Potential vulnerability to timing attacks in 2FA recovery code and TOTP verification
Similar to #105 (closed), but unreleated to database queries.
Recovery codes are currently verified by simple comparisons of stored hashes and hashed user input (hashed with crypt in this case). The codes have a relativly low entropy (64 bits), but the (salted) hashing and the heavly applied rate-limiting probably makes attacks difficult/impossible.
TOTP codes are currently verified by simple comparisons of the computed codes and the user input. Since the codes are very short-lived and the rate-limiting applies here too, attacks are probably not possible. On the other hand, the codes are derived from a constant secret with SHA1 (to my knowledge there are no preimage attacks on SHA1).
Not sure about the impact, but this should be very easy to fix.