1 import express from 'express'
2 import { body, param } from 'express-validator'
3 import { HttpStatusCode, UserRight } from '@shared/models'
4 import { exists, isIdValid } from '../../helpers/custom-validators/misc'
5 import { areValidationErrors, checkUserIdExist } from './shared'
6
/**
 * Validator chain for the two-factor request/confirm routes.
 *
 * Checks, in order: the `:id` route param is a valid id, the caller is allowed
 * to change that user's two-factor setting (the user themself, or a holder of
 * the MANAGE_USERS right), and the target user does not already have a secret
 * stored (`otpSecret`).
 *
 * NOTE(review): re-authentication of the acting user (e.g. a current-password
 * check) is not enforced by this middleware; confirm the route's other
 * validators or the controller do it before a new secret is issued.
 */
const requestOrConfirmTwoFactorValidator = [
  param('id').custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    // Loads the target user into res.locals.user and enforces self-or-admin
    // access. A falsy result means an error response has already been sent
    // (by the helper, or presumably by checkUserIdExist on a missing user).
    const allowed = await checkCanEnableOrDisableTwoFactor(req.params.id, res)
    if (!allowed) return

    // Refuse when a secret is already stored for the target user.
    if (!res.locals.user.otpSecret) return next()

    return res.fail({
      status: HttpStatusCode.BAD_REQUEST_400,
      message: `Two factor is already enabled.`
    })
  }
]
25
/**
 * Validator chain for the two-factor confirmation body: `requestToken` and
 * `otpToken` must both be present.
 *
 * NOTE(review): this middleware does no user or permission check of its own,
 * and `exists` only checks presence, not type or format. It relies on being
 * chained after requestOrConfirmTwoFactorValidator, and on the controller to
 * verify `otpToken` against the secret presumably carried by `requestToken`
 * (and to bind that token to the target user) - confirm both in the router
 * and controller.
 */
const confirmTwoFactorValidator = [
  ...[ 'requestToken', 'otpToken' ].map(field => body(field).custom(exists)),

  (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    return next()
  }
]
36
/**
 * Validator chain for disabling two-factor on a user.
 *
 * Checks, in order: the `:id` route param is a valid id, the caller is the
 * target user or holds the MANAGE_USERS right, and the target currently has a
 * secret stored (`otpSecret`), i.e. two-factor is enabled.
 *
 * NOTE(review): a MANAGE_USERS holder can disable another user's second factor
 * without presenting that user's OTP, and nothing here asks the acting user to
 * re-authenticate - confirm the controller (or another validator on the route)
 * requires it.
 */
const disableTwoFactorValidator = [
  param('id').custom(isIdValid),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    if (areValidationErrors(req, res)) return

    // Loads the target user into res.locals.user and enforces self-or-admin
    // access; a falsy result means the error response has already been sent.
    const allowed = await checkCanEnableOrDisableTwoFactor(req.params.id, res)
    if (!allowed) return

    const targetUser = res.locals.user
    if (targetUser.otpSecret) return next()

    // Nothing to disable: no secret is stored for this user.
    return res.fail({
      status: HttpStatusCode.BAD_REQUEST_400,
      message: `Two factor is already disabled.`
    })
  }
]
55
56 // ---------------------------------------------------------------------------
57
// Only the validator chains are exported; checkCanEnableOrDisableTwoFactor
// below stays private to this module.
export {
  requestOrConfirmTwoFactorValidator,
  confirmTwoFactorValidator,
  disableTwoFactorValidator
}
63
64 // ---------------------------------------------------------------------------
65
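/**
 * Shared access check for the two-factor routes: the target user must exist
 * and the authenticated user must either be that user or hold the
 * MANAGE_USERS right.
 *
 * On success `res.locals.user` holds the target user (loaded by
 * checkUserIdExist, which is presumably also the one sending the error
 * response when the user is missing).
 *
 * @param userId the `:id` route param (raw string, or a number)
 * @param res response; an error is written to it before `false` is returned
 * @returns `true` when the caller may change the target's two-factor setting,
 *          `false` when the response has already been sent. The missing-user
 *          path previously returned `undefined`; it now returns `false` so the
 *          function is consistently boolean (callers only test truthiness).
 */
async function checkCanEnableOrDisableTwoFactor (userId: number | string, res: express.Response): Promise<boolean> {
  const authUser = res.locals.oauth.token.user

  if (!await checkUserIdExist(userId, res)) return false

  const isSelf = res.locals.user.id === authUser.id
  const canManageUsers = authUser.hasRight(UserRight.MANAGE_USERS) === true

  // Holders of MANAGE_USERS may change anyone's second factor; everyone else
  // may only change their own.
  if (!isSelf && !canManageUsers) {
    res.fail({
      status: HttpStatusCode.FORBIDDEN_403,
      message: `User ${authUser.username} does not have right to change two factor setting of this user.`
    })

    return false
  }

  return true
}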