
[WIP] Totp Active Scan Rules

Open AliceMilshtein opened this issue 8 months ago • 9 comments

Overview

Briefly describe the purpose, goals, and changes or improvements made in this pull request.

Related Issues

Specify any related issues or pull requests by linking to them.

Checklist

  • [ ] Update help
  • [ ] Update changelog
  • [ ] Run ./gradlew spotlessApply for code formatting
  • [ ] Write tests
  • [ ] Check code coverage
  • [ ] Sign-off commits
  • [ ] Squash commits
  • [ ] Use a descriptive title

For more details, please refer to the developer rules and guidelines.

AliceMilshtein, Mar 07 '25 14:03

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

github-actions[bot], Mar 07 '25 14:03

Checkmarx One – Scan Summary & Details 872bcac0-8b30-474d-b823-2d6ff9d08ebb

Great job, no security vulnerabilities found in this Pull Request

psiinon, Mar 07 '25 15:03

The build is failing due to formatting issues. Run ./gradlew :addOns:ascanrulesAlpha:spotlessApply to fix these violations.

psiinon, Mar 28 '25 11:03

I have read the CLA Document and I hereby sign the CLA

AliceMilshtein, May 07 '25 04:05

I haven't had a detailed look but I did notice that some new classes have 2023 license headers :wink:

kingthorin, May 07 '25 11:05

Just started playing with the examples in the dev add-on :) They are all under /api/openapi which is really for OpenAPI related content. I think they would make more sense being under something like /auth, /auth/totp or /totp.

psiinon, May 09 '25 15:05

I also noticed that in many (all) cases pressing RETURN did not submit the TOTP token. Was that deliberate? Most reasonable web apps I've used do accept RETURN as submit, but I can definitely see the point of having some that don't work in that way.

psiinon, May 09 '25 15:05

@AliceMilshtein this PR still has conflicts

psiinon, Jun 06 '25 08:06

I fixed the conflict locally and had a go with the test apps. ~~With http://localhost:9091/auth/totp/simple-auth-otp-blank-code-vuln/ I submitted the creds but got an error logged: /~~ Ignore that - I hadn't updated the authhelper 😁

psiinon, Jun 06 '25 13:06