lowered the default mfa duration and reorganized internal record pre/post handling

2026-04-26 16:32:07 +03:00
parent 37b258810a
commit 555a4f1a1e
10 changed files with 107 additions and 69 deletions
--- a/core/otp_model.go
+++ b/core/otp_model.go
@@ -3,8 +3,10 @@ package core
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"

+	"github.com/pocketbase/pocketbase/tools/hook"
 	"github.com/pocketbase/pocketbase/tools/types"
 )

@@ -124,4 +126,29 @@ func (app *BaseApp) registerOTPHooks() {
 			app.Logger().Warn("Failed to delete expired OTP sessions", "error", err)
 		}
 	})
+
+	// delete all record OTPs on tokenKey change to minimize the risk of hijacking attacks
+	app.OnRecordUpdateExecute().Bind(&hook.Handler[*RecordEvent]{
+		Func: func(e *RecordEvent) error {
+			err := e.Next()
+			if err != nil || !e.Record.Collection().IsAuth() {
+				return err
+			}
+
+			if e.Record.Original().TokenKey() != e.Record.TokenKey() {
+				err := e.App.DeleteAllOTPsByRecord(e.Record)
+				if err != nil {
+					return fmt.Errorf(
+						"[%s] failed to delete all previos OTPs for record %q: %w",
+						e.Record.Collection().Name,
+						e.Record.Id,
+						err,
+					)
+				}
+			}
+
+			return nil
+		},
+		Priority: 99,
+	})
 }