1 files changed, 91 insertions, 0 deletions
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
new file mode 100644
index 000000000..1725294e7
--- /dev/null
+++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,91 @@
+import express from 'express'
+import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { Redis } from '@server/lib/redis'
+import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
+import {
+  confirmTwoFactorValidator,
+  disableTwoFactorValidator,
+  requestOrConfirmTwoFactorValidator
+} from '@server/middlewares/validators/two-factor'
+import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
+const twoFactorRouter = express.Router()
+twoFactorRouter.post('/:id/two-factor/request',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPassword),
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  asyncMiddleware(requestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/confirm-request',
+  authenticate,
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  confirmTwoFactorValidator,
+  asyncMiddleware(confirmRequestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/disable',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPassword),
+  asyncMiddleware(disableTwoFactorValidator),
+  asyncMiddleware(disableTwoFactor)
+)
+// ---------------------------------------------------------------------------
+export {
+  twoFactorRouter
+}
+// ---------------------------------------------------------------------------
+async function requestTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  const { secret, uri } = generateOTPSecret(user.email)
+  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
+  return res.json({
+    otpRequest: {
+      requestToken,
+      secret,
+      uri
+    }
+  } as TwoFactorEnableResult)
+}
+async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
+  const requestToken = req.body.requestToken
+  const otpToken = req.body.otpToken
+  const user = res.locals.user
+  const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+  if (!secret) {
+    return res.fail({
+      message: 'Invalid request token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  if (isOTPValid({ secret, token: otpToken }) !== true) {
+    return res.fail({
+      message: 'Invalid OTP token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  user.otpSecret = secret
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
+async function disableTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  user.otpSecret = null
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}

diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts new file mode 100644 index 000000000..1725294e7 --- /dev/null +++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,91 @@
	1	import express from 'express'
	2	import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
	3	import { Redis } from '@server/lib/redis'
	4	import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares'
	5	import {
	6	confirmTwoFactorValidator,
	7	disableTwoFactorValidator,
	8	requestOrConfirmTwoFactorValidator
	9	} from '@server/middlewares/validators/two-factor'
	10	import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
	11
	12	const twoFactorRouter = express.Router()
	13
	14	twoFactorRouter.post('/:id/two-factor/request',
	15	authenticate,
	16	asyncMiddleware(usersCheckCurrentPassword),
	17	asyncMiddleware(requestOrConfirmTwoFactorValidator),
	18	asyncMiddleware(requestTwoFactor)
	19	)
	20
	21	twoFactorRouter.post('/:id/two-factor/confirm-request',
	22	authenticate,
	23	asyncMiddleware(requestOrConfirmTwoFactorValidator),
	24	confirmTwoFactorValidator,
	25	asyncMiddleware(confirmRequestTwoFactor)
	26	)
	27
	28	twoFactorRouter.post('/:id/two-factor/disable',
	29	authenticate,
	30	asyncMiddleware(usersCheckCurrentPassword),
	31	asyncMiddleware(disableTwoFactorValidator),
	32	asyncMiddleware(disableTwoFactor)
	33	)
	34
	35	// ---------------------------------------------------------------------------
	36
	37	export {
	38	twoFactorRouter
	39	}
	40
	41	// ---------------------------------------------------------------------------
	42
	43	async function requestTwoFactor (req: express.Request, res: express.Response) {
	44	const user = res.locals.user
	45
	46	const { secret, uri } = generateOTPSecret(user.email)
	47	const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret)
	48
	49	return res.json({
	50	otpRequest: {
	51	requestToken,
	52	secret,
	53	uri
	54	}
	55	} as TwoFactorEnableResult)
	56	}
	57
	58	async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
	59	const requestToken = req.body.requestToken
	60	const otpToken = req.body.otpToken
	61	const user = res.locals.user
	62
	63	const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
	64	if (!secret) {
	65	return res.fail({
	66	message: 'Invalid request token',
	67	status: HttpStatusCode.FORBIDDEN_403
	68	})
	69	}
	70
	71	if (isOTPValid({ secret, token: otpToken }) !== true) {
	72	return res.fail({
	73	message: 'Invalid OTP token',
	74	status: HttpStatusCode.FORBIDDEN_403
	75	})
	76	}
	77
	78	user.otpSecret = secret
	79	await user.save()
	80
	81	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
	82	}
	83
	84	async function disableTwoFactor (req: express.Request, res: express.Response) {
	85	const user = res.locals.user
	86
	87	user.otpSecret = null
	88	await user.save()
	89
	90	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
	91	}