diff options
Diffstat (limited to 'server/lib/auth/oauth.ts')
-rw-r--r-- | server/lib/auth/oauth.ts | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts index fa1887315..b541142a5 100644 --- a/server/lib/auth/oauth.ts +++ b/server/lib/auth/oauth.ts | |||
@@ -11,8 +11,20 @@ import OAuth2Server, { | |||
11 | import { randomBytesPromise } from '@server/helpers/core-utils' | 11 | import { randomBytesPromise } from '@server/helpers/core-utils' |
12 | import { MOAuthClient } from '@server/types/models' | 12 | import { MOAuthClient } from '@server/types/models' |
13 | import { sha1 } from '@shared/extra-utils' | 13 | import { sha1 } from '@shared/extra-utils' |
14 | import { OAUTH_LIFETIME } from '../../initializers/constants' | 14 | import { HttpStatusCode } from '@shared/models' |
15 | import { OAUTH_LIFETIME, OTP } from '../../initializers/constants' | ||
15 | import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model' | 16 | import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model' |
17 | import { isOTPValid } from '@server/helpers/otp' | ||
18 | |||
19 | class MissingTwoFactorError extends Error { | ||
20 | code = HttpStatusCode.UNAUTHORIZED_401 | ||
21 | name = 'missing_two_factor' | ||
22 | } | ||
23 | |||
24 | class InvalidTwoFactorError extends Error { | ||
25 | code = HttpStatusCode.BAD_REQUEST_400 | ||
26 | name = 'invalid_two_factor' | ||
27 | } | ||
16 | 28 | ||
17 | /** | 29 | /** |
18 | * | 30 | * |
@@ -94,6 +106,9 @@ function handleOAuthAuthenticate ( | |||
94 | } | 106 | } |
95 | 107 | ||
96 | export { | 108 | export { |
109 | MissingTwoFactorError, | ||
110 | InvalidTwoFactorError, | ||
111 | |||
97 | handleOAuthToken, | 112 | handleOAuthToken, |
98 | handleOAuthAuthenticate | 113 | handleOAuthAuthenticate |
99 | } | 114 | } |
@@ -118,6 +133,16 @@ async function handlePasswordGrant (options: { | |||
118 | const user = await getUser(request.body.username, request.body.password, bypassLogin) | 133 | const user = await getUser(request.body.username, request.body.password, bypassLogin) |
119 | if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid') | 134 | if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid') |
120 | 135 | ||
136 | if (user.otpSecret) { | ||
137 | if (!request.headers[OTP.HEADER_NAME]) { | ||
138 | throw new MissingTwoFactorError('Missing two factor header') | ||
139 | } | ||
140 | |||
141 | if (isOTPValid({ secret: user.otpSecret, token: request.headers[OTP.HEADER_NAME] }) !== true) { | ||
142 | throw new InvalidTwoFactorError('Invalid two factor header') | ||
143 | } | ||
144 | } | ||
145 | |||
121 | const token = await buildToken() | 146 | const token = await buildToken() |
122 | 147 | ||
123 | return saveToken(token, client, user, { bypassLogin }) | 148 | return saveToken(token, client, user, { bypassLogin }) |