replace yubikeyotp to avoid form-data cve

Signed-off-by: si458 <simonsmith5521@gmail.com>
2025-11-07 04:42:54 -05:00 · 2025-09-09 15:38:57 +01:00
parent 4bff9f1788
commit 6bcf39610a
5 changed files with 11 additions and 18 deletions
--- a/webserver.js
+++ b/webserver.js
@@ -1073,10 +1073,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF

            // If we have a match, check the OTP
            if (match === true) {
-                var yubikeyotp = require('yubikeyotp');
-                var request = { otp: token, id: domain.yubikey.id, key: domain.yubikey.secret, timestamp: true }
-                if (domain.yubikey.proxy) { request.requestParams = { proxy: domain.yubikey.proxy }; }
-                yubikeyotp.verifyOTP(request, function (err, results) {
+                var yub = require('yub');
+                yub.init(domain.yubikey.id, domain.yubikey.secret);
+                yub.verify(token, function (err, results) {
                    if ((results != null) && (results.status == 'OK')) {
                        parent.debug('web', 'checkUserOneTimePassword: success (Yubikey).');
                        func(true, { twoFactorType: 'hwotp' });