Support two factor authentication in backend

author: Chocobozzz <me@florianbigard.com> 2022-10-05 15:37:15 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-10-07 10:51:16 +0200
commit: 56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree: 854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/controllers
parent: 7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
download: PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip
3 files changed, 99 insertions, 1 deletions
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 07b9ae395..a8677a1d3 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
 import { myNotificationsRouter } from './my-notifications'
 import { mySubscriptionsRouter } from './my-subscriptions'
 import { myVideoPlaylistsRouter } from './my-video-playlists'
+import { twoFactorRouter } from './two-factor'
 const auditLogger = auditLoggerFactory('users')
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
 })
 const usersRouter = express.Router()
+usersRouter.use('/', twoFactorRouter)
 usersRouter.use('/', tokensRouter)
 usersRouter.use('/', myNotificationsRouter)
 usersRouter.use('/', mySubscriptionsRouter)
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts
index 012a49791..c6afea67c 100644
--- a/server/controllers/api/users/token.ts
+++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
 import express from 'express'
 import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
+import { OTP } from '@server/initializers/constants'
 import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
-import { handleOAuthToken } from '@server/lib/auth/oauth'
+import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
 import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
  } catch (err) {
    logger.warn('Login error', { err })
+    if (err instanceof MissingTwoFactorError) {
+      res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
+    }
    return res.fail({
      status: err.code,
      message: err.message,
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
new file mode 100644
index 000000000..1725294e7
--- /dev/null
+++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,91 @@
+import express from 'express'
+import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { Redis } from '@server/lib/redis'
+import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
+import {
+  confirmTwoFactorValidator,
+  disableTwoFactorValidator,
+  requestOrConfirmTwoFactorValidator
+} from '@server/middlewares/validators/two-factor'
+import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
+const twoFactorRouter = express.Router()
+twoFactorRouter.post('/:id/two-factor/request',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPassword),
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  asyncMiddleware(requestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/confirm-request',
+  authenticate,
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  confirmTwoFactorValidator,
+  asyncMiddleware(confirmRequestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/disable',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPassword),
+  asyncMiddleware(disableTwoFactorValidator),
+  asyncMiddleware(disableTwoFactor)
+)
+// ---------------------------------------------------------------------------
+export {
+  twoFactorRouter
+}
+// ---------------------------------------------------------------------------
+async function requestTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  const { secret, uri } = generateOTPSecret(user.email)
+  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
+  return res.json({
+    otpRequest: {
+      requestToken,
+      secret,
+      uri
+    }
+  } as TwoFactorEnableResult)
+}
+async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
+  const requestToken = req.body.requestToken
+  const otpToken = req.body.otpToken
+  const user = res.locals.user
+  const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+  if (!secret) {
+    return res.fail({
+      message: 'Invalid request token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  if (isOTPValid({ secret, token: otpToken }) !== true) {
+    return res.fail({
+      message: 'Invalid OTP token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  user.otpSecret = secret
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
+async function disableTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  user.otpSecret = null
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
author	Chocobozzz <me@florianbigard.com>	2022-10-05 15:37:15 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-10-07 10:51:16 +0200
commit	56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree	854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/controllers
parent	7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
download	PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 07b9ae395..a8677a1d3 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
51	import { myNotificationsRouter } from './my-notifications'	51	import { myNotificationsRouter } from './my-notifications'
52	import { mySubscriptionsRouter } from './my-subscriptions'	52	import { mySubscriptionsRouter } from './my-subscriptions'
53	import { myVideoPlaylistsRouter } from './my-video-playlists'	53	import { myVideoPlaylistsRouter } from './my-video-playlists'
		54	import { twoFactorRouter } from './two-factor'
54		55
55	const auditLogger = auditLoggerFactory('users')	56	const auditLogger = auditLoggerFactory('users')
56		57
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
66	})	67	})
67		68
68	const usersRouter = express.Router()	69	const usersRouter = express.Router()
		70	usersRouter.use('/', twoFactorRouter)
69	usersRouter.use('/', tokensRouter)	71	usersRouter.use('/', tokensRouter)
70	usersRouter.use('/', myNotificationsRouter)	72	usersRouter.use('/', myNotificationsRouter)
71	usersRouter.use('/', mySubscriptionsRouter)	73	usersRouter.use('/', mySubscriptionsRouter)


diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts index 012a49791..c6afea67c 100644 --- a/server/controllers/api/users/token.ts +++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
1	import express from 'express'	1	import express from 'express'
2	import { logger } from '@server/helpers/logger'	2	import { logger } from '@server/helpers/logger'
3	import { CONFIG } from '@server/initializers/config'	3	import { CONFIG } from '@server/initializers/config'
		4	import { OTP } from '@server/initializers/constants'
4	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'	5	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
5	import { handleOAuthToken } from '@server/lib/auth/oauth'	6	import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
6	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'	7	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
7	import { Hooks } from '@server/lib/plugins/hooks'	8	import { Hooks } from '@server/lib/plugins/hooks'
8	import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'	9	import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
79	} catch (err) {	80	} catch (err) {
80	logger.warn('Login error', { err })	81	logger.warn('Login error', { err })
81		82
		83	if (err instanceof MissingTwoFactorError) {
		84	res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
		85	}
		86
82	return res.fail({	87	return res.fail({
83	status: err.code,	88	status: err.code,
84	message: err.message,	89	message: err.message,


diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts new file mode 100644 index 000000000..1725294e7 --- /dev/null +++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,91 @@
		1	import express from 'express'
		2	import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
		3	import { Redis } from '@server/lib/redis'
		4	import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
		5	import {
		6	confirmTwoFactorValidator,
		7	disableTwoFactorValidator,
		8	requestOrConfirmTwoFactorValidator
		9	} from '@server/middlewares/validators/two-factor'
		10	import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
		11
		12	const twoFactorRouter = express.Router()
		13
		14	twoFactorRouter.post('/:id/two-factor/request',
		15	authenticate,
		16	asyncMiddleware(usersCheckCurrentPassword),
		17	asyncMiddleware(requestOrConfirmTwoFactorValidator),
		18	asyncMiddleware(requestTwoFactor)
		19	)
		20
		21	twoFactorRouter.post('/:id/two-factor/confirm-request',
		22	authenticate,
		23	asyncMiddleware(requestOrConfirmTwoFactorValidator),
		24	confirmTwoFactorValidator,
		25	asyncMiddleware(confirmRequestTwoFactor)
		26	)
		27
		28	twoFactorRouter.post('/:id/two-factor/disable',
		29	authenticate,
		30	asyncMiddleware(usersCheckCurrentPassword),
		31	asyncMiddleware(disableTwoFactorValidator),
		32	asyncMiddleware(disableTwoFactor)
		33	)
		34
		35	// ---------------------------------------------------------------------------
		36
		37	export {
		38	twoFactorRouter
		39	}
		40
		41	// ---------------------------------------------------------------------------
		42
		43	async function requestTwoFactor (req: express.Request, res: express.Response) {
		44	const user = res.locals.user
		45
		46	const { secret, uri } = generateOTPSecret(user.email)
		47	const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
		48
		49	return res.json({
		50	otpRequest: {
		51	requestToken,
		52	secret,
		53	uri
		54	}
		55	} as TwoFactorEnableResult)
		56	}
		57
		58	async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
		59	const requestToken = req.body.requestToken
		60	const otpToken = req.body.otpToken
		61	const user = res.locals.user
		62
		63	const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
		64	if (!secret) {
		65	return res.fail({
		66	message: 'Invalid request token',
		67	status: HttpStatusCode.FORBIDDEN_403
		68	})
		69	}
		70
		71	if (isOTPValid({ secret, token: otpToken }) !== true) {
		72	return res.fail({
		73	message: 'Invalid OTP token',
		74	status: HttpStatusCode.FORBIDDEN_403
		75	})
		76	}
		77
		78	user.otpSecret = secret
		79	await user.save()
		80
		81	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
		82	}
		83
		84	async function disableTwoFactor (req: express.Request, res: express.Response) {
		85	const user = res.locals.user
		86
		87	user.otpSecret = null
		88	await user.save()
		89
		90	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
		91	}