author | Chocobozzz <me@florianbigard.com> | 2022-10-10 11:12:23 +0200 |
committer | Chocobozzz <me@florianbigard.com> | 2022-10-10 11:12:23 +0200 |
commit | a3e5f804ad821f6979e8735b0569b1209986fedc (patch) | |
tree | 5b34a6bd6b3cb1c5e3eed32a72d02922100d53dc /server/controllers/api | |
parent | a0da6f90d16027b385a67da6a5691b163626a363 (diff) | |
Encrypt OTP secret
Diffstat (limited to 'server/controllers/api')
-rw-r--r-- | server/controllers/api/users/two-factor.ts | 14 |
1 files changed, 9 insertions, 5 deletions
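--- a/server/controllers/api/users/two-factor.ts
+++ b/server/controllers/api/users/two-factor.ts
@@ -1,5 +1,7 @@
 import express from 'express'
 import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { encrypt } from '@server/helpers/peertube-crypto'
+import { CONFIG } from '@server/initializers/config'
 import { Redis } from '@server/lib/redis'
 import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
 import {
@@ -44,7 +46,9 @@ async function requestTwoFactor (req: express.Request, res: express.Response) {
   const user = res.locals.user
 
   const { secret, uri } = generateOTPSecret(user.email)
-  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
+
+  const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
+  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
 
   return res.json({
     otpRequest: {
@@ -60,22 +64,22 @@ async function confirmRequestTwoFactor (req: express.Request, res: express.Respo
   const otpToken = req.body.otpToken
   const user = res.locals.user
 
-  const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
-  if (!secret) {
+  const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+  if (!encryptedSecret) {
     return res.fail({
       message: 'Invalid request token',
       status: HttpStatusCode.FORBIDDEN_403
     })
   }
 
-  if (isOTPValid({ secret, token: otpToken }) !== true) {
+  if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
     return res.fail({
       message: 'Invalid OTP token',
       status: HttpStatusCode.FORBIDDEN_403
     })
   }
 
-  user.otpSecret = secret
+  user.otpSecret = encryptedSecret
   await user.save()
 
   return res.sendStatus(HttpStatusCode.NO_CONTENT_204)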
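Review bot: The assignment `user.otpSecret = encryptedSecret` at new line 82 changes the at-rest format of `otpSecret` without the field name or any comment saying so, and unless a migration elsewhere re-encrypts existing rows, a plaintext value stored before this commit would presumably no longer decrypt inside `isOTPValid`. Add `// ciphertext under CONFIG.SECRETS.PEERTUBE; isOTPValid() decrypts before checking the token` above that assignment, and the same note above the `setTwoFactorRequest` call in the requestTwoFactor hunk, so the model and the Redis helper are read with the right expectation. Because the enrolled secret's confidentiality now rests on the instance secret, rotating `CONFIG.SECRETS.PEERTUBE` would seemingly invalidate every user's second factor — worth a sentence next to that config key if so. Whether the Redis request entry is consumed after a successful confirm cannot be seen here; confirmRequestTwoFactor's body starts before the hunk.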