ghost 6.0.5 → 6.0.7

package/core/server/services/members/SingleUseTokenProvider.js

@@ -1,5 +1,16 @@
 // @ts-check
 const {ValidationError} = require('@tryghost/errors');
+const tpl = require('@tryghost/tpl');
+const crypto = require('node:crypto');
+const {hotp} = require('otplib');
+
+const messages = {
+    OTC_SECRET_NOT_CONFIGURED: 'OTC secret not configured',
+    INVALID_OTC_VERIFICATION_HASH: 'Invalid OTC verification hash',
+    INVALID_TOKEN: 'Invalid token provided',
+    TOKEN_EXPIRED: 'Token expired',
+    DERIVE_OTC_MISSING_INPUT: 'tokenId and tokenValue are required'
+};
 
 class SingleUseTokenProvider {
     /**
@@ -8,12 +19,14 @@ class SingleUseTokenProvider {
      * @param {number} dependencies.validityPeriod - How long a token is valid for from it's creation in milliseconds.
      * @param {number} dependencies.validityPeriodAfterUsage - How long a token is valid after first usage, in milliseconds.
      * @param {number} dependencies.maxUsageCount - How many times a token can be used.
+     * @param {string} [dependencies.secret] - Secret for generating and verifying OTP codes.
      */
-    constructor({SingleUseTokenModel, validityPeriod, validityPeriodAfterUsage, maxUsageCount}) {
+    constructor({SingleUseTokenModel, validityPeriod, validityPeriodAfterUsage, maxUsageCount, secret}) {
         this.model = SingleUseTokenModel;
         this.validityPeriod = validityPeriod;
         this.validityPeriodAfterUsage = validityPeriodAfterUsage;
         this.maxUsageCount = maxUsageCount;
+        this.secret = secret;
     }
 
     /**
@@ -39,6 +52,9 @@ class SingleUseTokenProvider {
      * If the token is invalid the returned Promise will reject.
      *
      * @param {string} token
+     * @param {Object} [options] - Optional configuration object
+     * @param {Object} [options.transacting] - Database transaction object
+     * @param {string} [options.otcVerification] - OTC verification hash for additional validation
      *
      * @returns {Promise<Object<string, any>>}
      */
@@ -52,17 +68,29 @@ class SingleUseTokenProvider {
             });
         }
 
+        if (options.otcVerification) {
+            const isValidOTCVerification = await this._validateOTCVerificationHash(options.otcVerification, token);
+            if (!isValidOTCVerification) {
+                throw new ValidationError({
+                    message: tpl(messages.INVALID_OTC_VERIFICATION_HASH),
+                    code: 'INVALID_OTC_VERIFICATION_HASH'
+                });
+            }
+        }
+
         const model = await this.model.findOne({token}, {transacting: options.transacting, forUpdate: true});
 
         if (!model) {
             throw new ValidationError({
-                message: 'Invalid token provided'
+                message: tpl(messages.INVALID_TOKEN),
+                code: 'INVALID_TOKEN'
             });
         }
 
         if (model.get('used_count') >= this.maxUsageCount) {
             throw new ValidationError({
-                message: 'Token expired'
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
             });
         }
 
@@ -75,7 +103,8 @@ class SingleUseTokenProvider {
 
             if (timeSinceFirstUsage > this.validityPeriodAfterUsage) {
                 throw new ValidationError({
-                    message: 'Token expired'
+                    message: tpl(messages.TOKEN_EXPIRED),
+                    code: 'TOKEN_EXPIRED'
                 });
             }
         }
@@ -83,7 +112,8 @@ class SingleUseTokenProvider {
 
         if (tokenLifetimeMilliseconds > this.validityPeriod) {
             throw new ValidationError({
-                message: 'Token expired'
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
             });
         }
 
@@ -106,6 +136,189 @@ class SingleUseTokenProvider {
             return {};
         }
     }
+
+    /**
+     * @private
+     * @method deriveCounter
+     * Derives a counter from a token ID and value
+     *
+     * @param {string} tokenId
+     * @param {string} tokenValue
+     * @returns {number}
+     */
+    deriveCounter(tokenId, tokenValue) {
+        const msg = `${tokenId}|${tokenValue}`;
+        const digest = crypto.createHash('sha256').update(msg).digest();
+        return digest.readUInt32BE(0);
+    }
+
+    /**
+     * @method deriveOTC
+     * Derives an OTC (one-time code) from a token ID and value
+     *
+     * @param {string} tokenId - Token ID
+     * @param {string} tokenValue - Token value
+     * @returns {string} The generated one-time code
+     */
+    deriveOTC(tokenId, tokenValue) {
+        if (!this.secret) {
+            throw new ValidationError({
+                message: tpl(messages.OTC_SECRET_NOT_CONFIGURED),
+                code: 'OTC_SECRET_NOT_CONFIGURED'
+            });
+        }
+
+        if (!tokenId || !tokenValue) {
+            throw new ValidationError({
+                message: tpl(messages.DERIVE_OTC_MISSING_INPUT),
+                code: 'DERIVE_OTC_MISSING_INPUT'
+            });
+        }
+
+        const counter = this.deriveCounter(tokenId, tokenValue);
+        return hotp.generate(this.secret, counter);
+    }
+
+    /**
+     * @method verifyOTC
+     * Verifies an OTC (one-time code) by looking up the token and performing HOTP verification
+     *
+     * @param {string} otcRef - Reference for the one-time code
+     * @param {string} otc - The one-time code to verify
+     * @returns {Promise<boolean>} Returns true if the OTC is valid, false otherwise
+     */
+    async verifyOTC(otcRef, otc) {
+        if (!this.secret || !otcRef || !otc) {
+            return false;
+        }
+
+        try {
+            const model = await this.model.findOne({id: otcRef});
+
+            if (!model) {
+                return false;
+            }
+
+            const tokenValue = model.get('token');
+            const counter = this.deriveCounter(otcRef, tokenValue);
+            return hotp.verify({token: otc, secret: this.secret, counter});
+        } catch (err) {
+            return false;
+        }
+    }
+
+    /**
+     * @method getIdByToken
+     * Retrieves the ID associated with a given token.
+     *
+     * @param {string} token - The token to look up.
+     * @returns {Promise<string|null>} The ID if found, or null if not found or on error.
+     */
+    async getIdByToken(token) {
+        try {
+            const model = await this.model.findOne({token});
+            return model ? model.get('id') : null;
+        } catch (err) {
+            return null;
+        }
+    }
+
+    /**
+     * @method getTokenByRef
+     * Retrieves the token associated with a given reference.
+     *
+     * @param {string} ref - The reference to look up.
+     * @returns {Promise<string|null>} The token if found, or null if not found or on error.
+     */
+    async getTokenByRef(ref) {
+        try {
+            const model = await this.model.findOne({id: ref});
+            return model ? model.get('token') : null;
+        } catch (err) {
+            return null;
+        }
+    }
+
+    /**
+     * @method createOTCVerificationHash
+     * Creates an OTC verification hash for a given token and one-time code.
+     *
+     * @param {string} otc - The one-time code
+     * @param {string} token - The token value
+     * @param {number} [timestamp] - Optional timestamp to use for the hash, defaults to current time
+     * @returns {string} The OTC verification hash
+     */
+    createOTCVerificationHash(otc, token, timestamp) {
+        if (!this.secret) {
+            throw new ValidationError({
+                message: tpl(messages.OTC_SECRET_NOT_CONFIGURED),
+                code: 'OTC_SECRET_NOT_CONFIGURED'
+            });
+        }
+
+        // timestamp allows us to restrict the hash's lifetime window
+        timestamp ??= Math.floor(Date.now() / 1000);
+
+        const dataToHash = `${otc}:${token}:${timestamp}`;
+
+        const secret = Buffer.from(this.secret, 'hex');
+        const hmac = crypto.createHmac('sha256', secret);
+        hmac.update(dataToHash);
+
+        return hmac.digest('hex');
+    }
+
+    /**
+     * @private
+     * @method _validateOTCVerificationHash
+     * Validates OTC verification hash by recreating and comparing the hash.
+     * Private because it's only used internally by the public validate method.
+     *
+     * @param {string} otcVerificationHash - The hash to validate (timestamp:hash format)
+     * @param {string} token - The token value
+     * @returns {Promise<boolean>} - True if hash is valid, false otherwise
+     */
+    async _validateOTCVerificationHash(otcVerificationHash, token) {
+        try {
+            if (!this.secret || !otcVerificationHash || !token) {
+                return false;
+            }
+
+            // Parse timestamp:hash format
+            const parts = otcVerificationHash.split(':');
+            if (parts.length !== 2) {
+                return false;
+            }
+
+            const timestamp = parseInt(parts[0]);
+            const providedHash = parts[1];
+
+            // Check if hash is expired (5 minute window)
+            const now = Math.floor(Date.now() / 1000);
+            const maxAge = 5 * 60; // 5 minutes in seconds
+            if (now - timestamp > maxAge) {
+                return false;
+            }
+
+            const tokenId = await this.getIdByToken(token);
+            if (!tokenId) {
+                return false;
+            }
+
+            // Derive the original OTC that was used to create this hash
+            const otc = this.deriveOTC(tokenId, token);
+
+            const expectedHash = this.createOTCVerificationHash(otc, token, timestamp);
+
+            // Compare the hashes using constant-time comparison to prevent timing attacks
+            return crypto.timingSafeEqual(
+                Buffer.from(providedHash, 'hex'),
+                Buffer.from(expectedHash, 'hex')
+            );
+        } catch (err) {
+            return false;
+        }
+    }
 }
 
 module.exports = SingleUseTokenProvider;

package/core/server/services/members/api.js

@@ -57,7 +57,8 @@ function createApiInstance(config) {
                 SingleUseTokenModel: models.SingleUseToken,
                 validityPeriod: MAGIC_LINK_TOKEN_VALIDITY,
                 validityPeriodAfterUsage: MAGIC_LINK_TOKEN_VALIDITY_AFTER_USAGE,
-                maxUsageCount: MAGIC_LINK_TOKEN_MAX_USAGE_COUNT
+                maxUsageCount: MAGIC_LINK_TOKEN_MAX_USAGE_COUNT,
+                secret: settingsCache.get('members_email_auth_secret')
             })
         },
         mail: {
@@ -75,7 +76,7 @@ function createApiInstance(config) {
                     return ghostMailer.send(msg);
                 }
             },
-            getSubject(type) {
+            getSubject(type, otc) {
                 const siteTitle = settingsCache.get('title');
                 switch (type) {
                 case 'subscribe':
@@ -88,10 +89,14 @@ function createApiInstance(config) {
                     return `📫 ${t(`Confirm your email update for {siteTitle}!`, {siteTitle, interpolation: {escapeValue: false}})}`;
                 case 'signin':
                 default:
-                    return `🔑 ${t(`Secure sign in link for {siteTitle}`, {siteTitle, interpolation: {escapeValue: false}})}`;
+                    if (otc) {
+                        return `🔑 ${t('Sign in to {siteTitle} with code {otc}', {siteTitle, otc, interpolation: {escapeValue: false}})}`;
+                    } else {
+                        return `🔑 ${t(`Secure sign in link for {siteTitle}`, {siteTitle, interpolation: {escapeValue: false}})}`;
+                    }
                 }
             },
-            getText(url, type, email) {
+            getText(url, type, email, otc) {
                 const siteTitle = settingsCache.get('title');
                 switch (type) {
                 case 'subscribe':
@@ -162,10 +167,14 @@ function createApiInstance(config) {
                         `;
                 case 'signin':
                 default:
+                    /* eslint-disable indent */
                     return trimLeadingWhitespace`
                         ${t(`Hey there,`)}
 
-                        ${t('Welcome back! Use this link to securely sign in to your {siteTitle} account:', {siteTitle, interpolation: {escapeValue: false}})}
+                        ${otc
+                            ? `${t('Your verification code for {siteTitle}', {siteTitle, interpolation: {escapeValue: false}})}: ${otc}\n\n${t('Or use this link to securely sign in', {interpolation: {escapeValue: false}})}:`
+                            : `${t('Welcome back! Use this link to securely sign in to your {siteTitle} account:', {siteTitle, interpolation: {escapeValue: false}})}`
+                        }
 
                         ${url}
 
@@ -177,10 +186,11 @@ function createApiInstance(config) {
 
                         ${t('Sent to {email}', {email})}
                         ${t('If you did not make this request, you can safely ignore this email.')}
-                        `;
+                    `;
+                    /* eslint-enable indent */
                 }
             },
-            getHTML(url, type, email) {
+            getHTML(url, type, email, otc) {
                 const siteTitle = settingsCache.get('title');
                 const siteUrl = urlUtils.urlFor('home', true);
                 const domain = urlUtils.urlFor('home', true).match(new RegExp('^https?://([^/:?#]+)(?:[/:?#]|$)', 'i'));
@@ -197,7 +207,7 @@ function createApiInstance(config) {
                     return updateEmail({t, url, email, siteTitle, accentColor, siteDomain, siteUrl});
                 case 'signin':
                 default:
-                    return signinEmail({t, url, email, siteTitle, accentColor, siteDomain, siteUrl});
+                    return signinEmail({t, url, otc, email, siteTitle, accentColor, siteDomain, siteUrl});
                 }
             }
         },

package/core/server/services/members/emails/signin.js

@@ -1,10 +1,14 @@
-module.exports = ({t, siteTitle, email, url, accentColor = '#15212A', siteDomain, siteUrl}) => `
+/* eslint-disable indent */
+module.exports = ({t, siteTitle, email, url, otc, accentColor = '#15212A', siteDomain, siteUrl}) => `
 <!doctype html>
 <html>
   <head>
     <meta name="viewport" content="width=device-width">
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-    <title>🔑 ${t('Secure sign in link for {siteTitle}', {siteTitle, interpolation: {escapeValue: false}})}</title>
+    ${otc
+        ? `<title>🔑 ${t('Sign in to {siteTitle} with code {otc}', {siteTitle, otc, interpolation: {escapeValue: false}})}</title>`
+        : `<title>🔑 ${t('Secure sign in link for {siteTitle}', {siteTitle, interpolation: {escapeValue: false}})}</title>`
+    }
     <style>
     /* -------------------------------------
         RESPONSIVE AND MOBILE FRIENDLY STYLES
@@ -107,7 +111,10 @@ module.exports = ({t, siteTitle, email, url, accentColor = '#15212A', siteDomain
           <div class="content" style="box-sizing: border-box; display: block; Margin: 0 auto; max-width: 600px; padding: 30px 20px;">
 
             <!-- START CENTERED CONTAINER -->
-            <span class="preheader" style="color: transparent; display: none; height: 0; max-height: 0; max-width: 0; opacity: 0; overflow: hidden; mso-hide: all; visibility: hidden; width: 0;">${t('Welcome back to {siteTitle}!', {siteTitle, interpolation: {escapeValue: false}})}</span>
+            <span class="preheader" style="color: transparent; display: none; height: 0; max-height: 0; max-width: 0; opacity: 0; overflow: hidden; mso-hide: all; visibility: hidden; width: 0;">${otc ? t('Welcome back to {siteTitle}! Your verification code is {otc}.', {siteTitle, otc, interpolation: {escapeValue: false}}) : t('Welcome back to {siteTitle}!', {siteTitle, interpolation: {escapeValue: false}})}</span>
+            <div style="display:none; max-height:0; overflow:hidden; mso-hide: all;" aria-hidden="true" role="presentation">
+              &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+            </div>
             <table class="main" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; background: #ffffff; border-radius: 8px;">
 
               <!-- START MAIN CONTENT AREA -->
@@ -117,7 +124,36 @@ module.exports = ({t, siteTitle, email, url, accentColor = '#15212A', siteDomain
                     <tr>
                       <td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top;">
                         <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 20px; color: #15212A; font-weight: bold; line-height: 24px; margin: 0; margin-bottom: 15px;">${t('Hey there,')}</p>
-                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 32px;">${t('Welcome back! Use this link to securely sign in to your {siteTitle} account:', {siteTitle, interpolation: {escapeValue: false}})}</p>
+                        ${otc ?
+                        `<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 24px;">${t(`Welcome back! Here's your code to sign in to {siteTitle}. For your security, it's only valid for 24 hours`, {siteTitle, interpolation: {escapeValue: false}})}:</p>
+                        <table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; box-sizing: border-box; margin-bottom: 32px;">
+                          <tbody>
+                            <tr>
+                              <td style="padding: 16px; background-color: #F4F5F6; border-radius: 8px; text-align: center; vertical-align: middle;" valign="middle">
+                                <h2 style="text-align: center; vertical-align: center; letter-spacing: 5px; font-size: 24px; color: #15212A; font-weight: 600; line-height: 24px; margin: 0;">${otc}</h2>
+                              </td>
+                            </tr>
+                          </tbody>
+                        </table>
+                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 24px;">${t('Or, skip the code and sign in directly')}:</p>
+                        <table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; box-sizing: border-box;">
+                          <tbody>
+                            <tr>
+                              <td align="center" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; vertical-align: top; padding-bottom: 35px;">
+                                <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%;">
+                                  <tbody>
+                                    <tr>
+                                      <td align="center" style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; vertical-align: top; background-color: ${accentColor}; border-radius: 5px; text-align: center;"> <a href="${url}" target="_blank" style="display: inline-block; color: #ffffff; background-color: ${accentColor}; border: solid 1px ${accentColor}; border-radius: 5px; box-sizing: border-box; cursor: pointer; text-decoration: none; font-size: 16px; font-weight: normal; margin: 0; padding: 9px 22px 10px; border-color: ${accentColor};">${t('Sign in now')}</a> </td>
+                                    </tr>
+                                  </tbody>
+                                </table>
+                              </td>
+                            </tr>
+                          </tbody>
+                        </table>
+                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 15px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px;">${t('You can also copy & paste this URL into your browser:')}:</p>`
+                        :
+                        `<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 32px;">${t('Welcome back! Use this link to securely sign in to your {siteTitle} account:', {siteTitle, interpolation: {escapeValue: false}})}</p>
                         <table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; box-sizing: border-box;">
                           <tbody>
                             <tr>
@@ -136,7 +172,8 @@ module.exports = ({t, siteTitle, email, url, accentColor = '#15212A', siteDomain
                         <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; line-height: 24px; margin: 0; margin-bottom: 11px;">${t('For your security, the link will expire in 24 hours time.')}</p>
                         <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; line-height: 24px; margin: 0; margin-bottom: 30px;">${t('See you soon!')}</p>
                         <hr/>
-                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 15px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px;">${t('You can also copy & paste this URL into your browser:')}</p>
+                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 15px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px;">${t('You can also copy & paste this URL into your browser:')}</p>`
+                        }
                         <p style="word-break: break-all; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 15px; line-height: 22px; margin-top:0; color: #3A464C;">${url}</p>
                       </td>
                     </tr>

package/core/server/services/members/members-api/controllers/RouterController.js

@@ -25,9 +25,31 @@ const messages = {
     invalidType: 'Invalid checkout type.',
     notConfigured: 'This site is not accepting payments at the moment.',
     invalidNewsletters: 'Cannot subscribe to invalid newsletters {newsletters}',
-    archivedNewsletters: 'Cannot subscribe to archived newsletters {newsletters}'
+    archivedNewsletters: 'Cannot subscribe to archived newsletters {newsletters}',
+    otcNotSupported: 'OTC verification not supported.',
+    invalidCode: 'Invalid verification code.',
+    failedToVerifyCode: 'Failed to verify code, please try again.'
 };
 
+// helper utility for logic shared between sendMagicLink and verifyOTC
+function extractRefererOrRedirect(req) {
+    const {autoRedirect, redirect} = req.body;
+
+    if (autoRedirect === false) {
+        return null;
+    }
+
+    if (redirect) {
+        try {
+            return new URL(redirect).href;
+        } catch (e) {
+            logging.warn(e);
+        }
+    }
+
+    return req.get('referer') || null;
+}
+
 module.exports = class RouterController {
     /**
      * RouterController
@@ -558,21 +580,10 @@ module.exports = class RouterController {
     }
 
     async sendMagicLink(req, res) {
-        const {email, honeypot, autoRedirect} = req.body;
-        let {emailType, redirect} = req.body;
+        const {email, honeypot} = req.body;
+        let {emailType} = req.body;
 
-        let referrer = req.get('referer');
-        if (autoRedirect === false){
-            referrer = null;
-        }
-        if (redirect) {
-            try {
-                // Validate URL
-                referrer = new URL(redirect).href;
-            } catch (e) {
-                logging.warn(e);
-            }
-        }
+        const referrer = extractRefererOrRedirect(req);
 
         if (!email) {
             throw new errors.BadRequestError({
@@ -626,7 +637,12 @@ module.exports = class RouterController {
             if (emailType === 'signup' || emailType === 'subscribe') {
                 await this._handleSignup(req, normalizedEmail, referrer);
             } else {
-                await this._handleSignin(req, normalizedEmail, referrer);
+                const signIn = await this._handleSignin(req, normalizedEmail, referrer);
+
+                if (this.labsService.isSet('membersSigninOTC') && signIn.otcRef) {
+                    res.writeHead(201, {'Content-Type': 'application/json'});
+                    return res.end(JSON.stringify({otc_ref: signIn.otcRef}));
+                }
             }
 
             res.writeHead(201);
@@ -644,6 +660,71 @@ module.exports = class RouterController {
         }
     }
 
+    async verifyOTC(req, res) {
+        const {otc, otcRef} = req.body;
+
+        if (!otc || !otcRef) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.badRequest),
+                context: 'otc and otcRef are required',
+                code: 'OTC_VERIFICATION_MISSING_PARAMS'
+            });
+        }
+
+        const tokenProvider = this._magicLinkService.tokenProvider;
+        if (!tokenProvider || typeof tokenProvider.verifyOTC !== 'function') {
+            throw new errors.BadRequestError({
+                message: tpl(messages.otcNotSupported),
+                code: 'OTC_NOT_SUPPORTED'
+            });
+        }
+
+        const isValidOTC = await tokenProvider.verifyOTC(otcRef, otc);
+        if (!isValidOTC) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidCode),
+                code: 'INVALID_OTC'
+            });
+        }
+
+        const tokenValue = await tokenProvider.getTokenByRef(otcRef);
+        if (!tokenValue) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidCode),
+                code: 'INVALID_OTC_REF'
+            });
+        }
+
+        const otcVerificationHash = await this._createHashFromOTCAndToken(otc, tokenValue);
+        if (!otcVerificationHash) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.failedToVerifyCode),
+                code: 'OTC_VERIFICATION_FAILED'
+            });
+        }
+
+        const referrer = extractRefererOrRedirect(req);
+
+        const redirectUrl = this._magicLinkService.getSigninURL(tokenValue, 'signin', referrer, otcVerificationHash);
+        if (!redirectUrl) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.failedToVerifyCode),
+                code: 'OTC_VERIFICATION_FAILED'
+            });
+        }
+
+        return res.json({redirectUrl});
+    }
+
+    async _createHashFromOTCAndToken(otc, token) {
+        // timestamp for anti-replay protection (5 minute window)
+        const timestamp = Math.floor(Date.now() / 1000);
+
+        const hash = this._magicLinkService.tokenProvider.createOTCVerificationHash(otc, token, timestamp);
+
+        return `${timestamp}:${hash}`;
+    }
+
     async _handleSignup(req, normalizedEmail, referrer = null) {
         if (!this._allowSelfSignup()) {
             if (this._settingsCache.get('members_signup_access') === 'paid') {
@@ -679,7 +760,13 @@ module.exports = class RouterController {
     }
 
     async _handleSignin(req, normalizedEmail, referrer = null) {
-        const {emailType} = req.body;
+        const {emailType, includeOTC: reqIncludeOTC} = req.body;
+
+        let includeOTC = false;
+
+        if (this.labsService.isSet('membersSigninOTC') && (reqIncludeOTC === true || reqIncludeOTC === 'true')) {
+            includeOTC = true;
+        }
 
         const member = await this._memberRepository.get({email: normalizedEmail});
 
@@ -690,7 +777,7 @@ module.exports = class RouterController {
         }
 
         const tokenData = {};
-        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer, includeOTC});
     }
 
     /**

package/core/server/services/members/members-api/members-api.js

@@ -158,7 +158,8 @@ module.exports = function MembersAPI({
         getText,
         getHTML,
         getSubject,
-        sentry
+        sentry,
+        labsService
     });
 
     const paymentsService = new PaymentsService({
@@ -207,7 +208,7 @@ module.exports = function MembersAPI({
 
     const users = memberRepository;
 
-    async function sendEmailWithMagicLink({email, requestedType, tokenData, options = {forceEmailType: false}, referrer = null}) {
+    async function sendEmailWithMagicLink({email, requestedType, tokenData, options = {forceEmailType: false}, referrer = null, includeOTC = false}) {
         let type = requestedType;
         if (!options.forceEmailType) {
             const member = await users.get({email});
@@ -217,7 +218,7 @@ module.exports = function MembersAPI({
                 type = 'signup';
             }
         }
-        return magicLinkService.sendMagicLink({email, type, tokenData: Object.assign({email, type}, tokenData), referrer});
+        return magicLinkService.sendMagicLink({email, type, tokenData: Object.assign({email, type}, tokenData), referrer, includeOTC});
     }
 
     /**
@@ -234,12 +235,12 @@ module.exports = function MembersAPI({
         });
     }
 
-    async function getTokenDataFromMagicLinkToken(token) {
-        return await magicLinkService.getDataFromToken(token);
+    async function getTokenDataFromMagicLinkToken(token, otcVerification) {
+        return await magicLinkService.getDataFromToken(token, otcVerification);
     }
 
-    async function getMemberDataFromMagicLinkToken(token) {
-        const {email, labels = [], name = '', oldEmail, newsletters, attribution, reqIp, type} = await getTokenDataFromMagicLinkToken(token);
+    async function getMemberDataFromMagicLinkToken(token, otcVerification) {
+        const {email, labels = [], name = '', oldEmail, newsletters, attribution, reqIp, type} = await getTokenDataFromMagicLinkToken(token, otcVerification);
         if (!email) {
             return null;
         }
@@ -339,6 +340,10 @@ module.exports = function MembersAPI({
             body.json(),
             forwardError((req, res) => routerController.sendMagicLink(req, res))
         ),
+        verifyOTC: Router().use(
+            body.json(),
+            forwardError((req, res) => routerController.verifyOTC(req, res))
+        ),
         createCheckoutSession: Router().use(
             body.json(),
             forwardError((req, res) => routerController.createCheckoutSession(req, res))