diff options
author | Chocobozzz <me@florianbigard.com> | 2022-10-05 15:37:15 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-10-07 10:51:16 +0200 |
commit | 56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch) | |
tree | 854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/controllers | |
parent | 7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff) | |
download | PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip |
Support two factor authentication in backend
Diffstat (limited to 'server/controllers')
-rw-r--r-- | server/controllers/api/users/index.ts | 2 | ||||
-rw-r--r-- | server/controllers/api/users/token.ts | 7 | ||||
-rw-r--r-- | server/controllers/api/users/two-factor.ts | 91 |
3 files changed, 99 insertions, 1 deletions
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 07b9ae395..a8677a1d3 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts | |||
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history' | |||
51 | import { myNotificationsRouter } from './my-notifications' | 51 | import { myNotificationsRouter } from './my-notifications' |
52 | import { mySubscriptionsRouter } from './my-subscriptions' | 52 | import { mySubscriptionsRouter } from './my-subscriptions' |
53 | import { myVideoPlaylistsRouter } from './my-video-playlists' | 53 | import { myVideoPlaylistsRouter } from './my-video-playlists' |
54 | import { twoFactorRouter } from './two-factor' | ||
54 | 55 | ||
55 | const auditLogger = auditLoggerFactory('users') | 56 | const auditLogger = auditLoggerFactory('users') |
56 | 57 | ||
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({ | |||
66 | }) | 67 | }) |
67 | 68 | ||
68 | const usersRouter = express.Router() | 69 | const usersRouter = express.Router() |
70 | usersRouter.use('/', twoFactorRouter) | ||
69 | usersRouter.use('/', tokensRouter) | 71 | usersRouter.use('/', tokensRouter) |
70 | usersRouter.use('/', myNotificationsRouter) | 72 | usersRouter.use('/', myNotificationsRouter) |
71 | usersRouter.use('/', mySubscriptionsRouter) | 73 | usersRouter.use('/', mySubscriptionsRouter) |
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts index 012a49791..c6afea67c 100644 --- a/server/controllers/api/users/token.ts +++ b/server/controllers/api/users/token.ts | |||
@@ -1,8 +1,9 @@ | |||
1 | import express from 'express' | 1 | import express from 'express' |
2 | import { logger } from '@server/helpers/logger' | 2 | import { logger } from '@server/helpers/logger' |
3 | import { CONFIG } from '@server/initializers/config' | 3 | import { CONFIG } from '@server/initializers/config' |
4 | import { OTP } from '@server/initializers/constants' | ||
4 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' | 5 | import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' |
5 | import { handleOAuthToken } from '@server/lib/auth/oauth' | 6 | import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth' |
6 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' | 7 | import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' |
7 | import { Hooks } from '@server/lib/plugins/hooks' | 8 | import { Hooks } from '@server/lib/plugins/hooks' |
8 | import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares' | 9 | import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares' |
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e | |||
79 | } catch (err) { | 80 | } catch (err) { |
80 | logger.warn('Login error', { err }) | 81 | logger.warn('Login error', { err }) |
81 | 82 | ||
83 | if (err instanceof MissingTwoFactorError) { | ||
84 | res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE) | ||
85 | } | ||
86 | |||
82 | return res.fail({ | 87 | return res.fail({ |
83 | status: err.code, | 88 | status: err.code, |
84 | message: err.message, | 89 | message: err.message, |
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts new file mode 100644 index 000000000..1725294e7 --- /dev/null +++ b/server/controllers/api/users/two-factor.ts | |||
@@ -0,0 +1,91 @@ | |||
1 | import express from 'express' | ||
2 | import { generateOTPSecret, isOTPValid } from '@server/helpers/otp' | ||
3 | import { Redis } from '@server/lib/redis' | ||
4 | import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares' | ||
5 | import { | ||
6 | confirmTwoFactorValidator, | ||
7 | disableTwoFactorValidator, | ||
8 | requestOrConfirmTwoFactorValidator | ||
9 | } from '@server/middlewares/validators/two-factor' | ||
10 | import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models' | ||
11 | |||
12 | const twoFactorRouter = express.Router() | ||
13 | |||
14 | twoFactorRouter.post('/:id/two-factor/request', | ||
15 | authenticate, | ||
16 | asyncMiddleware(usersCheckCurrentPassword), | ||
17 | asyncMiddleware(requestOrConfirmTwoFactorValidator), | ||
18 | asyncMiddleware(requestTwoFactor) | ||
19 | ) | ||
20 | |||
21 | twoFactorRouter.post('/:id/two-factor/confirm-request', | ||
22 | authenticate, | ||
23 | asyncMiddleware(requestOrConfirmTwoFactorValidator), | ||
24 | confirmTwoFactorValidator, | ||
25 | asyncMiddleware(confirmRequestTwoFactor) | ||
26 | ) | ||
27 | |||
28 | twoFactorRouter.post('/:id/two-factor/disable', | ||
29 | authenticate, | ||
30 | asyncMiddleware(usersCheckCurrentPassword), | ||
31 | asyncMiddleware(disableTwoFactorValidator), | ||
32 | asyncMiddleware(disableTwoFactor) | ||
33 | ) | ||
34 | |||
35 | // --------------------------------------------------------------------------- | ||
36 | |||
37 | export { | ||
38 | twoFactorRouter | ||
39 | } | ||
40 | |||
41 | // --------------------------------------------------------------------------- | ||
42 | |||
43 | async function requestTwoFactor (req: express.Request, res: express.Response) { | ||
44 | const user = res.locals.user | ||
45 | |||
46 | const { secret, uri } = generateOTPSecret(user.email) | ||
47 | const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret) | ||
48 | |||
49 | return res.json({ | ||
50 | otpRequest: { | ||
51 | requestToken, | ||
52 | secret, | ||
53 | uri | ||
54 | } | ||
55 | } as TwoFactorEnableResult) | ||
56 | } | ||
57 | |||
58 | async function confirmRequestTwoFactor (req: express.Request, res: express.Response) { | ||
59 | const requestToken = req.body.requestToken | ||
60 | const otpToken = req.body.otpToken | ||
61 | const user = res.locals.user | ||
62 | |||
63 | const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken) | ||
64 | if (!secret) { | ||
65 | return res.fail({ | ||
66 | message: 'Invalid request token', | ||
67 | status: HttpStatusCode.FORBIDDEN_403 | ||
68 | }) | ||
69 | } | ||
70 | |||
71 | if (isOTPValid({ secret, token: otpToken }) !== true) { | ||
72 | return res.fail({ | ||
73 | message: 'Invalid OTP token', | ||
74 | status: HttpStatusCode.FORBIDDEN_403 | ||
75 | }) | ||
76 | } | ||
77 | |||
78 | user.otpSecret = secret | ||
79 | await user.save() | ||
80 | |||
81 | return res.sendStatus(HttpStatusCode.NO_CONTENT_204) | ||
82 | } | ||
83 | |||
84 | async function disableTwoFactor (req: express.Request, res: express.Response) { | ||
85 | const user = res.locals.user | ||
86 | |||
87 | user.otpSecret = null | ||
88 | await user.save() | ||
89 | |||
90 | return res.sendStatus(HttpStatusCode.NO_CONTENT_204) | ||
91 | } | ||