Revert "pikvm/pikvm#1459: TOTP valid_window=5"

mdevaev · mdevaev · commit da4da975ef54 · 2025-01-15T02:49:10.000+02:00
This reverts commit b6c73ac.
diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
@@ -370,7 +370,6 @@ def _get_config_scheme() -> dict:
                 },
 
                 "totp": {
-                    "valid_window": Option(1, type=functools.partial(valid_number, min=0, max=5)),
                     "secret": {
                         "file": Option("/etc/kvmd/totp.secret", type=valid_abs_path, if_empty=""),
                     },
diff --git a/kvmd/apps/kvmd/__init__.py b/kvmd/apps/kvmd/__init__.py
@@ -86,7 +86,6 @@ def main(argv: (list[str] | None)=None) -> None:
             external_kwargs=(config.auth.external._unpack(ignore=["type"]) if config.auth.external.type else {}),
 
             totp_secret_path=config.auth.totp.secret.file,
-            totp_valid_window=config.auth.totp.valid_window,
         ),
         info_manager=InfoManager(global_config),
         log_reader=(LogReader() if config.log_reader.enabled else None),
diff --git a/kvmd/apps/kvmd/auth.py b/kvmd/apps/kvmd/auth.py
@@ -34,7 +34,7 @@
 
 
 # =====
-class AuthManager:  # pylint: disable=too-many-instance-attributes
+class AuthManager:
     def __init__(
         self,
         enabled: bool,
@@ -47,7 +47,6 @@ def __init__(
         external_type: str,
         external_kwargs: dict,
 
-        totp_valid_window: int,
         totp_secret_path: str,
     ) -> None:
 
@@ -71,7 +70,6 @@ def __init__(
             self.__external_service = get_auth_service_class(external_type)(**external_kwargs)
             get_logger().info("Using external auth service %r", self.__external_service.get_plugin_name())
 
-        self.__totp_valid_window = totp_valid_window
         self.__totp_secret_path = totp_secret_path
 
         self.__tokens: dict[str, str] = {}  # {token: user}
@@ -97,7 +95,7 @@ async def authorize(self, user: str, passwd: str) -> bool:
                 secret = file.read().strip()
             if secret:
                 code = passwd[-6:]
-                if not pyotp.TOTP(secret).verify(code, valid_window=self.__totp_valid_window):
+                if not pyotp.TOTP(secret).verify(code):
                     get_logger().error("Got access denied for user %r by TOTP", user)
                     return False
                 passwd = passwd[:-6]
diff --git a/testenv/tests/apps/kvmd/test_auth.py b/testenv/tests/apps/kvmd/test_auth.py
@@ -69,7 +69,6 @@ async def _get_configured_manager(
         external_type=("htpasswd" if external_path else ""),
         external_kwargs=(_make_service_kwargs(external_path) if external_path else {}),
 
-        totp_valid_window=0,
         totp_secret_path="",
     )
 
@@ -201,7 +200,6 @@ async def test_ok__disabled() -> None:
             external_type="",
             external_kwargs={},
 
-            totp_valid_window=0,
             totp_secret_path="",
         )
 

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,6 @@ async def _get_configured_manager(`
`69`	`69`	`external_type=("htpasswd" if external_path else ""),`
`70`	`70`	`external_kwargs=(_make_service_kwargs(external_path) if external_path else {}),`
`71`	`71`
`72`		`- totp_valid_window=0,`
`73`	`72`	`totp_secret_path="",`
`74`	`73`	`)`
`75`	`74`
`@@ -201,7 +200,6 @@ async def test_ok__disabled() -> None:`
`201`	`200`	`external_type="",`
`202`	`201`	`external_kwargs={},`
`203`	`202`
`204`		`- totp_valid_window=0,`
`205`	`203`	`totp_secret_path="",`
`206`	`204`	`)`
`207`	`205`