import express from 'express'
import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { encrypt } from '@server/helpers/peertube-crypto'
+import { CONFIG } from '@server/initializers/config'
import { Redis } from '@server/lib/redis'
-import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
+import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
import {
confirmTwoFactorValidator,
disableTwoFactorValidator,
twoFactorRouter.post('/:id/two-factor/request',
authenticate,
- asyncMiddleware(usersCheckCurrentPassword),
+ asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
asyncMiddleware(requestOrConfirmTwoFactorValidator),
asyncMiddleware(requestTwoFactor)
)
twoFactorRouter.post('/:id/two-factor/disable',
authenticate,
- asyncMiddleware(usersCheckCurrentPassword),
+ asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
asyncMiddleware(disableTwoFactorValidator),
asyncMiddleware(disableTwoFactor)
)
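Review bot: The current-password check on lines 14 and 21 is now keyed on `req.params.id` instead of, presumably, the authenticated user, so which account's password gets compared is decided entirely inside `usersCheckCurrentPasswordFactory`, which is outside this hunk. Both handlers further down act on `res.locals.user` (lines 25 and 34), so the validators that follow the password check must still guarantee that `res.locals.user` is the account named by `:id` and that the caller is permitted to manage that account; if the factory loads the target user itself, that loading happens before those validators run and should reject unknown or non-numeric ids rather than throwing. A short comment at each route would make the intent explicit, e.g. `// password is checked for the user targeted by :id, not necessarily the caller (see usersCheckCurrentPasswordFactory)`. The same note applies to the `/disable` route on line 21.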
const user = res.locals.user
const { secret, uri } = generateOTPSecret(user.email)
- const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
+
+ const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
+ const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
return res.json({
otpRequest: {
const otpToken = req.body.otpToken
const user = res.locals.user
- const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
- if (!secret) {
+ const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+ if (!encryptedSecret) {
return res.fail({
message: 'Invalid request token',
status: HttpStatusCode.FORBIDDEN_403
})
}
- if (isOTPValid({ secret, token: otpToken }) !== true) {
+ if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
return res.fail({
message: 'Invalid OTP token',
status: HttpStatusCode.FORBIDDEN_403
})
}
- user.otpSecret = secret
+ user.otpSecret = encryptedSecret
await user.save()
return res.sendStatus(HttpStatusCode.NO_CONTENT_204)