diff --git a/src/Identity/IdentityServer/BaseRequestValidator.cs b/src/Identity/IdentityServer/BaseRequestValidator.cs
index 3e35cb5335..97b4783b74 100644
--- a/src/Identity/IdentityServer/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/BaseRequestValidator.cs
@@ -147,26 +147,20 @@ public abstract class BaseRequestValidator where T : class
 var verified = await VerifyTwoFactor(user, twoFactorOrganization, twoFactorProviderType, twoFactorToken);
- var cacheKey = "TOTP_" + user.Email;
+ var cacheKey = "TOTP_" + user.Email + "_" + twoFactorToken;
 var isOtpCached = Core.Utilities.DistributedCacheExtensions.TryGetValue(_distributedCache, cacheKey, out string _);
- if (isOtpCached)
+ if (!verified || isBot || isOtpCached)
 {
- await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
- return;
- }
-
- if ((!verified || isBot) && twoFactorProviderType != TwoFactorProviderType.Remember)
- {
- await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice);
- await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
- return;
- }
- else if ((!verified || isBot) && twoFactorProviderType == TwoFactorProviderType.Remember)
- {
- // Delay for brute force.
- await Task.Delay(2000);
- await BuildTwoFactorResultAsync(user, twoFactorOrganization, context);
+ if (twoFactorProviderType != TwoFactorProviderType.Remember)
+ {
+ await UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice);
+ await BuildErrorResultAsync("Two-step token is invalid. Try again.", true, context, user);
+ }
+ else if (twoFactorProviderType == TwoFactorProviderType.Remember)
+ {
+ await BuildTwoFactorResultAsync(user, twoFactorOrganization, context);
+ }
 return;
 }
 await Core.Utilities.DistributedCacheExtensions.SetAsync(_distributedCache, cacheKey, twoFactorToken, _cacheEntryOptions);
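Review bot: A rejected Remember token now falls straight through to `BuildTwoFactorResultAsync` with neither the failed-attempt bookkeeping nor the 2-second delay that the removed `// Delay for brute force.` branch applied, so as far as this hunk shows a wrong, bot-flagged or replayed remember token costs the caller nothing. If throttling has deliberately moved elsewhere, the `else` branch should carry a comment such as `// Remember tokens: no failed-auth accounting here; throttling is enforced upstream — confirm`; otherwise the `UpdateFailedAuthDetailsAsync(user, true, !validatorContext.KnownDevice)` call belongs in both branches. Separately, `TryGetValue` followed later by `SetAsync` is a check-then-act against a distributed cache, so two concurrent requests carrying the same one-time code can both pass the replay check; an atomic set-if-absent on the cache would close that window if the backend offers one. The `else if (twoFactorProviderType == TwoFactorProviderType.Remember)` is the exact complement of the preceding `if` and reads better as a plain `else`. The enclosing method starts and ends outside this hunk.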