</div>
-<div *ngIf="!isCreation() && user && user.pluginAuth === null" class="row mt-4"> <!-- danger zone grid -->
+<div *ngIf="displayDangerZone()" class="row mt-4"> <!-- danger zone grid -->
<div class="col-12 col-lg-4 col-xl-3">
<div class="anchor" id="danger"></div> <!-- danger zone anchor -->
<div i18n class="account-title account-title-danger">DANGER ZONE</div>
<div class="col-12 col-lg-8 col-xl-9">
<div class="danger-zone">
- <div class="form-group reset-password-email">
+ <div class="form-group">
<label i18n>Send a link to reset the password by email to the user</label>
<button (click)="resetPassword()" i18n>Ask for new password</button>
</div>
<label i18n>Manually set the user password</label>
<my-user-password [userId]="user.id"></my-user-password>
</div>
+
+ <div *ngIf="user.twoFactorEnabled" class="form-group">
+ <label i18n>This user has two factor authentication enabled</label>
+ <button (click)="disableTwoFactorAuth()" i18n>Disable two factor authentication</button>
+ </div>
</div>
</div>
}
.danger-zone {
- .reset-password-email {
- margin-bottom: 30px;
+ button {
+ @include peertube-button;
+ @include danger-button;
+ @include disable-outline;
- button {
- @include peertube-button;
- @include danger-button;
- @include disable-outline;
-
- display: block;
- margin-top: 0;
- }
+ display: block;
+ margin-top: 0;
}
}
]
}
+ displayDangerZone () {
+ if (this.isCreation()) return false
+ if (this.user?.pluginAuth) return false
+ if (this.auth.getUser().id === this.user.id) return false
+
+ return true
+ }
+
resetPassword () {
return
}
+ disableTwoFactorAuth () {
+ return
+ }
+
getUserVideoQuota () {
return this.form.value['videoQuota']
}
USER_VIDEO_QUOTA_VALIDATOR
} from '@app/shared/form-validators/user-validators'
import { FormValidatorService } from '@app/shared/shared-forms'
-import { UserAdminService } from '@app/shared/shared-users'
+import { TwoFactorService, UserAdminService } from '@app/shared/shared-users'
import { User as UserType, UserAdminFlag, UserRole, UserUpdate } from '@shared/models'
import { UserEdit } from './user-edit'
private router: Router,
private notifier: Notifier,
private userService: UserService,
+ private twoFactorService: TwoFactorService,
private userAdminService: UserAdminService
) {
super()
this.notifier.success($localize`An email asking for password reset has been sent to ${this.user.username}.`)
},
- error: err => {
- this.error = err.message
- }
+ error: err => this.notifier.error(err.message)
+ })
+ }
+
+ disableTwoFactorAuth () {
+ this.twoFactorService.disableTwoFactor({ userId: this.user.id })
+ .subscribe({
+ next: () => {
+ this.user.twoFactorEnabled = false
+
+ this.notifier.success($localize`Two factor authentication of ${this.user.username} disabled.`)
+ },
+
+ error: err => this.notifier.error(err.message)
})
+
}
private onUserFetched (userJson: UserType) {
export * from './my-account-two-factor-button.component'
export * from './my-account-two-factor.component'
-export * from './two-factor.service'
import { Subject } from 'rxjs'
import { Component, Input, OnInit } from '@angular/core'
import { AuthService, ConfirmService, Notifier, User } from '@app/core'
-import { TwoFactorService } from './two-factor.service'
+import { TwoFactorService } from '@app/shared/shared-users'
@Component({
selector: 'my-account-two-factor-button',
import { AuthService, Notifier, User } from '@app/core'
import { USER_EXISTING_PASSWORD_VALIDATOR, USER_OTP_TOKEN_VALIDATOR } from '@app/shared/form-validators/user-validators'
import { FormReactiveService } from '@app/shared/shared-forms'
-import { TwoFactorService } from './two-factor.service'
+import { TwoFactorService } from '@app/shared/shared-users'
@Component({
selector: 'my-account-two-factor',
import { SharedModerationModule } from '@app/shared/shared-moderation'
import { SharedShareModal } from '@app/shared/shared-share-modal'
import { SharedUserInterfaceSettingsModule } from '@app/shared/shared-user-settings'
+import { SharedUsersModule } from '@app/shared/shared-users'
import { SharedActorImageModule } from '../shared/shared-actor-image/shared-actor-image.module'
import { MyAccountAbusesListComponent } from './my-account-abuses/my-account-abuses-list.component'
import { MyAccountApplicationsComponent } from './my-account-applications/my-account-applications.component'
import { MyAccountNotificationPreferencesComponent } from './my-account-settings/my-account-notification-preferences'
import { MyAccountProfileComponent } from './my-account-settings/my-account-profile/my-account-profile.component'
import { MyAccountSettingsComponent } from './my-account-settings/my-account-settings.component'
-import {
- MyAccountTwoFactorButtonComponent,
- MyAccountTwoFactorComponent,
- TwoFactorService
-} from './my-account-settings/my-account-two-factor'
+import { MyAccountTwoFactorButtonComponent, MyAccountTwoFactorComponent } from './my-account-settings/my-account-two-factor'
import { MyAccountComponent } from './my-account.component'
@NgModule({
SharedFormModule,
SharedModerationModule,
SharedUserInterfaceSettingsModule,
+ SharedUsersModule,
SharedGlobalIconModule,
SharedAbuseListModule,
SharedShareModal,
MyAccountComponent
],
- providers: [
- TwoFactorService
- ]
+ providers: []
})
export class MyAccountModule {
}
export * from './user-admin.service'
export * from './user-signup.service'
+export * from './two-factor.service'
export * from './shared-users.module'
import { NgModule } from '@angular/core'
import { SharedMainModule } from '../shared-main/shared-main.module'
+import { TwoFactorService } from './two-factor.service'
import { UserAdminService } from './user-admin.service'
import { UserSignupService } from './user-signup.service'
providers: [
UserSignupService,
- UserAdminService
+ UserAdminService,
+ TwoFactorService
]
})
export class SharedUsersModule { }
disableTwoFactor (options: {
userId: number
- currentPassword: string
+ currentPassword?: string
}) {
const { userId, currentPassword } = options
import express from 'express'
import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
import { Redis } from '@server/lib/redis'
-import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
+import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
import {
confirmTwoFactorValidator,
disableTwoFactorValidator,
twoFactorRouter.post('/:id/two-factor/request',
authenticate,
- asyncMiddleware(usersCheckCurrentPassword),
+ asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
asyncMiddleware(requestOrConfirmTwoFactorValidator),
asyncMiddleware(requestTwoFactor)
)
twoFactorRouter.post('/:id/two-factor/disable',
authenticate,
- asyncMiddleware(usersCheckCurrentPassword),
+ asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
asyncMiddleware(disableTwoFactorValidator),
asyncMiddleware(disableTwoFactor)
)
// User password checks
function comparePassword (plainPassword: string, hashPassword: string) {
+ if (!plainPassword) return Promise.resolve(false)
+
return bcryptComparePromise(plainPassword, hashPassword)
}
}
]
-const usersCheckCurrentPassword = [
- body('currentPassword').custom(exists),
+const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Request) => number | string) => {
+ return [
+ body('currentPassword').optional().custom(exists),
- async (req: express.Request, res: express.Response, next: express.NextFunction) => {
- if (areValidationErrors(req, res)) return
+ async (req: express.Request, res: express.Response, next: express.NextFunction) => {
+ if (areValidationErrors(req, res)) return
- const user = res.locals.oauth.token.User
- if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
- return res.fail({
- status: HttpStatusCode.FORBIDDEN_403,
- message: 'currentPassword is invalid.'
- })
- }
+ const user = res.locals.oauth.token.User
+ const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR
+ const targetUserId = parseInt(targetUserIdGetter(req) + '')
- return next()
- }
-]
+ // Admin/moderator action on another user, skip the password check
+ if (isAdminOrModerator && targetUserId !== user.id) {
+ return next()
+ }
+
+ if (!req.body.currentPassword) {
+ return res.fail({
+ status: HttpStatusCode.BAD_REQUEST_400,
+ message: 'currentPassword is missing'
+ })
+ }
+
+ if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
+ return res.fail({
+ status: HttpStatusCode.FORBIDDEN_403,
+ message: 'currentPassword is invalid.'
+ })
+ }
+
+ return next()
+ }
+ ]
+}
const userAutocompleteValidator = [
param('search')
usersUpdateValidator,
usersUpdateMeValidator,
usersVideoRatingValidator,
- usersCheckCurrentPassword,
+ usersCheckCurrentPasswordFactory,
ensureUserRegistrationAllowed,
ensureUserRegistrationAllowedForIP,
usersGetValidator,
})
})
+ it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () {
+ await server.twoFactor.request({ userId })
+ })
+
+ it('Should fail to request two factor without a password when targeting myself with an admin account', async function () {
+ await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+ await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+ })
+
it('Should succeed to request my two factor auth', async function () {
{
const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
})
})
- it('Should fail to disabled two factor with an incorrect password', async function () {
+ it('Should fail to disable two factor with an incorrect password', async function () {
await server.twoFactor.disable({
userId,
token: userToken,
})
})
+ it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () {
+ await server.twoFactor.disable({ userId })
+ await server.twoFactor.requestAndConfirm({ userId })
+ })
+
+ it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () {
+ await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+ await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 })
+ })
+
it('Should succeed to disable another user two factor with the appropriate rights', async function () {
await server.twoFactor.disable({ userId, currentPassword: rootPassword })
- // Reinit
- const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword })
- await server.twoFactor.confirmRequest({
- userId,
- requestToken: otpRequest.requestToken,
- otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
- })
+ await server.twoFactor.requestAndConfirm({ userId })
})
it('Should succeed to update my two factor auth', async function () {
async function login (options: {
server: PeerTubeServer
- password?: string
+ username: string
+ password: string
otpToken?: string
expectedStatus?: HttpStatusCode
}) {
- const { server, password = server.store.user.password, otpToken, expectedStatus } = options
+ const { server, username, password, otpToken, expectedStatus } = options
- const user = { username: server.store.user.username, password }
+ const user = { username, password }
const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus })
return { res, token }
describe('Test users', function () {
let server: PeerTubeServer
- let rootId: number
let otpSecret: string
let requestToken: string
+ const userUsername = 'user1'
+ let userId: number
+ let userPassword: string
+ let userToken: string
+
before(async function () {
this.timeout(30000)
server = await createSingleServer(1)
await setAccessTokensToServers([ server ])
-
- const { id } = await server.users.getMyInfo()
- rootId = id
+ const res = await server.users.generate(userUsername)
+ userId = res.userId
+ userPassword = res.password
+ userToken = res.token
})
it('Should not add the header on login if two factor is not enabled', async function () {
- const { res, token } = await login({ server })
+ const { res, token } = await login({ server, username: userUsername, password: userPassword })
expect(res.header['x-peertube-otp']).to.not.exist
})
it('Should request two factor and get the secret and uri', async function () {
- const { otpRequest } = await server.twoFactor.request({
- userId: rootId,
- currentPassword: server.store.user.password
- })
+ const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword })
expect(otpRequest.requestToken).to.exist
})
it('Should not have two factor confirmed yet', async function () {
- const { twoFactorEnabled } = await server.users.getMyInfo()
+ const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
expect(twoFactorEnabled).to.be.false
})
it('Should confirm two factor', async function () {
await server.twoFactor.confirmRequest({
- userId: rootId,
+ userId,
+ token: userToken,
otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(),
requestToken
})
})
it('Should not add the header on login if two factor is enabled and password is incorrect', async function () {
- const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+ const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
expect(res.header['x-peertube-otp']).to.not.exist
expect(token).to.not.exist
})
it('Should add the header on login if two factor is enabled and password is correct', async function () {
- const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 })
+ const { res, token } = await login({
+ server,
+ username: userUsername,
+ password: userPassword,
+ expectedStatus: HttpStatusCode.UNAUTHORIZED_401
+ })
expect(res.header['x-peertube-otp']).to.exist
expect(token).to.not.exist
it('Should not login with correct password and incorrect otp secret', async function () {
const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) })
- const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+ const { res, token } = await login({
+ server,
+ username: userUsername,
+ password: userPassword,
+ otpToken: otp.generate(),
+ expectedStatus: HttpStatusCode.BAD_REQUEST_400
+ })
expect(res.header['x-peertube-otp']).to.not.exist
expect(token).to.not.exist
})
it('Should not login with correct password and incorrect otp code', async function () {
- const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+ const { res, token } = await login({
+ server,
+ username: userUsername,
+ password: userPassword,
+ otpToken: '123456',
+ expectedStatus: HttpStatusCode.BAD_REQUEST_400
+ })
expect(res.header['x-peertube-otp']).to.not.exist
expect(token).to.not.exist
it('Should not login with incorrect password and correct otp code', async function () {
const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
- const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 })
+ const { res, token } = await login({
+ server,
+ username: userUsername,
+ password: 'fake',
+ otpToken,
+ expectedStatus: HttpStatusCode.BAD_REQUEST_400
+ })
expect(res.header['x-peertube-otp']).to.not.exist
expect(token).to.not.exist
it('Should correctly login with correct password and otp code', async function () {
const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate()
- const { res, token } = await login({ server, otpToken })
+ const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken })
expect(res.header['x-peertube-otp']).to.not.exist
expect(token).to.exist
})
it('Should have two factor enabled when getting my info', async function () {
- const { twoFactorEnabled } = await server.users.getMyInfo()
+ const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
expect(twoFactorEnabled).to.be.true
})
it('Should disable two factor and be able to login without otp token', async function () {
- await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password })
+ await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword })
- const { res, token } = await login({ server })
+ const { res, token } = await login({ server, username: userUsername, password: userPassword })
expect(res.header['x-peertube-otp']).to.not.exist
await server.users.getMyInfo({ token })
})
it('Should have two factor disabled when getting my info', async function () {
- const { twoFactorEnabled } = await server.users.getMyInfo()
+ const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+ expect(twoFactorEnabled).to.be.false
+ })
+
+ it('Should enable two factor auth without password from an admin', async function () {
+ const { otpRequest } = await server.twoFactor.request({ userId })
+
+ await server.twoFactor.confirmRequest({
+ userId,
+ otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(),
+ requestToken: otpRequest.requestToken
+ })
+
+ const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
+ expect(twoFactorEnabled).to.be.true
+ })
+
+ it('Should disable two factor auth without password from an admin', async function () {
+ await server.twoFactor.disable({ userId })
+
+ const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken })
expect(twoFactorEnabled).to.be.false
})
request (options: OverrideCommandOptions & {
userId: number
- currentPassword: string
+ currentPassword?: string
}) {
const { currentPassword, userId } = options
disable (options: OverrideCommandOptions & {
userId: number
- currentPassword: string
+ currentPassword?: string
}) {
const { userId, currentPassword } = options
const path = '/api/v1/users/' + userId + '/two-factor/disable'
defaultExpectedStatus: HttpStatusCode.NO_CONTENT_204
})
}
+
+ async requestAndConfirm (options: OverrideCommandOptions & {
+ userId: number
+ currentPassword?: string
+ }) {
+ const { userId, currentPassword } = options
+
+ const { otpRequest } = await this.request({ userId, currentPassword })
+
+ await this.confirmRequest({
+ userId,
+ requestToken: otpRequest.requestToken,
+ otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate()
+ })
+
+ return otpRequest
+ }
}