3 files changed, 103 insertions, 1 deletions
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 07b9ae395..a8677a1d3 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
 import { myNotificationsRouter } from './my-notifications'
 import { mySubscriptionsRouter } from './my-subscriptions'
 import { myVideoPlaylistsRouter } from './my-video-playlists'
+import { twoFactorRouter } from './two-factor'
 const auditLogger = auditLoggerFactory('users')
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
 })
 const usersRouter = express.Router()
+usersRouter.use('/', twoFactorRouter)
 usersRouter.use('/', tokensRouter)
 usersRouter.use('/', myNotificationsRouter)
 usersRouter.use('/', mySubscriptionsRouter)
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts
index 012a49791..c6afea67c 100644
--- a/server/controllers/api/users/token.ts
+++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
 import express from 'express'
 import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
+import { OTP } from '@server/initializers/constants'
 import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
-import { handleOAuthToken } from '@server/lib/auth/oauth'
+import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
 import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
  } catch (err) {
    logger.warn('Login error', { err })
+    if (err instanceof MissingTwoFactorError) {
+      res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
+    }
    return res.fail({
      status: err.code,
      message: err.message,
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
new file mode 100644
index 000000000..e6ae9e4dd
--- /dev/null
+++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,95 @@
+import express from 'express'
+import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { encrypt } from '@server/helpers/peertube-crypto'
+import { CONFIG } from '@server/initializers/config'
+import { Redis } from '@server/lib/redis'
+import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
+import {
+  confirmTwoFactorValidator,
+  disableTwoFactorValidator,
+  requestOrConfirmTwoFactorValidator
+} from '@server/middlewares/validators/two-factor'
+import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
+const twoFactorRouter = express.Router()
+twoFactorRouter.post('/:id/two-factor/request',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  asyncMiddleware(requestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/confirm-request',
+  authenticate,
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  confirmTwoFactorValidator,
+  asyncMiddleware(confirmRequestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/disable',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
+  asyncMiddleware(disableTwoFactorValidator),
+  asyncMiddleware(disableTwoFactor)
+)
+// ---------------------------------------------------------------------------
+export {
+  twoFactorRouter
+}
+// ---------------------------------------------------------------------------
+async function requestTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  const { secret, uri } = generateOTPSecret(user.email)
+  const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
+  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
+  return res.json({
+    otpRequest: {
+      requestToken,
+      secret,
+      uri
+    }
+  } as TwoFactorEnableResult)
+}
+async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
+  const requestToken = req.body.requestToken
+  const otpToken = req.body.otpToken
+  const user = res.locals.user
+  const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+  if (!encryptedSecret) {
+    return res.fail({
+      message: 'Invalid request token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
+    return res.fail({
+      message: 'Invalid OTP token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  user.otpSecret = encryptedSecret
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
+async function disableTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  user.otpSecret = null
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 07b9ae395..a8677a1d3 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
51	import { myNotificationsRouter } from './my-notifications'	51	import { myNotificationsRouter } from './my-notifications'
52	import { mySubscriptionsRouter } from './my-subscriptions'	52	import { mySubscriptionsRouter } from './my-subscriptions'
53	import { myVideoPlaylistsRouter } from './my-video-playlists'	53	import { myVideoPlaylistsRouter } from './my-video-playlists'
		54	import { twoFactorRouter } from './two-factor'
54		55
55	const auditLogger = auditLoggerFactory('users')	56	const auditLogger = auditLoggerFactory('users')
56		57
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
66	})	67	})
67		68
68	const usersRouter = express.Router()	69	const usersRouter = express.Router()
		70	usersRouter.use('/', twoFactorRouter)
69	usersRouter.use('/', tokensRouter)	71	usersRouter.use('/', tokensRouter)
70	usersRouter.use('/', myNotificationsRouter)	72	usersRouter.use('/', myNotificationsRouter)
71	usersRouter.use('/', mySubscriptionsRouter)	73	usersRouter.use('/', mySubscriptionsRouter)


diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts index 012a49791..c6afea67c 100644 --- a/server/controllers/api/users/token.ts +++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
1	import express from 'express'	1	import express from 'express'
2	import { logger } from '@server/helpers/logger'	2	import { logger } from '@server/helpers/logger'
3	import { CONFIG } from '@server/initializers/config'	3	import { CONFIG } from '@server/initializers/config'
		4	import { OTP } from '@server/initializers/constants'
4	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'	5	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
5	import { handleOAuthToken } from '@server/lib/auth/oauth'	6	import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
6	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'	7	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
7	import { Hooks } from '@server/lib/plugins/hooks'	8	import { Hooks } from '@server/lib/plugins/hooks'
8	import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'	9	import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
79	} catch (err) {	80	} catch (err) {
80	logger.warn('Login error', { err })	81	logger.warn('Login error', { err })
81		82
		83	if (err instanceof MissingTwoFactorError) {
		84	res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
		85	}
		86
82	return res.fail({	87	return res.fail({
83	status: err.code,	88	status: err.code,
84	message: err.message,	89	message: err.message,


diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts new file mode 100644 index 000000000..e6ae9e4dd --- /dev/null +++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,95 @@
		1	import express from 'express'
		2	import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
		3	import { encrypt } from '@server/helpers/peertube-crypto'
		4	import { CONFIG } from '@server/initializers/config'
		5	import { Redis } from '@server/lib/redis'
		6	import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
		7	import {
		8	confirmTwoFactorValidator,
		9	disableTwoFactorValidator,
		10	requestOrConfirmTwoFactorValidator
		11	} from '@server/middlewares/validators/two-factor'
		12	import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
		13
		14	const twoFactorRouter = express.Router()
		15
		16	twoFactorRouter.post('/:id/two-factor/request',
		17	authenticate,
		18	asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
		19	asyncMiddleware(requestOrConfirmTwoFactorValidator),
		20	asyncMiddleware(requestTwoFactor)
		21	)
		22
		23	twoFactorRouter.post('/:id/two-factor/confirm-request',
		24	authenticate,
		25	asyncMiddleware(requestOrConfirmTwoFactorValidator),
		26	confirmTwoFactorValidator,
		27	asyncMiddleware(confirmRequestTwoFactor)
		28	)
		29
		30	twoFactorRouter.post('/:id/two-factor/disable',
		31	authenticate,
		32	asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
		33	asyncMiddleware(disableTwoFactorValidator),
		34	asyncMiddleware(disableTwoFactor)
		35	)
		36
		37	// ---------------------------------------------------------------------------
		38
		39	export {
		40	twoFactorRouter
		41	}
		42
		43	// ---------------------------------------------------------------------------
		44
		45	async function requestTwoFactor (req: express.Request, res: express.Response) {
		46	const user = res.locals.user
		47
		48	const { secret, uri } = generateOTPSecret(user.email)
		49
		50	const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
		51	const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
		52
		53	return res.json({
		54	otpRequest: {
		55	requestToken,
		56	secret,
		57	uri
		58	}
		59	} as TwoFactorEnableResult)
		60	}
		61
		62	async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
		63	const requestToken = req.body.requestToken
		64	const otpToken = req.body.otpToken
		65	const user = res.locals.user
		66
		67	const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
		68	if (!encryptedSecret) {
		69	return res.fail({
		70	message: 'Invalid request token',
		71	status: HttpStatusCode.FORBIDDEN_403
		72	})
		73	}
		74
		75	if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
		76	return res.fail({
		77	message: 'Invalid OTP token',
		78	status: HttpStatusCode.FORBIDDEN_403
		79	})
		80	}
		81
		82	user.otpSecret = encryptedSecret
		83	await user.save()
		84
		85	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
		86	}
		87
		88	async function disableTwoFactor (req: express.Request, res: express.Response) {
		89	const user = res.locals.user
		90
		91	user.otpSecret = null
		92	await user.save()
		93
		94	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
		95	}