3 files changed, 116 insertions, 5 deletions
diff --git a/server/helpers/core-utils.ts b/server/helpers/core-utils.ts
index c762f6a29..73bd994c1 100644
--- a/server/helpers/core-utils.ts
+++ b/server/helpers/core-utils.ts
@@ -6,7 +6,7 @@
 */
 import { exec, ExecOptions } from 'child_process'
-import { ED25519KeyPairOptions, generateKeyPair, randomBytes, RSAKeyPairOptions } from 'crypto'
+import { ED25519KeyPairOptions, generateKeyPair, randomBytes, RSAKeyPairOptions, scrypt } from 'crypto'
 import { truncate } from 'lodash'
 import { pipeline } from 'stream'
 import { URL } from 'url'
@@ -311,7 +311,17 @@ function promisify2<T, U, A> (func: (arg1: T, arg2: U, cb: (err: any, result: A)
  }
 }
+// eslint-disable-next-line max-len
+function promisify3<T, U, V, A> (func: (arg1: T, arg2: U, arg3: V, cb: (err: any, result: A) => void) => void): (arg1: T, arg2: U, arg3: V) => Promise<A> {
+  return function promisified (arg1: T, arg2: U, arg3: V): Promise<A> {
+    return new Promise<A>((resolve: (arg: A) => void, reject: (err: any) => void) => {
+      func.apply(null, [ arg1, arg2, arg3, (err: any, res: A) => err ? reject(err) : resolve(res) ])
+    })
+  }
+}
 const randomBytesPromise = promisify1<number, Buffer>(randomBytes)
+const scryptPromise = promisify3<string, string, number, Buffer>(scrypt)
 const execPromise2 = promisify2<string, any, string>(exec)
 const execPromise = promisify1<string, string>(exec)
 const pipelinePromise = promisify(pipeline)
@@ -339,6 +349,8 @@ export {
  promisify1,
  promisify2,
+  scryptPromise,
  randomBytesPromise,
  generateRSAKeyPairPromise,
diff --git a/server/helpers/otp.ts b/server/helpers/otp.ts
new file mode 100644
index 000000000..a32cc9621
--- /dev/null
+++ b/server/helpers/otp.ts
@@ -0,0 +1,58 @@
+import { Secret, TOTP } from 'otpauth'
+import { CONFIG } from '@server/initializers/config'
+import { WEBSERVER } from '@server/initializers/constants'
+import { decrypt } from './peertube-crypto'
+async function isOTPValid (options: {
+  encryptedSecret: string
+  token: string
+}) {
+  const { token, encryptedSecret } = options
+  const secret = await decrypt(encryptedSecret, CONFIG.SECRETS.PEERTUBE)
+  const totp = new TOTP({
+    ...baseOTPOptions(),
+    secret
+  })
+  const delta = totp.validate({
+    token,
+    window: 1
+  })
+  if (delta === null) return false
+  return true
+}
+function generateOTPSecret (email: string) {
+  const totp = new TOTP({
+    ...baseOTPOptions(),
+    label: email,
+    secret: new Secret()
+  })
+  return {
+    secret: totp.secret.base32,
+    uri: totp.toString()
+  }
+}
+export {
+  isOTPValid,
+  generateOTPSecret
+}
+// ---------------------------------------------------------------------------
+function baseOTPOptions () {
+  return {
+    issuer: WEBSERVER.HOST,
+    algorithm: 'SHA1',
+    digits: 6,
+    period: 30
+  }
+}
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index 8aca50900..ae7d11800 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -1,11 +1,11 @@
 import { compare, genSalt, hash } from 'bcrypt'
-import { createSign, createVerify } from 'crypto'
+import { createCipheriv, createDecipheriv, createSign, createVerify } from 'crypto'
 import { Request } from 'express'
 import { cloneDeep } from 'lodash'
 import { sha256 } from '@shared/extra-utils'
-import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
+import { BCRYPT_SALT_SIZE, ENCRYPTION, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
 import { MActor } from '../types/models'
-import { generateRSAKeyPairPromise, promisify1, promisify2 } from './core-utils'
+import { generateRSAKeyPairPromise, promisify1, promisify2, randomBytesPromise, scryptPromise } from './core-utils'
 import { jsonld } from './custom-jsonld-signature'
 import { logger } from './logger'
@@ -21,9 +21,13 @@ function createPrivateAndPublicKeys () {
  return generateRSAKeyPairPromise(PRIVATE_RSA_KEY_SIZE)
 }
+// ---------------------------------------------------------------------------
 // User password checks
+// ---------------------------------------------------------------------------
 function comparePassword (plainPassword: string, hashPassword: string) {
+  if (!plainPassword) return Promise.resolve(false)
  return bcryptComparePromise(plainPassword, hashPassword)
 }
@@ -33,7 +37,9 @@ async function cryptPassword (password: string) {
  return bcryptHashPromise(password, salt)
 }
+// ---------------------------------------------------------------------------
 // HTTP Signature
+// ---------------------------------------------------------------------------
 function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean {
  if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) {
@@ -62,7 +68,9 @@ function parseHTTPSignature (req: Request, clockSkew?: number) {
  return parsed
 }
+// ---------------------------------------------------------------------------
 // JSONLD
+// ---------------------------------------------------------------------------
 function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> {
  if (signedDocument.signature.type === 'RsaSignature2017') {
@@ -112,6 +120,8 @@ async function signJsonLDObject <T> (byActor: MActor, data: T) {
  return Object.assign(data, { signature })
 }
+// ---------------------------------------------------------------------------
 function buildDigest (body: any) {
  const rawBody = typeof body === 'string' ? body : JSON.stringify(body)
@@ -119,6 +129,34 @@ function buildDigest (body: any) {
 }
 // ---------------------------------------------------------------------------
+// Encryption
+// ---------------------------------------------------------------------------
+async function encrypt (str: string, secret: string) {
+  const iv = await randomBytesPromise(ENCRYPTION.IV)
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+  const cipher = createCipheriv(ENCRYPTION.ALGORITHM, key, iv)
+  let encrypted = iv.toString(ENCRYPTION.ENCODING) + ':'
+  encrypted += cipher.update(str, 'utf8', ENCRYPTION.ENCODING)
+  encrypted += cipher.final(ENCRYPTION.ENCODING)
+  return encrypted
+}
+async function decrypt (encryptedArg: string, secret: string) {
+  const [ ivStr, encryptedStr ] = encryptedArg.split(':')
+  const iv = Buffer.from(ivStr, 'hex')
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+  const decipher = createDecipheriv(ENCRYPTION.ALGORITHM, key, iv)
+  return decipher.update(encryptedStr, ENCRYPTION.ENCODING, 'utf8') + decipher.final('utf8')
+}
+// ---------------------------------------------------------------------------
 export {
  isHTTPSignatureDigestValid,
@@ -129,7 +167,10 @@ export {
  comparePassword,
  createPrivateAndPublicKeys,
  cryptPassword,
-  signJsonLDObject
+  signJsonLDObject,
+  encrypt,
+  decrypt
 }
 // ---------------------------------------------------------------------------

diff --git a/server/helpers/core-utils.ts b/server/helpers/core-utils.ts index c762f6a29..73bd994c1 100644 --- a/server/helpers/core-utils.ts +++ b/server/helpers/core-utils.ts
@@ -6,7 +6,7 @@
6	*/	6	*/
7		7
8	import { exec, ExecOptions } from 'child_process'	8	import { exec, ExecOptions } from 'child_process'
9	import { ED25519KeyPairOptions, generateKeyPair, randomBytes, RSAKeyPairOptions } from 'crypto'	9	import { ED25519KeyPairOptions, generateKeyPair, randomBytes, RSAKeyPairOptions, scrypt } from 'crypto'
10	import { truncate } from 'lodash'	10	import { truncate } from 'lodash'
11	import { pipeline } from 'stream'	11	import { pipeline } from 'stream'
12	import { URL } from 'url'	12	import { URL } from 'url'
@@ -311,7 +311,17 @@ function promisify2<T, U, A> (func: (arg1: T, arg2: U, cb: (err: any, result: A)
311	}	311	}
312	}	312	}
313		313
		314	// eslint-disable-next-line max-len
		315	function promisify3<T, U, V, A> (func: (arg1: T, arg2: U, arg3: V, cb: (err: any, result: A) => void) => void): (arg1: T, arg2: U, arg3: V) => Promise<A> {
		316	return function promisified (arg1: T, arg2: U, arg3: V): Promise<A> {
		317	return new Promise<A>((resolve: (arg: A) => void, reject: (err: any) => void) => {
		318	func.apply(null, [ arg1, arg2, arg3, (err: any, res: A) => err ? reject(err) : resolve(res) ])
		319	})
		320	}
		321	}
		322
314	const randomBytesPromise = promisify1<number, Buffer>(randomBytes)	323	const randomBytesPromise = promisify1<number, Buffer>(randomBytes)
		324	const scryptPromise = promisify3<string, string, number, Buffer>(scrypt)
315	const execPromise2 = promisify2<string, any, string>(exec)	325	const execPromise2 = promisify2<string, any, string>(exec)
316	const execPromise = promisify1<string, string>(exec)	326	const execPromise = promisify1<string, string>(exec)
317	const pipelinePromise = promisify(pipeline)	327	const pipelinePromise = promisify(pipeline)
@@ -339,6 +349,8 @@ export {
339	promisify1,	349	promisify1,
340	promisify2,	350	promisify2,
341		351
		352	scryptPromise,
		353
342	randomBytesPromise,	354	randomBytesPromise,
343		355
344	generateRSAKeyPairPromise,	356	generateRSAKeyPairPromise,


diff --git a/server/helpers/otp.ts b/server/helpers/otp.ts new file mode 100644 index 000000000..a32cc9621 --- /dev/null +++ b/server/helpers/otp.ts
@@ -0,0 +1,58 @@
		1	import { Secret, TOTP } from 'otpauth'
		2	import { CONFIG } from '@server/initializers/config'
		3	import { WEBSERVER } from '@server/initializers/constants'
		4	import { decrypt } from './peertube-crypto'
		5
		6	async function isOTPValid (options: {
		7	encryptedSecret: string
		8	token: string
		9	}) {
		10	const { token, encryptedSecret } = options
		11
		12	const secret = await decrypt(encryptedSecret, CONFIG.SECRETS.PEERTUBE)
		13
		14	const totp = new TOTP({
		15	...baseOTPOptions(),
		16
		17	secret
		18	})
		19
		20	const delta = totp.validate({
		21	token,
		22	window: 1
		23	})
		24
		25	if (delta === null) return false
		26
		27	return true
		28	}
		29
		30	function generateOTPSecret (email: string) {
		31	const totp = new TOTP({
		32	...baseOTPOptions(),
		33
		34	label: email,
		35	secret: new Secret()
		36	})
		37
		38	return {
		39	secret: totp.secret.base32,
		40	uri: totp.toString()
		41	}
		42	}
		43
		44	export {
		45	isOTPValid,
		46	generateOTPSecret
		47	}
		48
		49	// ---------------------------------------------------------------------------
		50
		51	function baseOTPOptions () {
		52	return {
		53	issuer: WEBSERVER.HOST,
		54	algorithm: 'SHA1',
		55	digits: 6,
		56	period: 30
		57	}
		58	}


diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index 8aca50900..ae7d11800 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts
@@ -1,11 +1,11 @@
1	import { compare, genSalt, hash } from 'bcrypt'	1	import { compare, genSalt, hash } from 'bcrypt'
2	import { createSign, createVerify } from 'crypto'	2	import { createCipheriv, createDecipheriv, createSign, createVerify } from 'crypto'
3	import { Request } from 'express'	3	import { Request } from 'express'
4	import { cloneDeep } from 'lodash'	4	import { cloneDeep } from 'lodash'
5	import { sha256 } from '@shared/extra-utils'	5	import { sha256 } from '@shared/extra-utils'
6	import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'	6	import { BCRYPT_SALT_SIZE, ENCRYPTION, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
7	import { MActor } from '../types/models'	7	import { MActor } from '../types/models'
8	import { generateRSAKeyPairPromise, promisify1, promisify2 } from './core-utils'	8	import { generateRSAKeyPairPromise, promisify1, promisify2, randomBytesPromise, scryptPromise } from './core-utils'
9	import { jsonld } from './custom-jsonld-signature'	9	import { jsonld } from './custom-jsonld-signature'
10	import { logger } from './logger'	10	import { logger } from './logger'
11		11
@@ -21,9 +21,13 @@ function createPrivateAndPublicKeys () {
21	return generateRSAKeyPairPromise(PRIVATE_RSA_KEY_SIZE)	21	return generateRSAKeyPairPromise(PRIVATE_RSA_KEY_SIZE)
22	}	22	}
23		23
		24	// ---------------------------------------------------------------------------
24	// User password checks	25	// User password checks
		26	// ---------------------------------------------------------------------------
25		27
26	function comparePassword (plainPassword: string, hashPassword: string) {	28	function comparePassword (plainPassword: string, hashPassword: string) {
		29	if (!plainPassword) return Promise.resolve(false)
		30
27	return bcryptComparePromise(plainPassword, hashPassword)	31	return bcryptComparePromise(plainPassword, hashPassword)
28	}	32	}
29		33
@@ -33,7 +37,9 @@ async function cryptPassword (password: string) {
33	return bcryptHashPromise(password, salt)	37	return bcryptHashPromise(password, salt)
34	}	38	}
35		39
		40	// ---------------------------------------------------------------------------
36	// HTTP Signature	41	// HTTP Signature
		42	// ---------------------------------------------------------------------------
37		43
38	function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean {	44	function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean {
39	if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) {	45	if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) {
@@ -62,7 +68,9 @@ function parseHTTPSignature (req: Request, clockSkew?: number) {
62	return parsed	68	return parsed
63	}	69	}
64		70
		71	// ---------------------------------------------------------------------------
65	// JSONLD	72	// JSONLD
		73	// ---------------------------------------------------------------------------
66		74
67	function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> {	75	function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> {
68	if (signedDocument.signature.type === 'RsaSignature2017') {	76	if (signedDocument.signature.type === 'RsaSignature2017') {
@@ -112,6 +120,8 @@ async function signJsonLDObject <T> (byActor: MActor, data: T) {
112	return Object.assign(data, { signature })	120	return Object.assign(data, { signature })
113	}	121	}
114		122
		123	// ---------------------------------------------------------------------------
		124
115	function buildDigest (body: any) {	125	function buildDigest (body: any) {
116	const rawBody = typeof body === 'string' ? body : JSON.stringify(body)	126	const rawBody = typeof body === 'string' ? body : JSON.stringify(body)
117		127
@@ -119,6 +129,34 @@ function buildDigest (body: any) {
119	}	129	}
120		130
121	// ---------------------------------------------------------------------------	131	// ---------------------------------------------------------------------------
		132	// Encryption
		133	// ---------------------------------------------------------------------------
		134
		135	async function encrypt (str: string, secret: string) {
		136	const iv = await randomBytesPromise(ENCRYPTION.IV)
		137
		138	const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
		139	const cipher = createCipheriv(ENCRYPTION.ALGORITHM, key, iv)
		140
		141	let encrypted = iv.toString(ENCRYPTION.ENCODING) + ':'
		142	encrypted += cipher.update(str, 'utf8', ENCRYPTION.ENCODING)
		143	encrypted += cipher.final(ENCRYPTION.ENCODING)
		144
		145	return encrypted
		146	}
		147
		148	async function decrypt (encryptedArg: string, secret: string) {
		149	const [ ivStr, encryptedStr ] = encryptedArg.split(':')
		150
		151	const iv = Buffer.from(ivStr, 'hex')
		152	const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
		153
		154	const decipher = createDecipheriv(ENCRYPTION.ALGORITHM, key, iv)
		155
		156	return decipher.update(encryptedStr, ENCRYPTION.ENCODING, 'utf8') + decipher.final('utf8')
		157	}
		158
		159	// ---------------------------------------------------------------------------
122		160
123	export {	161	export {
124	isHTTPSignatureDigestValid,	162	isHTTPSignatureDigestValid,
@@ -129,7 +167,10 @@ export {
129	comparePassword,	167	comparePassword,
130	createPrivateAndPublicKeys,	168	createPrivateAndPublicKeys,
131	cryptPassword,	169	cryptPassword,
132	signJsonLDObject	170	signJsonLDObject,
		171
		172	encrypt,
		173	decrypt
133	}	174	}
134		175
135	// ---------------------------------------------------------------------------	176	// ---------------------------------------------------------------------------