aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/controllers
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2022-10-05 15:37:15 +0200
committerChocobozzz <me@florianbigard.com>2022-10-07 10:51:16 +0200
commit56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/controllers
parent7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
downloadPeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip
Support two factor authentication in backend
Diffstat (limited to 'server/controllers')
-rw-r--r--server/controllers/api/users/index.ts2
-rw-r--r--server/controllers/api/users/token.ts7
-rw-r--r--server/controllers/api/users/two-factor.ts91
3 files changed, 99 insertions, 1 deletions
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 07b9ae395..a8677a1d3 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
51import { myNotificationsRouter } from './my-notifications' 51import { myNotificationsRouter } from './my-notifications'
52import { mySubscriptionsRouter } from './my-subscriptions' 52import { mySubscriptionsRouter } from './my-subscriptions'
53import { myVideoPlaylistsRouter } from './my-video-playlists' 53import { myVideoPlaylistsRouter } from './my-video-playlists'
54import { twoFactorRouter } from './two-factor'
54 55
55const auditLogger = auditLoggerFactory('users') 56const auditLogger = auditLoggerFactory('users')
56 57
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
66}) 67})
67 68
68const usersRouter = express.Router() 69const usersRouter = express.Router()
70usersRouter.use('/', twoFactorRouter)
69usersRouter.use('/', tokensRouter) 71usersRouter.use('/', tokensRouter)
70usersRouter.use('/', myNotificationsRouter) 72usersRouter.use('/', myNotificationsRouter)
71usersRouter.use('/', mySubscriptionsRouter) 73usersRouter.use('/', mySubscriptionsRouter)
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts
index 012a49791..c6afea67c 100644
--- a/server/controllers/api/users/token.ts
+++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
1import express from 'express' 1import express from 'express'
2import { logger } from '@server/helpers/logger' 2import { logger } from '@server/helpers/logger'
3import { CONFIG } from '@server/initializers/config' 3import { CONFIG } from '@server/initializers/config'
4import { OTP } from '@server/initializers/constants'
4import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth' 5import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
5import { handleOAuthToken } from '@server/lib/auth/oauth' 6import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
6import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model' 7import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
7import { Hooks } from '@server/lib/plugins/hooks' 8import { Hooks } from '@server/lib/plugins/hooks'
8import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares' 9import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
79 } catch (err) { 80 } catch (err) {
80 logger.warn('Login error', { err }) 81 logger.warn('Login error', { err })
81 82
83 if (err instanceof MissingTwoFactorError) {
84 res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
85 }
86
82 return res.fail({ 87 return res.fail({
83 status: err.code, 88 status: err.code,
84 message: err.message, 89 message: err.message,
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
new file mode 100644
index 000000000..1725294e7
--- /dev/null
+++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,91 @@
1import express from 'express'
2import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
3import { Redis } from '@server/lib/redis'
4import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
5import {
6 confirmTwoFactorValidator,
7 disableTwoFactorValidator,
8 requestOrConfirmTwoFactorValidator
9} from '@server/middlewares/validators/two-factor'
10import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
11
12const twoFactorRouter = express.Router()
13
14twoFactorRouter.post('/:id/two-factor/request',
15 authenticate,
16 asyncMiddleware(usersCheckCurrentPassword),
17 asyncMiddleware(requestOrConfirmTwoFactorValidator),
18 asyncMiddleware(requestTwoFactor)
19)
20
21twoFactorRouter.post('/:id/two-factor/confirm-request',
22 authenticate,
23 asyncMiddleware(requestOrConfirmTwoFactorValidator),
24 confirmTwoFactorValidator,
25 asyncMiddleware(confirmRequestTwoFactor)
26)
27
28twoFactorRouter.post('/:id/two-factor/disable',
29 authenticate,
30 asyncMiddleware(usersCheckCurrentPassword),
31 asyncMiddleware(disableTwoFactorValidator),
32 asyncMiddleware(disableTwoFactor)
33)
34
35// ---------------------------------------------------------------------------
36
37export {
38 twoFactorRouter
39}
40
41// ---------------------------------------------------------------------------
42
43async function requestTwoFactor (req: express.Request, res: express.Response) {
44 const user = res.locals.user
45
46 const { secret, uri } = generateOTPSecret(user.email)
47 const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
48
49 return res.json({
50 otpRequest: {
51 requestToken,
52 secret,
53 uri
54 }
55 } as TwoFactorEnableResult)
56}
57
58async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
59 const requestToken = req.body.requestToken
60 const otpToken = req.body.otpToken
61 const user = res.locals.user
62
63 const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
64 if (!secret) {
65 return res.fail({
66 message: 'Invalid request token',
67 status: HttpStatusCode.FORBIDDEN_403
68 })
69 }
70
71 if (isOTPValid({ secret, token: otpToken }) !== true) {
72 return res.fail({
73 message: 'Invalid OTP token',
74 status: HttpStatusCode.FORBIDDEN_403
75 })
76 }
77
78 user.otpSecret = secret
79 await user.save()
80
81 return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
82}
83
84async function disableTwoFactor (req: express.Request, res: express.Response) {
85 const user = res.locals.user
86
87 user.otpSecret = null
88 await user.save()
89
90 return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
91}