From 919c37d1f9b5c08772f9f458a2fd58c0e082bae2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Sun, 18 May 2025 22:44:43 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=B8=A4=E6=AD=A5=E9=AA=8C=E8=AF=81?=
 =?UTF-8?q?=E7=AE=97=E6=B3=95=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/data/user.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/internal/data/user.go b/internal/data/user.go
index defe618a..b57c5bf8 100644
--- a/internal/data/user.go
+++ b/internal/data/user.go
@@ -3,6 +3,7 @@ package data
 import (
 	"errors"
 	"image"
+	"time"
 
 	"github.com/go-rat/utils/hash"
 	"github.com/leonelquinteros/gotext"
@@ -165,8 +166,14 @@ func (r *userRepo) UpdateTwoFA(id uint, code, secret string) error {
 	}
 
 	// 保存前先验证一次,防止错误开启
-	if secret != "" && !totp.Validate(code, secret) {
-		return errors.New(r.t.Get("invalid 2FA code"))
+	if secret != "" {
+		if valid, _ := totp.ValidateCustom(code, secret, time.Now().UTC(), totp.ValidateOpts{
+			Skew: 1,
+			Digits: otp.DigitsSix,
+			Algorithm: otp.AlgorithmSHA256,
+		}); !valid {
+			return errors.New(r.t.Get("invalid 2FA code"))
+		}
 	}
 
 	user.TwoFA = secret
@@ -183,7 +190,11 @@ func (r *userRepo) CheckTwoFA(id uint, code string) (bool, error) {
 		return true, nil // 未开启2FA,无需验证
 	}
 
-	if !totp.Validate(code, user.TwoFA) {
+	if valid, _ := totp.ValidateCustom(code, user.TwoFA, time.Now().UTC(), totp.ValidateOpts{
+		Skew: 1,
+		Digits: otp.DigitsSix,
+		Algorithm: otp.AlgorithmSHA256,
+	}); !valid {
 		return false, errors.New(r.t.Get("invalid 2FA code"))
 	}
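Review bot: The `totp.ValidateOpts{Skew: 1, Digits: otp.DigitsSix, Algorithm: otp.AlgorithmSHA256}` literal added in UpdateTwoFA is repeated verbatim in the CheckTwoFA hunk below, and both call sites discard the error from `totp.ValidateCustom` with `valid, _ :=`. These options are the verification contract that must match whatever generates the secret (the commit title "fix: 两步验证算法错误" suggests the algorithm has already drifted once), so they belong in one package-level value, and a non-nil error (undecodable stored secret, wrong code length) should at least be distinguishable from a plain mismatch so it can be logged rather than folded into the same user-facing message. A shared helper used by both methods addresses both; a sketch follows. Note also that `ValidateCustom` accepts the same code for the whole skew window, so if single-use codes are required that has to be enforced by the caller with state not visible in this hunk. UpdateTwoFA's body begins before this hunk and CheckTwoFA's continues past the end of the patch as shown.
```go
// twoFAValidateOpts must match the options used when the secret is generated;
// keeping it in one place prevents the enrollment and verification paths from drifting.
var twoFAValidateOpts = totp.ValidateOpts{
	Skew:      1,
	Digits:    otp.DigitsSix,
	Algorithm: otp.AlgorithmSHA256,
}

// validateTwoFA reports whether code is valid for secret at the current time.
// The error from ValidateCustom is returned so the caller can log a malformed
// secret or code separately from an ordinary mismatch.
func validateTwoFA(code, secret string) (bool, error) {
	return totp.ValidateCustom(code, secret, time.Now().UTC(), twoFAValidateOpts)
}

// … unchanged: UpdateTwoFA loads the user …
	if secret != "" {
		if valid, err := validateTwoFA(code, secret); err != nil || !valid {
			return errors.New(r.t.Get("invalid 2FA code"))
		}
	}
```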