aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/controllers/api/users
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-10-10 11:12:23 +0200
committerChocobozzz <me@florianbigard.com>2022-10-10 11:12:23 +0200
commita3e5f804ad821f6979e8735b0569b1209986fedc (patch)
tree5b34a6bd6b3cb1c5e3eed32a72d02922100d53dc /server/controllers/api/users
parenta0da6f90d16027b385a67da6a5691b163626a363 (diff)
downloadPeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.gz
PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.zst
PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.zip
Encrypt OTP secret
Diffstat (limited to 'server/controllers/api/users')
-rw-r--r--server/controllers/api/users/two-factor.ts14
1 files changed, 9 insertions, 5 deletions
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
index 79f63a62d..e6ae9e4dd 100644
--- a/server/controllers/api/users/two-factor.ts
+++ b/server/controllers/api/users/two-factor.ts
@@ -1,5 +1,7 @@
1import express from 'express' 1import express from 'express'
2import { generateOTPSecret, isOTPValid } from '@server/helpers/otp' 2import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
3import { encrypt } from '@server/helpers/peertube-crypto'
4import { CONFIG } from '@server/initializers/config'
3import { Redis } from '@server/lib/redis' 5import { Redis } from '@server/lib/redis'
4import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares' 6import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
5import { 7import {
@@ -44,7 +46,9 @@ async function requestTwoFactor (req: express.Request, res: express.Response) {
44 const user = res.locals.user 46 const user = res.locals.user
45 47
46 const { secret, uri } = generateOTPSecret(user.email) 48 const { secret, uri } = generateOTPSecret(user.email)
47 const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret) 49
50 const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
51 const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
48 52
49 return res.json({ 53 return res.json({
50 otpRequest: { 54 otpRequest: {
@@ -60,22 +64,22 @@ async function confirmRequestTwoFactor (req: express.Request, res: express.Respo
60 const otpToken = req.body.otpToken 64 const otpToken = req.body.otpToken
61 const user = res.locals.user 65 const user = res.locals.user
62 66
63 const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken) 67 const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
64 if (!secret) { 68 if (!encryptedSecret) {
65 return res.fail({ 69 return res.fail({
66 message: 'Invalid request token', 70 message: 'Invalid request token',
67 status: HttpStatusCode.FORBIDDEN_403 71 status: HttpStatusCode.FORBIDDEN_403
68 }) 72 })
69 } 73 }
70 74
71 if (isOTPValid({ secret, token: otpToken }) !== true) { 75 if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
72 return res.fail({ 76 return res.fail({
73 message: 'Invalid OTP token', 77 message: 'Invalid OTP token',
74 status: HttpStatusCode.FORBIDDEN_403 78 status: HttpStatusCode.FORBIDDEN_403
75 }) 79 })
76 } 80 }
77 81
78 user.otpSecret = secret 82 user.otpSecret = encryptedSecret
79 await user.save() 83 await user.save()
80 84
81 return res.sendStatus(HttpStatusCode.NO_CONTENT_204) 85 return res.sendStatus(HttpStatusCode.NO_CONTENT_204)