From 7476abe8b5f62c02123aefa1a79d38f43d154fc7 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Mon, 4 Nov 2024 09:25:26 +0100
Subject: [PATCH] Catch OTP errors

---
 server/core/helpers/otp.ts | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/server/core/helpers/otp.ts b/server/core/helpers/otp.ts
index 673a043f6..814c76c10 100644
--- a/server/core/helpers/otp.ts
+++ b/server/core/helpers/otp.ts
@@ -1,6 +1,7 @@
-import { Secret, TOTP } from 'otpauth'
 import { CONFIG } from '@server/initializers/config.js'
 import { WEBSERVER } from '@server/initializers/constants.js'
+import { Secret, TOTP } from 'otpauth'
+import { logger } from './logger.js'
 import { decrypt } from './peertube-crypto.js'
 
 async function isOTPValid (options: {
@@ -9,22 +10,28 @@ async function isOTPValid (options: {
 }) {
   const { token, encryptedSecret } = options
 
-  const secret = await decrypt(encryptedSecret, CONFIG.SECRETS.PEERTUBE)
+  try {
+    const secret = await decrypt(encryptedSecret, CONFIG.SECRETS.PEERTUBE)
 
-  const totp = new TOTP({
-    ...baseOTPOptions(),
+    const totp = new TOTP({
+      ...baseOTPOptions(),
 
-    secret
-  })
+      secret
+    })
 
-  const delta = totp.validate({
-    token,
-    window: 1
-  })
+    const delta = totp.validate({
+      token,
+      window: 1
+    })
 
-  if (delta === null) return false
+    if (delta === null) return false
 
-  return true
+    return true
+  } catch (err) {
+    logger.error('Cannot decrypt/validate OTP', { err })
+
+    return false
+  }
 }
 
 function generateOTPSecret (email: string) {
@@ -42,8 +49,7 @@ function generateOTPSecret (email: string) {
 }
 
 export {
-  isOTPValid,
-  generateOTPSecret
+  generateOTPSecret, isOTPValid
 }
 
 // ---------------------------------------------------------------------------