;
+
+        seed = response.body.seed;
+    });
+
+    it('should POST /users/{user}/2fa/totp/enable expect success', async () => {
+        const response = await server
+            .post(`/users/${user}/2fa/totp/enable`)
+            .send({
+                token: speakeasy.totp({
+                    secret: seed,
+                    encoding: 'base32'
+                })
+            })
+            .expect(200);
+
+        expect(response.body.success).to.be.true;
+    });
+
+    it('should POST /authenticate expect success / return auth token and totpNonce', async () => {
+        const response = await server
+            .post('/authenticate')
+            .send({
+                username: 'totpnonceuser',
+                password: 'totpsecretvalue',
+                token: true
+            })
+            .expect(200);
+
+        expect(response.body.success).to.be.true;
+        expect(response.body.id).to.equal(user);
+        expect(response.body.require2fa).to.deep.equal(['totp']);
+        expect(response.body.token).to.match(/^[0-9a-f]{40}$/);
+        expect(response.body.totpNonce).to.match(/^[0-9a-f]{40}$/);
+
+        accessToken = response.body.token;
+        totpNonce = response.body.totpNonce;
+    });
+
+    it('should POST /users/{user}/2fa/totp/check expect success', async () => {
+        const response = await server
+            .post(`/users/${user}/2fa/totp/check?accessToken=${accessToken}`)
+            .send({
+                token: speakeasy.totp({
+                    secret: seed,
+                    encoding: 'base32'
+                }),
+                totpNonce
+            })
+            .expect(200);
+
+        expect(response.body.success).to.be.true;
+    });
+
+    it('should POST /users/{user}/2fa/totp/check expect failure / reject reused totpNonce', async () => {
+        const response = await server
+            .post(`/users/${user}/2fa/totp/check?accessToken=${accessToken}`)
+            .send({
+                token: speakeasy.totp({
+                    secret: seed,
+                    encoding: 'base32'
+                }),
+                totpNonce
+            })
+            .expect(403);
+
+        expect(response.body.code).to.equal('InvalidTotpNonce');
+    });
+});
