Support two factor authentication in backend

author: Chocobozzz <me@florianbigard.com> 2022-10-05 15:37:15 +0200
committer: Chocobozzz <me@florianbigard.com> 2022-10-07 10:51:16 +0200
commit: 56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree: 854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/lib/auth/oauth.ts
parent: 7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
download: PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst
PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip
1 files changed, 26 insertions, 1 deletions
diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts
index fa1887315..b541142a5 100644
--- a/server/lib/auth/oauth.ts
+++ b/server/lib/auth/oauth.ts
@@ -11,8 +11,20 @@ import OAuth2Server, {
 import { randomBytesPromise } from '@server/helpers/core-utils'
 import { MOAuthClient } from '@server/types/models'
 import { sha1 } from '@shared/extra-utils'
-import { OAUTH_LIFETIME } from '../../initializers/constants'
+import { HttpStatusCode } from '@shared/models'
+import { OAUTH_LIFETIME, OTP } from '../../initializers/constants'
 import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model'
+import { isOTPValid } from '@server/helpers/otp'
+class MissingTwoFactorError extends Error {
+  code = HttpStatusCode.UNAUTHORIZED_401
+  name = 'missing_two_factor'
+}
+class InvalidTwoFactorError extends Error {
+  code = HttpStatusCode.BAD_REQUEST_400
+  name = 'invalid_two_factor'
+}
 /**
 *
@@ -94,6 +106,9 @@ function handleOAuthAuthenticate (
 }
 export {
+  MissingTwoFactorError,
+  InvalidTwoFactorError,
  handleOAuthToken,
  handleOAuthAuthenticate
 }
@@ -118,6 +133,16 @@ async function handlePasswordGrant (options: {
  const user = await getUser(request.body.username, request.body.password, bypassLogin)
  if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid')
+  if (user.otpSecret) {
+    if (!request.headers[OTP.HEADER_NAME]) {
+      throw new MissingTwoFactorError('Missing two factor header')
+    }
+    if (isOTPValid({ secret: user.otpSecret, token: request.headers[OTP.HEADER_NAME] }) !== true) {
+      throw new InvalidTwoFactorError('Invalid two factor header')
+    }
+  }
  const token = await buildToken()
  return saveToken(token, client, user, { bypassLogin })
author	Chocobozzz <me@florianbigard.com>	2022-10-05 15:37:15 +0200
committer	Chocobozzz <me@florianbigard.com>	2022-10-07 10:51:16 +0200
commit	56f47830758ff8e92abcfcc5f35d474ab12fe215 (patch)
tree	854e57ec1b800d6ad740c8e42bee00cbd21e1724 /server/lib/auth/oauth.ts
parent	7dd7ff4cebc290b09fe00d82046bb58e4e8a800d (diff)
download	PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.gz PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.tar.zst PeerTube-56f47830758ff8e92abcfcc5f35d474ab12fe215.zip

diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts index fa1887315..b541142a5 100644 --- a/server/lib/auth/oauth.ts +++ b/server/lib/auth/oauth.ts
@@ -11,8 +11,20 @@ import OAuth2Server, {
11	import { randomBytesPromise } from '@server/helpers/core-utils'	11	import { randomBytesPromise } from '@server/helpers/core-utils'
12	import { MOAuthClient } from '@server/types/models'	12	import { MOAuthClient } from '@server/types/models'
13	import { sha1 } from '@shared/extra-utils'	13	import { sha1 } from '@shared/extra-utils'
14	import { OAUTH_LIFETIME } from '../../initializers/constants'	14	import { HttpStatusCode } from '@shared/models'
		15	import { OAUTH_LIFETIME, OTP } from '../../initializers/constants'
15	import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model'	16	import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model'
		17	import { isOTPValid } from '@server/helpers/otp'
		18
		19	class MissingTwoFactorError extends Error {
		20	code = HttpStatusCode.UNAUTHORIZED_401
		21	name = 'missing_two_factor'
		22	}
		23
		24	class InvalidTwoFactorError extends Error {
		25	code = HttpStatusCode.BAD_REQUEST_400
		26	name = 'invalid_two_factor'
		27	}
16		28
17	/**	29	/**
18	*	30	*
@@ -94,6 +106,9 @@ function handleOAuthAuthenticate (
94	}	106	}
95		107
96	export {	108	export {
		109	MissingTwoFactorError,
		110	InvalidTwoFactorError,
		111
97	handleOAuthToken,	112	handleOAuthToken,
98	handleOAuthAuthenticate	113	handleOAuthAuthenticate
99	}	114	}
@@ -118,6 +133,16 @@ async function handlePasswordGrant (options: {
118	const user = await getUser(request.body.username, request.body.password, bypassLogin)	133	const user = await getUser(request.body.username, request.body.password, bypassLogin)
119	if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid')	134	if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid')
120		135
		136	if (user.otpSecret) {
		137	if (!request.headers[OTP.HEADER_NAME]) {
		138	throw new MissingTwoFactorError('Missing two factor header')
		139	}
		140
		141	if (isOTPValid({ secret: user.otpSecret, token: request.headers[OTP.HEADER_NAME] }) !== true) {
		142	throw new InvalidTwoFactorError('Invalid two factor header')
		143	}
		144	}
		145
121	const token = await buildToken()	146	const token = await buildToken()
122		147
123	return saveToken(token, client, user, { bypassLogin })	148	return saveToken(token, client, user, { bypassLogin })