server/controllers/api/users/two-factor.ts

   1 import express from 'express'
   2 import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
   3 import { Redis } from '@server/lib/redis'
   4 import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
   5 import {
   6   confirmTwoFactorValidator,
   7   disableTwoFactorValidator,
   8   requestOrConfirmTwoFactorValidator
   9 } from '@server/middlewares/validators/two-factor'
  10 import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
  11
  12 const twoFactorRouter = express.Router()
  13
  14 twoFactorRouter.post('/:id/two-factor/request',
  15   authenticate,
  16   asyncMiddleware(usersCheckCurrentPassword),
  17   asyncMiddleware(requestOrConfirmTwoFactorValidator),
  18   asyncMiddleware(requestTwoFactor)
  19 )
  20
  21 twoFactorRouter.post('/:id/two-factor/confirm-request',
  22   authenticate,
  23   asyncMiddleware(requestOrConfirmTwoFactorValidator),
  24   confirmTwoFactorValidator,
  25   asyncMiddleware(confirmRequestTwoFactor)
  26 )
  27
  28 twoFactorRouter.post('/:id/two-factor/disable',
  29   authenticate,
  30   asyncMiddleware(usersCheckCurrentPassword),
  31   asyncMiddleware(disableTwoFactorValidator),
  32   asyncMiddleware(disableTwoFactor)
  33 )
  34
  35 // ---------------------------------------------------------------------------
  36
  37 export {
  38   twoFactorRouter
  39 }
  40
  41 // ---------------------------------------------------------------------------
  42
  43 async function requestTwoFactor (req: express.Request, res: express.Response) {
  44   const user = res.locals.user
  45
  46   const { secret, uri } = generateOTPSecret(user.email)
  47   const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
  48
  49   return res.json({
  50     otpRequest: {
  51       requestToken,
  52       secret,
  53       uri
  54     }
  55   } as TwoFactorEnableResult)
  56 }
  57
  58 async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
  59   const requestToken = req.body.requestToken
  60   const otpToken = req.body.otpToken
  61   const user = res.locals.user
  62
  63   const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
  64   if (!secret) {
  65     return res.fail({
  66       message: 'Invalid request token',
  67       status: HttpStatusCode.FORBIDDEN_403
  68     })
  69   }
  70
  71   if (isOTPValid({ secret, token: otpToken }) !== true) {
  72     return res.fail({
  73       message: 'Invalid OTP token',
  74       status: HttpStatusCode.FORBIDDEN_403
  75     })
  76   }
  77
  78   user.otpSecret = secret
  79   await user.save()
  80
  81   return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
  82 }
  83
  84 async function disableTwoFactor (req: express.Request, res: express.Response) {
  85   const user = res.locals.user
  86
  87   user.otpSecret = null
  88   await user.save()
  89
  90   return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
  91 }