2 files changed, 48 insertions, 4 deletions
diff --git a/server/lib/auth/oauth.ts b/server/lib/auth/oauth.ts
index fa1887315..35b05ec5a 100644
--- a/server/lib/auth/oauth.ts
+++ b/server/lib/auth/oauth.ts
@@ -9,11 +9,23 @@ import OAuth2Server, {
  UnsupportedGrantTypeError
 } from '@node-oauth/oauth2-server'
 import { randomBytesPromise } from '@server/helpers/core-utils'
+import { isOTPValid } from '@server/helpers/otp'
 import { MOAuthClient } from '@server/types/models'
 import { sha1 } from '@shared/extra-utils'
-import { OAUTH_LIFETIME } from '../../initializers/constants'
+import { HttpStatusCode } from '@shared/models'
+import { OAUTH_LIFETIME, OTP } from '../../initializers/constants'
 import { BypassLogin, getClient, getRefreshToken, getUser, revokeToken, saveToken } from './oauth-model'
+class MissingTwoFactorError extends Error {
+  code = HttpStatusCode.UNAUTHORIZED_401
+  name = 'missing_two_factor'
+}
+class InvalidTwoFactorError extends Error {
+  code = HttpStatusCode.BAD_REQUEST_400
+  name = 'invalid_two_factor'
+}
 /**
 *
 * Reimplement some functions of OAuth2Server to inject external auth methods
@@ -94,6 +106,9 @@ function handleOAuthAuthenticate (
 }
 export {
+  MissingTwoFactorError,
+  InvalidTwoFactorError,
  handleOAuthToken,
  handleOAuthAuthenticate
 }
@@ -118,6 +133,16 @@ async function handlePasswordGrant (options: {
  const user = await getUser(request.body.username, request.body.password, bypassLogin)
  if (!user) throw new InvalidGrantError('Invalid grant: user credentials are invalid')
+  if (user.otpSecret) {
+    if (!request.headers[OTP.HEADER_NAME]) {
+      throw new MissingTwoFactorError('Missing two factor header')
+    }
+    if (await isOTPValid({ encryptedSecret: user.otpSecret, token: request.headers[OTP.HEADER_NAME] }) !== true) {
+      throw new InvalidTwoFactorError('Invalid two factor header')
+    }
+  }
  const token = await buildToken()
  return saveToken(token, client, user, { bypassLogin })
diff --git a/server/lib/redis.ts b/server/lib/redis.ts
index 9b3c72300..b7523492a 100644
--- a/server/lib/redis.ts
+++ b/server/lib/redis.ts
@@ -9,6 +9,7 @@ import {
  CONTACT_FORM_LIFETIME,
  RESUMABLE_UPLOAD_SESSION_LIFETIME,
  TRACKER_RATE_LIMITS,
+  TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME,
  USER_EMAIL_VERIFY_LIFETIME,
  USER_PASSWORD_CREATE_LIFETIME,
  USER_PASSWORD_RESET_LIFETIME,
@@ -108,10 +109,24 @@ class Redis {
    return this.removeValue(this.generateResetPasswordKey(userId))
  }
-  async getResetPasswordLink (userId: number) {
+  async getResetPasswordVerificationString (userId: number) {
    return this.getValue(this.generateResetPasswordKey(userId))
  }
+  /* ************ Two factor auth request ************ */
+  async setTwoFactorRequest (userId: number, otpSecret: string) {
+    const requestToken = await generateRandomString(32)
+    await this.setValue(this.generateTwoFactorRequestKey(userId, requestToken), otpSecret, TWO_FACTOR_AUTH_REQUEST_TOKEN_LIFETIME)
+    return requestToken
+  }
+  async getTwoFactorRequestToken (userId: number, requestToken: string) {
+    return this.getValue(this.generateTwoFactorRequestKey(userId, requestToken))
+  }
  /* ************ Email verification ************ */
  async setVerifyEmailVerificationString (userId: number) {
@@ -342,6 +357,10 @@ class Redis {
    return 'reset-password-' + userId
  }
+  private generateTwoFactorRequestKey (userId: number, token: string) {
+    return 'two-factor-request-' + userId + '-' + token
+  }
  private generateVerifyEmailKey (userId: number) {
    return 'verify-email-' + userId
  }
@@ -391,8 +410,8 @@ class Redis {
    return JSON.parse(value)
  }
-  private setObject (key: string, value: { [ id: string ]: number | string }) {
+  private setObject (key: string, value: { [ id: string ]: number | string }, expirationMilliseconds?: number) {
-    return this.setValue(key, JSON.stringify(value))
+    return this.setValue(key, JSON.stringify(value), expirationMilliseconds)
  }
  private async setValue (key: string, value: string, expirationMilliseconds?: number) {