You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Below is a summary of compliance checks for this PR:
Security Compliance
⚪
Backup code handling
Description: Backup codes are only replaced with null upon use and the entire array is re-encrypted, potentially leaving unused plaintext-like null placeholders and not rotating the encryption key or re-randomizing structure, which could aid traffic analysis; consider removing consumed entries entirely and enforcing rate-limiting on backup code attempts. next-auth-options.ts [123-156]
Referred Code
thrownewError(ErrorCode.IncorrectEmailPassword);}constisCorrectPassword=awaitverifyPassword(credentials.password,user.password);if(!isCorrectPassword){thrownewError(ErrorCode.IncorrectEmailPassword);}}if(user.twoFactorEnabled&&credentials.backupCode){if(!process.env.CALENDSO_ENCRYPTION_KEY){console.error("Missing encryption key; cannot proceed with backup code login.");thrownewError(ErrorCode.InternalServerError);}if(!user.backupCodes)thrownewError(ErrorCode.MissingBackupCodes);constbackupCodes=JSON.parse(symmetricDecrypt(user.backupCodes,process.env.CALENDSO_ENCRYPTION_KEY));// check if user-supplied code matches one
... (clipped13lines)
Backup code reuse risk
Description: Disabling 2FA via backup code does not consume a single-use code and instead clears all codes after disabling, enabling unlimited retry attempts on the same code during this flow; add rate limiting and consume the code upon successful verification. disable.ts [47-66]
Referred Code
// if user has 2fa and using backup codeif(user.twoFactorEnabled&&req.body.backupCode){if(!process.env.CALENDSO_ENCRYPTION_KEY){console.error("Missing encryption key; cannot proceed with backup code login.");thrownewError(ErrorCode.InternalServerError);}if(!user.backupCodes){returnres.status(400).json({error: ErrorCode.MissingBackupCodes});}constbackupCodes=JSON.parse(symmetricDecrypt(user.backupCodes,process.env.CALENDSO_ENCRYPTION_KEY));// check if user-supplied code matches oneconstindex=backupCodes.indexOf(req.body.backupCode.replaceAll("-",""));if(index===-1){returnres.status(400).json({error: ErrorCode.IncorrectBackupCode});}// we delete all stored backup codes at the end, no need to do this here
Ticket Compliance
⚪
🎫 No ticket provided
Create ticket/issue
Codebase Duplication Compliance
⚪
Codebase context is not defined
Follow the guide to enable codebase context checks.
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting
Status: Passed
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.
Status: Passed
⚪
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.
Status: Missing audit log: New critical actions around disabling 2FA and using backup codes lack explicit audit logging in the added code.
Referred Code
// if user has 2fa and using backup codeif(user.twoFactorEnabled&&req.body.backupCode){if(!process.env.CALENDSO_ENCRYPTION_KEY){console.error("Missing encryption key; cannot proceed with backup code login.");thrownewError(ErrorCode.InternalServerError);}if(!user.backupCodes){returnres.status(400).json({error: ErrorCode.MissingBackupCodes});}constbackupCodes=JSON.parse(symmetricDecrypt(user.backupCodes,process.env.CALENDSO_ENCRYPTION_KEY));// check if user-supplied code matches oneconstindex=backupCodes.indexOf(req.body.backupCode.replaceAll("-",""));if(index===-1){returnres.status(400).json({error: ErrorCode.IncorrectBackupCode});}// we delete all stored backup codes at the end, no need to do this here
... (clipped41lines)
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation
Status: Env key assumption: The setup handler uses encryption without validating the presence of the required encryption key before encrypting backup codes, which may fail at runtime if the key is unset.
Referred Code
// generate backup codes with 10 character lengthconstbackupCodes=Array.from(Array(10),()=>crypto.randomBytes(5).toString("hex"));awaitprisma.user.update({where: {id: session.user.id,},data: {backupCodes: symmetricEncrypt(JSON.stringify(backupCodes),process.env.CALENDSO_ENCRYPTION_KEY),twoFactorEnabled: false,twoFactorSecret: symmetricEncrypt(secret,process.env.CALENDSO_ENCRYPTION_KEY),},});constname=user.email||user.username||user.id.toString();constkeyUri=authenticator.keyuri(name,"Cal",secret);constdataUri=awaitqrcode.toDataURL(keyUri);returnres.json({ secret, keyUri, dataUri, backupCodes });}
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.
Status: Generic console error: A console.error message is added for missing encryption key without structured logging and may bypass centralized secure logging practices.
Referred Code
if(!process.env.CALENDSO_ENCRYPTION_KEY){console.error("Missing encryption key; cannot proceed with backup code login.");thrownewError(ErrorCode.InternalServerError);}
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities
Status: Backup code handling: Backup codes are decrypted and processed from credentials without explicit input validation beyond simple formatting and rely on env key presence, requiring verification of rate limiting and sanitization at this layer.
Referred Code
if(user.twoFactorEnabled&&credentials.backupCode){if(!process.env.CALENDSO_ENCRYPTION_KEY){console.error("Missing encryption key; cannot proceed with backup code login.");thrownewError(ErrorCode.InternalServerError);}if(!user.backupCodes)thrownewError(ErrorCode.MissingBackupCodes);constbackupCodes=JSON.parse(symmetricDecrypt(user.backupCodes,process.env.CALENDSO_ENCRYPTION_KEY));// check if user-supplied code matches oneconstindex=backupCodes.indexOf(credentials.backupCode.replaceAll("-",""));if(index===-1)thrownewError(ErrorCode.IncorrectBackupCode);// delete verified backup code and re-encrypt remainingbackupCodes[index]=null;awaitprisma.user.update({where: {id: user.id,
... (clipped6lines)
Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
const backupCodes = JSON.parse(symmetricDecrypt(user.backupCodes, process.env.CALENDSO_ENCRYPTION_KEY));
-// check if user-supplied code matches one-const index = backupCodes.indexOf(req.body.backupCode.replaceAll("-", ""));-if (index === -1) {+// check if user-supplied code matches one in constant time to prevent timing attacks+const userCode = req.body.backupCode.replaceAll("-", "");+const match = backupCodes.some((code: string | null) => {+ if (!code || code.length !== userCode.length) {+ return false;+ }+ let result = 0;+ for (let i = 0; i < code.length; i++) {+ result |= code.charCodeAt(i) ^ userCode.charCodeAt(i);+ }+ return result === 0;+});++if (!match) {
return res.status(400).json({ error: ErrorCode.IncorrectBackupCode });
}
// we delete all stored backup codes at the end, no need to do this here
Apply / Chat
Suggestion importance[1-10]: 8
__
Why: The suggestion correctly identifies a potential timing attack vulnerability and proposes a standard mitigation using a constant-time comparison, which is a security best practice.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
PR #2
PR Type
Enhancement
Description
Add backup codes feature for two-factor authentication recovery
Generate and display 10 backup codes during 2FA setup with download/copy options
Allow users to disable 2FA or login using backup codes when authenticator unavailable
Store encrypted backup codes in database and validate during authentication
Add UI components and error handling for backup code workflows
Diagram Walkthrough
File Walkthrough
10 files
New backup code input componentAdd autoFocus prop to TwoFactor componentAdd backup code support to disable 2FA modalAdd backup codes display and download functionalityUpdate disable API to accept backup code parameterAdd backup code validation for disabling 2FAGenerate and return backup codes during 2FA setupAdd backup code login option with lost access flowAdd backup code error codesAdd backup code authentication logic to credentials provider2 files
Add backup code download and copy testsAdd backupCodes field to test user builder1 files
Add backup code related translation strings2 files
Add backupCodes column to users tableAdd backupCodes field to User model1 files
Add tabIndex to password visibility toggle button