From a628358c9f0590b8b0d61a68c9c71f6ef225f118 Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Mon, 6 May 2024 15:02:14 -0400
Subject: [PATCH] Fix OTP time window
---
 package-lock.json | 1 -
 package.json | 1 -
 packages/backend/src/services/auth/OTPService.js | 8 ++++++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index f3e5b6a2..5f13df72 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,7 +13,6 @@
 "packages/*"
 ],
 "dependencies": {
- "otpauth": "9.2.4",
 "uuid": "^9.0.1"
 },
 "devDependencies": {
diff --git a/package.json b/package.json
index 5bbe3a17..203820aa 100644
--- a/package.json
+++ b/package.json
@@ -43,7 +43,6 @@
 ]
 },
 "dependencies": {
- "otpauth": "9.2.4",
 "uuid": "^9.0.1"
 }
 }
diff --git a/packages/backend/src/services/auth/OTPService.js b/packages/backend/src/services/auth/OTPService.js
index e11f3baf..4d14dcb4 100644
--- a/packages/backend/src/services/auth/OTPService.js
+++ b/packages/backend/src/services/auth/OTPService.js
@@ -48,8 +48,12 @@ class OTPService extends BaseService {
 secret,
 });
- const ok = totp.validate({ token: code });
- return ok;
+ const allowed = [-1, 0, 1];
+
+ const delta = totp.validate({ token: code });
+ if ( delta === null ) return false;
+ if ( ! allowed.includes(delta) ) return false;
+ return true;
 }
 gen_otp_secret_ () {
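Review bot: The accepted drift in the OTPService.js hunk is enforced only by filtering the returned delta against `allowed`, while `totp.validate({ token: code })` still runs with whatever window the library defaults to. Passing the tolerance into the call, `const delta = totp.validate({ token: code, window: 1 });`, states the security-relevant limit where the comparison happens and keeps it from shifting silently if that default changes. A short comment such as `// validate() returns the step delta (0 = current step) or null on mismatch, so test for null, not truthiness` would record why the earlier `return ok` was presumably rejecting codes from the current step. Separately, nothing in this hunk remembers the last accepted step, so unless the caller tracks it a code stays reusable for the rest of its window; RFC 6238 asks the verifier to refuse a second use of an accepted OTP. The enclosing method and the TOTP constructor options begin above the hunk, so the configured period and the type of `code` are not visible here.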