Fixed issue/request #705

Added a config option to disable time drifted totp codes. Default is false, since this is what the RFC recommends.
2025-10-25 08:10:38 +03:00 · 2019-11-07 17:11:29 +01:00
parent 9ff577a7b4
commit 3f6809bcdf
3 changed files with 22 additions and 2 deletions
--- a/.env.template
+++ b/.env.template
@@ -140,6 +140,18 @@
 ## After that, you should be able to follow the rest of the guide linked above,
 ## ignoring the fields that ask for the values that you already configured beforehand.

+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+## 
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
+
 ## Rocket specific settings, check Rocket documentation to learn more
 # ROCKET_ENV=staging
 # ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app