From 846c03f154ff9953641628e33632f4ba951b8bf9 Mon Sep 17 00:00:00 2001
From: Pascal de Bruijn
Date: Wed, 7 Sep 2022 14:23:34 +0200
Subject: [PATCH] models/user.py: add non-zero valid_window to totp.verify

PyOTP's totp.verify defaults to the valid_window of zero, which means it will reject valid codes, if submitted just past the 30 sec window. It also means, users will run into authentication issues very quickly if their phones time-sync isn't perfect. Therefore valid_window should at the very least be 1 or more, settting it higher trades security for robustness, especially with regard to time desync issues.
---
 powerdnsadmin/models/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/powerdnsadmin/models/user.py b/powerdnsadmin/models/user.py
index 2f8b87c..228f8f3 100644
--- a/powerdnsadmin/models/user.py
+++ b/powerdnsadmin/models/user.py
@@ -94,7 +94,7 @@ class User(db.Model):
 def verify_totp(self, token):
 totp = pyotp.TOTP(self.otp_secret)
- return totp.verify(token)
+ return totp.verify(token, valid_window = 5)
 def get_hashed_password(self, plain_text_password=None):
 # Hash a password for the first time
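Review bot: The added `valid_window = 5` makes verify_totp accept codes from five 30-second steps on either side of the current one, so each code stays usable for roughly five and a half minutes, and since nothing in the method records the last accepted code, a code that has already been used remains accepted for the rest of that span. RFC 6238 recommends tolerating at most one step of drift, so a smaller value such as `return totp.verify(token, valid_window=1)`, ideally read from a configuration setting rather than hard-coded, would keep most of the robustness the commit message asks for. Whatever window is chosen, persisting the time step of the last successfully verified code and rejecting anything at or before it is the usual way to prevent reuse within the window. As a point of style, PEP 8 writes keyword arguments without spaces around `=`. verify_totp is complete within the hunk; get_hashed_password continues past it.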