feat(labrinth): totp skew (#2887)

apps/labrinth/src/routes/internal/flows.rs

@@ -1678,26 +1678,26 @@ async fn validate_2fa_code(
             .map_err(|_| AuthenticationError::InvalidCredentials)?,
     )
     .map_err(|_| AuthenticationError::InvalidCredentials)?;
-    let token = totp
-        .generate_current()
-        .map_err(|_| AuthenticationError::InvalidCredentials)?;
 
     const TOTP_NAMESPACE: &str = "used_totp";
     let mut conn = redis.connect().await?;
 
     // Check if TOTP has already been used
     if conn
-        .get(TOTP_NAMESPACE, &format!("{}-{}", token, user_id.0))
+        .get(TOTP_NAMESPACE, &format!("{}-{}", input, user_id.0))
         .await?
         .is_some()
     {
         return Err(AuthenticationError::InvalidCredentials);
     }
 
-    if input == token {
+    if totp
+        .check_current(input.as_str())
+        .map_err(|_| AuthenticationError::InvalidCredentials)?
+    {
         conn.set(
             TOTP_NAMESPACE,
-            &format!("{}-{}", token, user_id.0),
+            &format!("{}-{}", input, user_id.0),
             "",
             Some(60),
         )