diff options
author | Chocobozzz <me@florianbigard.com> | 2022-10-10 11:19:58 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2022-10-10 11:19:58 +0200 |
commit | 63fa260a81a8930c157b73c897fe8696a8cc90d4 (patch) | |
tree | 705ebfae42f9c59b2a1ac97779e4037102dfed1c /server/lib/auth/oauth.ts | |
parent | 9b99d32804e99462c6f22df3ec3db9ec5bf8a18c (diff) | |
parent | 1ea868a9456439108fbd87255537093ed8bd456f (diff) | |
download | PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.tar.gz PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.tar.zst PeerTube-63fa260a81a8930c157b73c897fe8696a8cc90d4.zip |
Merge branch 'feature/otp' into develop
Diffstat (limited to 'server/lib/auth/oauth.ts')
-rw-r--r-- | server/lib/auth/oauth.ts | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts index fa1887315..35b05ec5a 100644 --- a/server/lib/auth/oauth.ts +++ b/server/lib/auth/oauth.ts | |||
@@ -9,11 +9,23 @@ import OAuth2Server, { | |||
9 | UnsupportedGrantTypeError | 9 | UnsupportedGrantTypeError |
10 | } from '@node-oauth/oauth2-server' | 10 | } from '@node-oauth/oauth2-server' |
11 | import { randomBytesPromise } from '@server/helpers/core-utils' | 11 | import { randomBytesPromise } from '@server/helpers/core-utils' |
12 | import { isOTPValid } from '@server/helpers/otp' | ||
12 | import { MOAuthClient } from '@server/types/models' | 13 | import { MOAuthClient } from '@server/types/models' |
13 | import { sha1 } from '@shared/extra-utils' | 14 | import { sha1 } from '@shared/extra-utils' |
14 | import { OAUTH_LIFETIME } from '../../initializers/constants' | 15 | import { HttpStatusCode } from '@shared/models' |
16 | import { OAUTH_LIFETIME, OTP } from '../../initializers/constants' | ||
15 | import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model' | 17 | import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model' |
16 | 18 | ||
19 | class MissingTwoFactorError extends Error { | ||
20 | code = HttpStatusCode.UNAUTHORIZED_401 | ||
21 | name = 'missing_two_factor' | ||
22 | } | ||
23 | |||
24 | class InvalidTwoFactorError extends Error { | ||
25 | code = HttpStatusCode.BAD_REQUEST_400 | ||
26 | name = 'invalid_two_factor' | ||
27 | } | ||
28 | |||
17 | /** | 29 | /** |
18 | * | 30 | * |
19 | * Reimplement some functions of OAuth2Server to inject external auth methods | 31 | * Reimplement some functions of OAuth2Server to inject external auth methods |
@@ -94,6 +106,9 @@ function handleOAuthAuthenticate ( | |||
94 | } | 106 | } |
95 | 107 | ||
96 | export { | 108 | export { |
109 | MissingTwoFactorError, | ||
110 | InvalidTwoFactorError, | ||
111 | |||
97 | handleOAuthToken, | 112 | handleOAuthToken, |
98 | handleOAuthAuthenticate | 113 | handleOAuthAuthenticate |
99 | } | 114 | } |
@@ -118,6 +133,16 @@ async function handlePasswordGrant (options: { | |||
118 | const user = await getUser(request.body.username, request.body.password, bypassLogin) | 133 | const user = await getUser(request.body.username, request.body.password, bypassLogin) |
119 | if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid') | 134 | if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid') |
120 | 135 | ||
136 | if (user.otpSecret) { | ||
137 | if (!request.headers[OTP.HEADER_NAME]) { | ||
138 | throw new MissingTwoFactorError('Missing two factor header') | ||
139 | } | ||
140 | |||
141 | if (await isOTPValid({ encryptedSecret: user.otpSecret, token: request.headers[OTP.HEADER_NAME] }) !== true) { | ||
142 | throw new InvalidTwoFactorError('Invalid two factor header') | ||
143 | } | ||
144 | } | ||
145 | |||
121 | const token = await buildToken() | 146 | const token = await buildToken() |
122 | 147 | ||
123 | return saveToken(token, client, user, { bypassLogin }) | 148 | return saveToken(token, client, user, { bypassLogin }) |