Encrypt OTP secret

author: Chocobozzz <me@florianbigard.com> 2022-10-10 11:12:23 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-10-10 11:12:23 +0200
commit: a3e5f804ad821f6979e8735b0569b1209986fedc (patch)
tree: 5b34a6bd6b3cb1c5e3eed32a72d02922100d53dc /server/controllers
parent: a0da6f90d16027b385a67da6a5691b163626a363 (diff)
download: PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.gz
PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.zst
PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.zip
1 files changed, 9 insertions, 5 deletions
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
index 79f63a62d..e6ae9e4dd 100644
--- a/server/controllers/api/users/two-factor.ts
+++ b/server/controllers/api/users/two-factor.ts
@@ -1,5 +1,7 @@
 import express from 'express'
 import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { encrypt } from '@server/helpers/peertube-crypto'
+import { CONFIG } from '@server/initializers/config'
 import { Redis } from '@server/lib/redis'
 import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
 import {
@@ -44,7 +46,9 @@ async function requestTwoFactor (req: express.Request, res: express.Response) {
  const user = res.locals.user
  const { secret, uri } = generateOTPSecret(user.email)
-  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
+  const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
+  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
  return res.json({
    otpRequest: {
@@ -60,22 +64,22 @@ async function confirmRequestTwoFactor (req: express.Request, res: express.Respo
  const otpToken = req.body.otpToken
  const user = res.locals.user
-  const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+  const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
-  if (!secret) {
+  if (!encryptedSecret) {
    return res.fail({
      message: 'Invalid request token',
      status: HttpStatusCode.FORBIDDEN_403
    })
  }
-  if (isOTPValid({ secret, token: otpToken }) !== true) {
+  if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
    return res.fail({
      message: 'Invalid OTP token',
      status: HttpStatusCode.FORBIDDEN_403
    })
  }
-  user.otpSecret = secret
+  user.otpSecret = encryptedSecret
  await user.save()
  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
author	Chocobozzz <me@florianbigard.com>	2022-10-10 11:12:23 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-10-10 11:12:23 +0200
commit	a3e5f804ad821f6979e8735b0569b1209986fedc (patch)
tree	5b34a6bd6b3cb1c5e3eed32a72d02922100d53dc /server/controllers
parent	a0da6f90d16027b385a67da6a5691b163626a363 (diff)
download	PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.gz PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.tar.zst PeerTube-a3e5f804ad821f6979e8735b0569b1209986fedc.zip

diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts index 79f63a62d..e6ae9e4dd 100644 --- a/server/controllers/api/users/two-factor.ts +++ b/server/controllers/api/users/two-factor.ts
@@ -1,5 +1,7 @@
1	import express from 'express'	1	import express from 'express'
2	import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'	2	import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
		3	import { encrypt } from '@server/helpers/peertube-crypto'
		4	import { CONFIG } from '@server/initializers/config'
3	import { Redis } from '@server/lib/redis'	5	import { Redis } from '@server/lib/redis'
4	import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'	6	import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
5	import {	7	import {
@@ -44,7 +46,9 @@ async function requestTwoFactor (req: express.Request, res: express.Response) {
44	const user = res.locals.user	46	const user = res.locals.user
45		47
46	const { secret, uri } = generateOTPSecret(user.email)	48	const { secret, uri } = generateOTPSecret(user.email)
47	const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)	49
		50	const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
		51	const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
48		52
49	return res.json({	53	return res.json({
50	otpRequest: {	54	otpRequest: {
@@ -60,22 +64,22 @@ async function confirmRequestTwoFactor (req: express.Request, res: express.Respo
60	const otpToken = req.body.otpToken	64	const otpToken = req.body.otpToken
61	const user = res.locals.user	65	const user = res.locals.user
62		66
63	const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)	67	const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
64	if (!secret) {	68	if (!encryptedSecret) {
65	return res.fail({	69	return res.fail({
66	message: 'Invalid request token',	70	message: 'Invalid request token',
67	status: HttpStatusCode.FORBIDDEN_403	71	status: HttpStatusCode.FORBIDDEN_403
68	})	72	})
69	}	73	}
70		74
71	if (isOTPValid({ secret, token: otpToken }) !== true) {	75	if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
72	return res.fail({	76	return res.fail({
73	message: 'Invalid OTP token',	77	message: 'Invalid OTP token',
74	status: HttpStatusCode.FORBIDDEN_403	78	status: HttpStatusCode.FORBIDDEN_403
75	})	79	})
76	}	80	}
77		81
78	user.otpSecret = secret	82	user.otpSecret = encryptedSecret
79	await user.save()	83	await user.save()
80		84
81	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)	85	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)