6 files changed, 111 insertions, 35 deletions
diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 0b27d5277..a8677a1d3 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
 import { myNotificationsRouter } from './my-notifications'
 import { mySubscriptionsRouter } from './my-subscriptions'
 import { myVideoPlaylistsRouter } from './my-video-playlists'
+import { twoFactorRouter } from './two-factor'
 const auditLogger = auditLoggerFactory('users')
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
 })
 const usersRouter = express.Router()
+usersRouter.use('/', twoFactorRouter)
 usersRouter.use('/', tokensRouter)
 usersRouter.use('/', myNotificationsRouter)
 usersRouter.use('/', mySubscriptionsRouter)
@@ -343,7 +345,7 @@ async function askResetUserPassword (req: express.Request, res: express.Response
  const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
  const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
-  await Emailer.Instance.addPasswordResetEmailJob(user.username, user.email, url)
+  Emailer.Instance.addPasswordResetEmailJob(user.username, user.email, url)
  return res.status(HttpStatusCode.NO_CONTENT_204).end()
 }
diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts
index 012a49791..c6afea67c 100644
--- a/server/controllers/api/users/token.ts
+++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
 import express from 'express'
 import { logger } from '@server/helpers/logger'
 import { CONFIG } from '@server/initializers/config'
+import { OTP } from '@server/initializers/constants'
 import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
-import { handleOAuthToken } from '@server/lib/auth/oauth'
+import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
 import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
 import { Hooks } from '@server/lib/plugins/hooks'
 import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
  } catch (err) {
    logger.warn('Login error', { err })
+    if (err instanceof MissingTwoFactorError) {
+      res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
+    }
    return res.fail({
      status: err.code,
      message: err.message,
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts
new file mode 100644
index 000000000..e6ae9e4dd
--- /dev/null
+++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,95 @@
+import express from 'express'
+import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
+import { encrypt } from '@server/helpers/peertube-crypto'
+import { CONFIG } from '@server/initializers/config'
+import { Redis } from '@server/lib/redis'
+import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
+import {
+  confirmTwoFactorValidator,
+  disableTwoFactorValidator,
+  requestOrConfirmTwoFactorValidator
+} from '@server/middlewares/validators/two-factor'
+import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
+const twoFactorRouter = express.Router()
+twoFactorRouter.post('/:id/two-factor/request',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  asyncMiddleware(requestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/confirm-request',
+  authenticate,
+  asyncMiddleware(requestOrConfirmTwoFactorValidator),
+  confirmTwoFactorValidator,
+  asyncMiddleware(confirmRequestTwoFactor)
+)
+twoFactorRouter.post('/:id/two-factor/disable',
+  authenticate,
+  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
+  asyncMiddleware(disableTwoFactorValidator),
+  asyncMiddleware(disableTwoFactor)
+)
+// ---------------------------------------------------------------------------
+export {
+  twoFactorRouter
+}
+// ---------------------------------------------------------------------------
+async function requestTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  const { secret, uri } = generateOTPSecret(user.email)
+  const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
+  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
+  return res.json({
+    otpRequest: {
+      requestToken,
+      secret,
+      uri
+    }
+  } as TwoFactorEnableResult)
+}
+async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
+  const requestToken = req.body.requestToken
+  const otpToken = req.body.otpToken
+  const user = res.locals.user
+  const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
+  if (!encryptedSecret) {
+    return res.fail({
+      message: 'Invalid request token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
+    return res.fail({
+      message: 'Invalid OTP token',
+      status: HttpStatusCode.FORBIDDEN_403
+    })
+  }
+  user.otpSecret = encryptedSecret
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
+async function disableTwoFactor (req: express.Request, res: express.Response) {
+  const user = res.locals.user
+  user.otpSecret = null
+  await user.save()
+  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
+}
diff --git a/server/controllers/index.ts b/server/controllers/index.ts
index e8833d58c..8574a9e7b 100644
--- a/server/controllers/index.ts
+++ b/server/controllers/index.ts
@@ -6,7 +6,6 @@ export * from './feeds'
 export * from './services'
 export * from './static'
 export * from './lazy-static'
-export * from './live'
 export * from './misc'
 export * from './webfinger'
 export * from './tracker'
diff --git a/server/controllers/live.ts b/server/controllers/live.ts
deleted file mode 100644
index 81008f120..000000000
--- a/server/controllers/live.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-import cors from 'cors'
-import express from 'express'
-import { mapToJSON } from '@server/helpers/core-utils'
-import { LiveSegmentShaStore } from '@server/lib/live'
-import { HttpStatusCode } from '@shared/models'
-const liveRouter = express.Router()
-liveRouter.use('/segments-sha256/:videoUUID',
-  cors(),
-  getSegmentsSha256
-)
-// ---------------------------------------------------------------------------
-export {
-  liveRouter
-}
-// ---------------------------------------------------------------------------
-function getSegmentsSha256 (req: express.Request, res: express.Response) {
-  const videoUUID = req.params.videoUUID
-  const result = LiveSegmentShaStore.Instance.getSegmentsSha256(videoUUID)
-  if (!result) {
-    return res.status(HttpStatusCode.NOT_FOUND_404).end()
-  }
-  return res.json(mapToJSON(result))
-}
diff --git a/server/controllers/well-known.ts b/server/controllers/well-known.ts
index f467bd629..ce5883571 100644
--- a/server/controllers/well-known.ts
+++ b/server/controllers/well-known.ts
@@ -5,6 +5,7 @@ import { root } from '@shared/core-utils'
 import { CONFIG } from '../initializers/config'
 import { ROUTE_CACHE_LIFETIME, WEBSERVER } from '../initializers/constants'
 import { cacheRoute } from '../middlewares/cache/cache'
+import { handleStaticError } from '@server/middlewares'
 const wellKnownRouter = express.Router()
@@ -69,6 +70,12 @@ wellKnownRouter.use('/.well-known/host-meta',
  }
 )
+wellKnownRouter.use('/.well-known/',
+  cacheRoute(ROUTE_CACHE_LIFETIME.WELL_KNOWN),
+  express.static(CONFIG.STORAGE.WELL_KNOWN_DIR, { fallthrough: false }),
+  handleStaticError
+)
 // ---------------------------------------------------------------------------
 export {

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts index 0b27d5277..a8677a1d3 100644 --- a/server/controllers/api/users/index.ts +++ b/server/controllers/api/users/index.ts
@@ -51,6 +51,7 @@ import { myVideosHistoryRouter } from './my-history'
51	import { myNotificationsRouter } from './my-notifications'	51	import { myNotificationsRouter } from './my-notifications'
52	import { mySubscriptionsRouter } from './my-subscriptions'	52	import { mySubscriptionsRouter } from './my-subscriptions'
53	import { myVideoPlaylistsRouter } from './my-video-playlists'	53	import { myVideoPlaylistsRouter } from './my-video-playlists'
		54	import { twoFactorRouter } from './two-factor'
54		55
55	const auditLogger = auditLoggerFactory('users')	56	const auditLogger = auditLoggerFactory('users')
56		57
@@ -66,6 +67,7 @@ const askSendEmailLimiter = buildRateLimiter({
66	})	67	})
67		68
68	const usersRouter = express.Router()	69	const usersRouter = express.Router()
		70	usersRouter.use('/', twoFactorRouter)
69	usersRouter.use('/', tokensRouter)	71	usersRouter.use('/', tokensRouter)
70	usersRouter.use('/', myNotificationsRouter)	72	usersRouter.use('/', myNotificationsRouter)
71	usersRouter.use('/', mySubscriptionsRouter)	73	usersRouter.use('/', mySubscriptionsRouter)
@@ -343,7 +345,7 @@ async function askResetUserPassword (req: express.Request, res: express.Response
343		345
344	const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)	346	const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
345	const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString	347	const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
346	await Emailer.Instance.addPasswordResetEmailJob(user.username, user.email, url)	348	Emailer.Instance.addPasswordResetEmailJob(user.username, user.email, url)
347		349
348	return res.status(HttpStatusCode.NO_CONTENT_204).end()	350	return res.status(HttpStatusCode.NO_CONTENT_204).end()
349	}	351	}


diff --git a/server/controllers/api/users/token.ts b/server/controllers/api/users/token.ts index 012a49791..c6afea67c 100644 --- a/server/controllers/api/users/token.ts +++ b/server/controllers/api/users/token.ts
@@ -1,8 +1,9 @@
1	import express from 'express'	1	import express from 'express'
2	import { logger } from '@server/helpers/logger'	2	import { logger } from '@server/helpers/logger'
3	import { CONFIG } from '@server/initializers/config'	3	import { CONFIG } from '@server/initializers/config'
		4	import { OTP } from '@server/initializers/constants'
4	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'	5	import { getAuthNameFromRefreshGrant, getBypassFromExternalAuth, getBypassFromPasswordGrant } from '@server/lib/auth/external-auth'
5	import { handleOAuthToken } from '@server/lib/auth/oauth'	6	import { handleOAuthToken, MissingTwoFactorError } from '@server/lib/auth/oauth'
6	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'	7	import { BypassLogin, revokeToken } from '@server/lib/auth/oauth-model'
7	import { Hooks } from '@server/lib/plugins/hooks'	8	import { Hooks } from '@server/lib/plugins/hooks'
8	import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'	9	import { asyncMiddleware, authenticate, buildRateLimiter, openapiOperationDoc } from '@server/middlewares'
@@ -79,6 +80,10 @@ async function handleToken (req: express.Request, res: express.Response, next: e
79	} catch (err) {	80	} catch (err) {
80	logger.warn('Login error', { err })	81	logger.warn('Login error', { err })
81		82
		83	if (err instanceof MissingTwoFactorError) {
		84	res.set(OTP.HEADER_NAME, OTP.HEADER_REQUIRED_VALUE)
		85	}
		86
82	return res.fail({	87	return res.fail({
83	status: err.code,	88	status: err.code,
84	message: err.message,	89	message: err.message,


diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts new file mode 100644 index 000000000..e6ae9e4dd --- /dev/null +++ b/server/controllers/api/users/two-factor.ts
@@ -0,0 +1,95 @@
		1	import express from 'express'
		2	import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
		3	import { encrypt } from '@server/helpers/peertube-crypto'
		4	import { CONFIG } from '@server/initializers/config'
		5	import { Redis } from '@server/lib/redis'
		6	import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
		7	import {
		8	confirmTwoFactorValidator,
		9	disableTwoFactorValidator,
		10	requestOrConfirmTwoFactorValidator
		11	} from '@server/middlewares/validators/two-factor'
		12	import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'
		13
		14	const twoFactorRouter = express.Router()
		15
		16	twoFactorRouter.post('/:id/two-factor/request',
		17	authenticate,
		18	asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
		19	asyncMiddleware(requestOrConfirmTwoFactorValidator),
		20	asyncMiddleware(requestTwoFactor)
		21	)
		22
		23	twoFactorRouter.post('/:id/two-factor/confirm-request',
		24	authenticate,
		25	asyncMiddleware(requestOrConfirmTwoFactorValidator),
		26	confirmTwoFactorValidator,
		27	asyncMiddleware(confirmRequestTwoFactor)
		28	)
		29
		30	twoFactorRouter.post('/:id/two-factor/disable',
		31	authenticate,
		32	asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
		33	asyncMiddleware(disableTwoFactorValidator),
		34	asyncMiddleware(disableTwoFactor)
		35	)
		36
		37	// ---------------------------------------------------------------------------
		38
		39	export {
		40	twoFactorRouter
		41	}
		42
		43	// ---------------------------------------------------------------------------
		44
		45	async function requestTwoFactor (req: express.Request, res: express.Response) {
		46	const user = res.locals.user
		47
		48	const { secret, uri } = generateOTPSecret(user.email)
		49
		50	const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
		51	const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)
		52
		53	return res.json({
		54	otpRequest: {
		55	requestToken,
		56	secret,
		57	uri
		58	}
		59	} as TwoFactorEnableResult)
		60	}
		61
		62	async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
		63	const requestToken = req.body.requestToken
		64	const otpToken = req.body.otpToken
		65	const user = res.locals.user
		66
		67	const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
		68	if (!encryptedSecret) {
		69	return res.fail({
		70	message: 'Invalid request token',
		71	status: HttpStatusCode.FORBIDDEN_403
		72	})
		73	}
		74
		75	if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
		76	return res.fail({
		77	message: 'Invalid OTP token',
		78	status: HttpStatusCode.FORBIDDEN_403
		79	})
		80	}
		81
		82	user.otpSecret = encryptedSecret
		83	await user.save()
		84
		85	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
		86	}
		87
		88	async function disableTwoFactor (req: express.Request, res: express.Response) {
		89	const user = res.locals.user
		90
		91	user.otpSecret = null
		92	await user.save()
		93
		94	return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
		95	}


diff --git a/server/controllers/index.ts b/server/controllers/index.ts index e8833d58c..8574a9e7b 100644 --- a/server/controllers/index.ts +++ b/server/controllers/index.ts
@@ -6,7 +6,6 @@ export * from './feeds'
6	export * from './services'	6	export * from './services'
7	export * from './static'	7	export * from './static'
8	export * from './lazy-static'	8	export * from './lazy-static'
9	export * from './live'
10	export * from './misc'	9	export * from './misc'
11	export * from './webfinger'	10	export * from './webfinger'
12	export * from './tracker'	11	export * from './tracker'


diff --git a/server/controllers/live.ts b/server/controllers/live.ts deleted file mode 100644 index 81008f120..000000000 --- a/server/controllers/live.ts +++ /dev/null
@@ -1,32 +0,0 @@
1	import cors from 'cors'
2	import express from 'express'
3	import { mapToJSON } from '@server/helpers/core-utils'
4	import { LiveSegmentShaStore } from '@server/lib/live'
5	import { HttpStatusCode } from '@shared/models'
6
7	const liveRouter = express.Router()
8
9	liveRouter.use('/segments-sha256/:videoUUID',
10	cors(),
11	getSegmentsSha256
12	)
13
14	// ---------------------------------------------------------------------------
15
16	export {
17	liveRouter
18	}
19
20	// ---------------------------------------------------------------------------
21
22	function getSegmentsSha256 (req: express.Request, res: express.Response) {
23	const videoUUID = req.params.videoUUID
24
25	const result = LiveSegmentShaStore.Instance.getSegmentsSha256(videoUUID)
26
27	if (!result) {
28	return res.status(HttpStatusCode.NOT_FOUND_404).end()
29	}
30
31	return res.json(mapToJSON(result))
32	}


diff --git a/server/controllers/well-known.ts b/server/controllers/well-known.ts index f467bd629..ce5883571 100644 --- a/server/controllers/well-known.ts +++ b/server/controllers/well-known.ts
@@ -5,6 +5,7 @@ import { root } from '@shared/core-utils'
5	import { CONFIG } from '../initializers/config'	5	import { CONFIG } from '../initializers/config'
6	import { ROUTE_CACHE_LIFETIME, WEBSERVER } from '../initializers/constants'	6	import { ROUTE_CACHE_LIFETIME, WEBSERVER } from '../initializers/constants'
7	import { cacheRoute } from '../middlewares/cache/cache'	7	import { cacheRoute } from '../middlewares/cache/cache'
		8	import { handleStaticError } from '@server/middlewares'
8		9
9	const wellKnownRouter = express.Router()	10	const wellKnownRouter = express.Router()
10		11
@@ -69,6 +70,12 @@ wellKnownRouter.use('/.well-known/host-meta',
69	}	70	}
70	)	71	)
71		72
		73	wellKnownRouter.use('/.well-known/',
		74	cacheRoute(ROUTE_CACHE_LIFETIME.WELL_KNOWN),
		75	express.static(CONFIG.STORAGE.WELL_KNOWN_DIR, { fallthrough: false }),
		76	handleStaticError
		77	)
		78
72	// ---------------------------------------------------------------------------	79	// ---------------------------------------------------------------------------
73		80
74	export {	81	export {