gitea/routers/web/auth
Nicolas c0c11c551c fix: enforce single-use TOTP passcodes across all 2FA surfaces
The web 2FA login and password-reset paths validated the passcode and then
wrote LastUsedPasscode in a non-atomic read-check-write sequence, so two
parallel submissions of the same code could each authenticate (TOCTOU). The
Basic-Auth X-Gitea-OTP path never recorded the used passcode at all, letting
a captured code be replayed for its whole validity window.

Add TwoFactor.ValidateAndConsumeTOTP, which validates and atomically marks
the passcode used via a conditional UPDATE (rejecting replays and racing
duplicates), and route the web login, password-reset, and Basic-Auth paths
through it.

Assisted-by: Claude:claude-opus-4-8
2026-06-13 18:38:06 +02:00
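The validate-then-consume pattern the commit describes, as an added example that is not Gitea's own ValidateAndConsumeTOTP (that code is not on this page): a minimal RFC 6238 TOTP check followed by the conditional UPDATE that makes consumption atomic, with SQLite standing in for Gitea's database. The table and column names, the secret and the fixed clock are constructed for the demo.

```python
import hashlib, hmac, os, sqlite3, struct, tempfile, threading

SECRET = b"constructed-demo-secret"  # constructed sample; real secrets are random per user

def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def validate_and_consume(path: str, uid: int, passcode: str, now: int) -> bool:
    """True only if passcode is valid AND this call is the one that consumed it."""
    db = sqlite3.connect(path, timeout=5)  # busy timeout lets racing writers queue up
    try:
        rows = db.execute("SELECT secret FROM two_factor WHERE uid = ?", (uid,)).fetchall()
        # accept the current 30 s step plus one step of clock skew either side
        if not rows or not any(hmac.compare_digest(passcode, totp(rows[0][0], now + d))
                               for d in (-30, 0, 30)):
            return False
        # Atomic consume: the WHERE clause turns the UPDATE into a compare-and-set,
        # so of several racing submissions of one code only one sees rowcount == 1.
        cur = db.execute("UPDATE two_factor SET last_used_passcode = ? WHERE uid = ? "
                         "AND (last_used_passcode IS NULL OR last_used_passcode <> ?)",
                         (passcode, uid, passcode))
        db.commit()
        return cur.rowcount == 1
    finally:
        db.close()

def race(path: str, uid: int, passcode: str, now: int, n: int = 8) -> int:
    """Submit the same passcode from n threads at once; return how many were accepted."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(
        validate_and_consume(path, uid, passcode, now))) for _ in range(n)]
    for th in threads: th.start()
    for th in threads: th.join()
    return sum(results)

def demo() -> tuple:
    """(accepted in race, later replay accepted) against a fresh single-user store."""
    fd, path = tempfile.mkstemp(suffix=".db"); os.close(fd)
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE two_factor (uid INTEGER PRIMARY KEY, secret BLOB, last_used_passcode TEXT)")
    db.execute("INSERT INTO two_factor VALUES (1, ?, NULL)", (SECRET,)); db.commit(); db.close()
    now = 1_700_000_000  # constructed fixed clock so the run is deterministic
    code = totp(SECRET, now)
    try:
        return race(path, 1, code, now), validate_and_consume(path, 1, code, now)
    finally:
        os.unlink(path)
```

A read-check-write sequence in application code would let every racing thread pass; here the database's row lock decides, and the later replay fails because the stored last_used_passcode already equals the submitted code.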