diff options
Diffstat (limited to 'server')
-rw-r--r-- | server/controllers/api/users/two-factor.ts | 6 | ||||
-rw-r--r-- | server/helpers/peertube-crypto.ts | 2 | ||||
-rw-r--r-- | server/middlewares/validators/users.ts | 47 | ||||
-rw-r--r-- | server/tests/api/check-params/two-factor.ts | 29 | ||||
-rw-r--r-- | server/tests/api/users/two-factor.ts | 95 |
5 files changed, 129 insertions, 50 deletions
diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts index 1725294e7..79f63a62d 100644 --- a/server/controllers/api/users/two-factor.ts +++ b/server/controllers/api/users/two-factor.ts | |||
@@ -1,7 +1,7 @@ | |||
1 | import express from 'express' | 1 | import express from 'express' |
2 | import { generateOTPSecret, isOTPValid } from '@server/helpers/otp' | 2 | import { generateOTPSecret, isOTPValid } from '@server/helpers/otp' |
3 | import { Redis } from '@server/lib/redis' | 3 | import { Redis } from '@server/lib/redis' |
4 | import { asyncMiddleware, authenticate, usersCheckCurrentPassword } from '@server/middlewares' | 4 | import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares' |
5 | import { | 5 | import { |
6 | confirmTwoFactorValidator, | 6 | confirmTwoFactorValidator, |
7 | disableTwoFactorValidator, | 7 | disableTwoFactorValidator, |
@@ -13,7 +13,7 @@ const twoFactorRouter = express.Router() | |||
13 | 13 | ||
14 | twoFactorRouter.post('/:id/two-factor/request', | 14 | twoFactorRouter.post('/:id/two-factor/request', |
15 | authenticate, | 15 | authenticate, |
16 | asyncMiddleware(usersCheckCurrentPassword), | 16 | asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)), |
17 | asyncMiddleware(requestOrConfirmTwoFactorValidator), | 17 | asyncMiddleware(requestOrConfirmTwoFactorValidator), |
18 | asyncMiddleware(requestTwoFactor) | 18 | asyncMiddleware(requestTwoFactor) |
19 | ) | 19 | ) |
@@ -27,7 +27,7 @@ twoFactorRouter.post('/:id/two-factor/confirm-request', | |||
27 | 27 | ||
28 | twoFactorRouter.post('/:id/two-factor/disable', | 28 | twoFactorRouter.post('/:id/two-factor/disable', |
29 | authenticate, | 29 | authenticate, |
30 | asyncMiddleware(usersCheckCurrentPassword), | 30 | asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)), |
31 | asyncMiddleware(disableTwoFactorValidator), | 31 | asyncMiddleware(disableTwoFactorValidator), |
32 | asyncMiddleware(disableTwoFactor) | 32 | asyncMiddleware(disableTwoFactor) |
33 | ) | 33 | ) |
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index 8aca50900..dcf47ce76 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts | |||
@@ -24,6 +24,8 @@ function createPrivateAndPublicKeys () { | |||
24 | // User password checks | 24 | // User password checks |
25 | 25 | ||
26 | function comparePassword (plainPassword: string, hashPassword: string) { | 26 | function comparePassword (plainPassword: string, hashPassword: string) { |
27 | if (!plainPassword) return Promise.resolve(false) | ||
28 | |||
27 | return bcryptComparePromise(plainPassword, hashPassword) | 29 | return bcryptComparePromise(plainPassword, hashPassword) |
28 | } | 30 | } |
29 | 31 | ||
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index 046029547..055af3b64 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -506,23 +506,40 @@ const usersVerifyEmailValidator = [ | |||
506 | } | 506 | } |
507 | ] | 507 | ] |
508 | 508 | ||
509 | const usersCheckCurrentPassword = [ | 509 | const usersCheckCurrentPasswordFactory = (targetUserIdGetter: (req: express.Request) => number | string) => { |
510 | body('currentPassword').custom(exists), | 510 | return [ |
511 | body('currentPassword').optional().custom(exists), | ||
511 | 512 | ||
512 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { | 513 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { |
513 | if (areValidationErrors(req, res)) return | 514 | if (areValidationErrors(req, res)) return |
514 | 515 | ||
515 | const user = res.locals.oauth.token.User | 516 | const user = res.locals.oauth.token.User |
516 | if (await user.isPasswordMatch(req.body.currentPassword) !== true) { | 517 | const isAdminOrModerator = user.role === UserRole.ADMINISTRATOR || user.role === UserRole.MODERATOR |
517 | return res.fail({ | 518 | const targetUserId = parseInt(targetUserIdGetter(req) + '') |
518 | status: HttpStatusCode.FORBIDDEN_403, | ||
519 | message: 'currentPassword is invalid.' | ||
520 | }) | ||
521 | } | ||
522 | 519 | ||
523 | return next() | 520 | // Admin/moderator action on another user, skip the password check |
524 | } | 521 | if (isAdminOrModerator && targetUserId !== user.id) { |
525 | ] | 522 | return next() |
523 | } | ||
524 | |||
525 | if (!req.body.currentPassword) { | ||
526 | return res.fail({ | ||
527 | status: HttpStatusCode.BAD_REQUEST_400, | ||
528 | message: 'currentPassword is missing' | ||
529 | }) | ||
530 | } | ||
531 | |||
532 | if (await user.isPasswordMatch(req.body.currentPassword) !== true) { | ||
533 | return res.fail({ | ||
534 | status: HttpStatusCode.FORBIDDEN_403, | ||
535 | message: 'currentPassword is invalid.' | ||
536 | }) | ||
537 | } | ||
538 | |||
539 | return next() | ||
540 | } | ||
541 | ] | ||
542 | } | ||
526 | 543 | ||
527 | const userAutocompleteValidator = [ | 544 | const userAutocompleteValidator = [ |
528 | param('search') | 545 | param('search') |
@@ -591,7 +608,7 @@ export { | |||
591 | usersUpdateValidator, | 608 | usersUpdateValidator, |
592 | usersUpdateMeValidator, | 609 | usersUpdateMeValidator, |
593 | usersVideoRatingValidator, | 610 | usersVideoRatingValidator, |
594 | usersCheckCurrentPassword, | 611 | usersCheckCurrentPasswordFactory, |
595 | ensureUserRegistrationAllowed, | 612 | ensureUserRegistrationAllowed, |
596 | ensureUserRegistrationAllowedForIP, | 613 | ensureUserRegistrationAllowedForIP, |
597 | usersGetValidator, | 614 | usersGetValidator, |
diff --git a/server/tests/api/check-params/two-factor.ts b/server/tests/api/check-params/two-factor.ts index e7ca5490c..f8365f1b5 100644 --- a/server/tests/api/check-params/two-factor.ts +++ b/server/tests/api/check-params/two-factor.ts | |||
@@ -86,6 +86,15 @@ describe('Test two factor API validators', function () { | |||
86 | }) | 86 | }) |
87 | }) | 87 | }) |
88 | 88 | ||
89 | it('Should succeed to request two factor without a password when targeting a remote user with an admin account', async function () { | ||
90 | await server.twoFactor.request({ userId }) | ||
91 | }) | ||
92 | |||
93 | it('Should fail to request two factor without a password when targeting myself with an admin account', async function () { | ||
94 | await server.twoFactor.request({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | ||
95 | await server.twoFactor.request({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | ||
96 | }) | ||
97 | |||
89 | it('Should succeed to request my two factor auth', async function () { | 98 | it('Should succeed to request my two factor auth', async function () { |
90 | { | 99 | { |
91 | const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword }) | 100 | const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword }) |
@@ -234,7 +243,7 @@ describe('Test two factor API validators', function () { | |||
234 | }) | 243 | }) |
235 | }) | 244 | }) |
236 | 245 | ||
237 | it('Should fail to disabled two factor with an incorrect password', async function () { | 246 | it('Should fail to disable two factor with an incorrect password', async function () { |
238 | await server.twoFactor.disable({ | 247 | await server.twoFactor.disable({ |
239 | userId, | 248 | userId, |
240 | token: userToken, | 249 | token: userToken, |
@@ -243,16 +252,20 @@ describe('Test two factor API validators', function () { | |||
243 | }) | 252 | }) |
244 | }) | 253 | }) |
245 | 254 | ||
255 | it('Should succeed to disable two factor without a password when targeting a remote user with an admin account', async function () { | ||
256 | await server.twoFactor.disable({ userId }) | ||
257 | await server.twoFactor.requestAndConfirm({ userId }) | ||
258 | }) | ||
259 | |||
260 | it('Should fail to disable two factor without a password when targeting myself with an admin account', async function () { | ||
261 | await server.twoFactor.disable({ userId: rootId, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | ||
262 | await server.twoFactor.disable({ userId: rootId, currentPassword: 'bad', expectedStatus: HttpStatusCode.FORBIDDEN_403 }) | ||
263 | }) | ||
264 | |||
246 | it('Should succeed to disable another user two factor with the appropriate rights', async function () { | 265 | it('Should succeed to disable another user two factor with the appropriate rights', async function () { |
247 | await server.twoFactor.disable({ userId, currentPassword: rootPassword }) | 266 | await server.twoFactor.disable({ userId, currentPassword: rootPassword }) |
248 | 267 | ||
249 | // Reinit | 268 | await server.twoFactor.requestAndConfirm({ userId }) |
250 | const { otpRequest } = await server.twoFactor.request({ userId, currentPassword: rootPassword }) | ||
251 | await server.twoFactor.confirmRequest({ | ||
252 | userId, | ||
253 | requestToken: otpRequest.requestToken, | ||
254 | otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate() | ||
255 | }) | ||
256 | }) | 269 | }) |
257 | 270 | ||
258 | it('Should succeed to update my two factor auth', async function () { | 271 | it('Should succeed to update my two factor auth', async function () { |
diff --git a/server/tests/api/users/two-factor.ts b/server/tests/api/users/two-factor.ts index 450aac4dc..0dcab9e17 100644 --- a/server/tests/api/users/two-factor.ts +++ b/server/tests/api/users/two-factor.ts | |||
@@ -7,13 +7,14 @@ import { cleanupTests, createSingleServer, PeerTubeServer, setAccessTokensToServ | |||
7 | 7 | ||
8 | async function login (options: { | 8 | async function login (options: { |
9 | server: PeerTubeServer | 9 | server: PeerTubeServer |
10 | password?: string | 10 | username: string |
11 | password: string | ||
11 | otpToken?: string | 12 | otpToken?: string |
12 | expectedStatus?: HttpStatusCode | 13 | expectedStatus?: HttpStatusCode |
13 | }) { | 14 | }) { |
14 | const { server, password = server.store.user.password, otpToken, expectedStatus } = options | 15 | const { server, username, password, otpToken, expectedStatus } = options |
15 | 16 | ||
16 | const user = { username: server.store.user.username, password } | 17 | const user = { username, password } |
17 | const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus }) | 18 | const { res, body: { access_token: token } } = await server.login.loginAndGetResponse({ user, otpToken, expectedStatus }) |
18 | 19 | ||
19 | return { res, token } | 20 | return { res, token } |
@@ -21,23 +22,28 @@ async function login (options: { | |||
21 | 22 | ||
22 | describe('Test users', function () { | 23 | describe('Test users', function () { |
23 | let server: PeerTubeServer | 24 | let server: PeerTubeServer |
24 | let rootId: number | ||
25 | let otpSecret: string | 25 | let otpSecret: string |
26 | let requestToken: string | 26 | let requestToken: string |
27 | 27 | ||
28 | const userUsername = 'user1' | ||
29 | let userId: number | ||
30 | let userPassword: string | ||
31 | let userToken: string | ||
32 | |||
28 | before(async function () { | 33 | before(async function () { |
29 | this.timeout(30000) | 34 | this.timeout(30000) |
30 | 35 | ||
31 | server = await createSingleServer(1) | 36 | server = await createSingleServer(1) |
32 | 37 | ||
33 | await setAccessTokensToServers([ server ]) | 38 | await setAccessTokensToServers([ server ]) |
34 | 39 | const res = await server.users.generate(userUsername) | |
35 | const { id } = await server.users.getMyInfo() | 40 | userId = res.userId |
36 | rootId = id | 41 | userPassword = res.password |
42 | userToken = res.token | ||
37 | }) | 43 | }) |
38 | 44 | ||
39 | it('Should not add the header on login if two factor is not enabled', async function () { | 45 | it('Should not add the header on login if two factor is not enabled', async function () { |
40 | const { res, token } = await login({ server }) | 46 | const { res, token } = await login({ server, username: userUsername, password: userPassword }) |
41 | 47 | ||
42 | expect(res.header['x-peertube-otp']).to.not.exist | 48 | expect(res.header['x-peertube-otp']).to.not.exist |
43 | 49 | ||
@@ -45,10 +51,7 @@ describe('Test users', function () { | |||
45 | }) | 51 | }) |
46 | 52 | ||
47 | it('Should request two factor and get the secret and uri', async function () { | 53 | it('Should request two factor and get the secret and uri', async function () { |
48 | const { otpRequest } = await server.twoFactor.request({ | 54 | const { otpRequest } = await server.twoFactor.request({ userId, token: userToken, currentPassword: userPassword }) |
49 | userId: rootId, | ||
50 | currentPassword: server.store.user.password | ||
51 | }) | ||
52 | 55 | ||
53 | expect(otpRequest.requestToken).to.exist | 56 | expect(otpRequest.requestToken).to.exist |
54 | 57 | ||
@@ -64,27 +67,33 @@ describe('Test users', function () { | |||
64 | }) | 67 | }) |
65 | 68 | ||
66 | it('Should not have two factor confirmed yet', async function () { | 69 | it('Should not have two factor confirmed yet', async function () { |
67 | const { twoFactorEnabled } = await server.users.getMyInfo() | 70 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) |
68 | expect(twoFactorEnabled).to.be.false | 71 | expect(twoFactorEnabled).to.be.false |
69 | }) | 72 | }) |
70 | 73 | ||
71 | it('Should confirm two factor', async function () { | 74 | it('Should confirm two factor', async function () { |
72 | await server.twoFactor.confirmRequest({ | 75 | await server.twoFactor.confirmRequest({ |
73 | userId: rootId, | 76 | userId, |
77 | token: userToken, | ||
74 | otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(), | 78 | otpToken: TwoFactorCommand.buildOTP({ secret: otpSecret }).generate(), |
75 | requestToken | 79 | requestToken |
76 | }) | 80 | }) |
77 | }) | 81 | }) |
78 | 82 | ||
79 | it('Should not add the header on login if two factor is enabled and password is incorrect', async function () { | 83 | it('Should not add the header on login if two factor is enabled and password is incorrect', async function () { |
80 | const { res, token } = await login({ server, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 84 | const { res, token } = await login({ server, username: userUsername, password: 'fake', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) |
81 | 85 | ||
82 | expect(res.header['x-peertube-otp']).to.not.exist | 86 | expect(res.header['x-peertube-otp']).to.not.exist |
83 | expect(token).to.not.exist | 87 | expect(token).to.not.exist |
84 | }) | 88 | }) |
85 | 89 | ||
86 | it('Should add the header on login if two factor is enabled and password is correct', async function () { | 90 | it('Should add the header on login if two factor is enabled and password is correct', async function () { |
87 | const { res, token } = await login({ server, expectedStatus: HttpStatusCode.UNAUTHORIZED_401 }) | 91 | const { res, token } = await login({ |
92 | server, | ||
93 | username: userUsername, | ||
94 | password: userPassword, | ||
95 | expectedStatus: HttpStatusCode.UNAUTHORIZED_401 | ||
96 | }) | ||
88 | 97 | ||
89 | expect(res.header['x-peertube-otp']).to.exist | 98 | expect(res.header['x-peertube-otp']).to.exist |
90 | expect(token).to.not.exist | 99 | expect(token).to.not.exist |
@@ -95,14 +104,26 @@ describe('Test users', function () { | |||
95 | it('Should not login with correct password and incorrect otp secret', async function () { | 104 | it('Should not login with correct password and incorrect otp secret', async function () { |
96 | const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) }) | 105 | const otp = TwoFactorCommand.buildOTP({ secret: 'a'.repeat(32) }) |
97 | 106 | ||
98 | const { res, token } = await login({ server, otpToken: otp.generate(), expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 107 | const { res, token } = await login({ |
108 | server, | ||
109 | username: userUsername, | ||
110 | password: userPassword, | ||
111 | otpToken: otp.generate(), | ||
112 | expectedStatus: HttpStatusCode.BAD_REQUEST_400 | ||
113 | }) | ||
99 | 114 | ||
100 | expect(res.header['x-peertube-otp']).to.not.exist | 115 | expect(res.header['x-peertube-otp']).to.not.exist |
101 | expect(token).to.not.exist | 116 | expect(token).to.not.exist |
102 | }) | 117 | }) |
103 | 118 | ||
104 | it('Should not login with correct password and incorrect otp code', async function () { | 119 | it('Should not login with correct password and incorrect otp code', async function () { |
105 | const { res, token } = await login({ server, otpToken: '123456', expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 120 | const { res, token } = await login({ |
121 | server, | ||
122 | username: userUsername, | ||
123 | password: userPassword, | ||
124 | otpToken: '123456', | ||
125 | expectedStatus: HttpStatusCode.BAD_REQUEST_400 | ||
126 | }) | ||
106 | 127 | ||
107 | expect(res.header['x-peertube-otp']).to.not.exist | 128 | expect(res.header['x-peertube-otp']).to.not.exist |
108 | expect(token).to.not.exist | 129 | expect(token).to.not.exist |
@@ -111,7 +132,13 @@ describe('Test users', function () { | |||
111 | it('Should not login with incorrect password and correct otp code', async function () { | 132 | it('Should not login with incorrect password and correct otp code', async function () { |
112 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() | 133 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() |
113 | 134 | ||
114 | const { res, token } = await login({ server, password: 'fake', otpToken, expectedStatus: HttpStatusCode.BAD_REQUEST_400 }) | 135 | const { res, token } = await login({ |
136 | server, | ||
137 | username: userUsername, | ||
138 | password: 'fake', | ||
139 | otpToken, | ||
140 | expectedStatus: HttpStatusCode.BAD_REQUEST_400 | ||
141 | }) | ||
115 | 142 | ||
116 | expect(res.header['x-peertube-otp']).to.not.exist | 143 | expect(res.header['x-peertube-otp']).to.not.exist |
117 | expect(token).to.not.exist | 144 | expect(token).to.not.exist |
@@ -120,7 +147,7 @@ describe('Test users', function () { | |||
120 | it('Should correctly login with correct password and otp code', async function () { | 147 | it('Should correctly login with correct password and otp code', async function () { |
121 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() | 148 | const otpToken = TwoFactorCommand.buildOTP({ secret: otpSecret }).generate() |
122 | 149 | ||
123 | const { res, token } = await login({ server, otpToken }) | 150 | const { res, token } = await login({ server, username: userUsername, password: userPassword, otpToken }) |
124 | 151 | ||
125 | expect(res.header['x-peertube-otp']).to.not.exist | 152 | expect(res.header['x-peertube-otp']).to.not.exist |
126 | expect(token).to.exist | 153 | expect(token).to.exist |
@@ -129,21 +156,41 @@ describe('Test users', function () { | |||
129 | }) | 156 | }) |
130 | 157 | ||
131 | it('Should have two factor enabled when getting my info', async function () { | 158 | it('Should have two factor enabled when getting my info', async function () { |
132 | const { twoFactorEnabled } = await server.users.getMyInfo() | 159 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) |
133 | expect(twoFactorEnabled).to.be.true | 160 | expect(twoFactorEnabled).to.be.true |
134 | }) | 161 | }) |
135 | 162 | ||
136 | it('Should disable two factor and be able to login without otp token', async function () { | 163 | it('Should disable two factor and be able to login without otp token', async function () { |
137 | await server.twoFactor.disable({ userId: rootId, currentPassword: server.store.user.password }) | 164 | await server.twoFactor.disable({ userId, token: userToken, currentPassword: userPassword }) |
138 | 165 | ||
139 | const { res, token } = await login({ server }) | 166 | const { res, token } = await login({ server, username: userUsername, password: userPassword }) |
140 | expect(res.header['x-peertube-otp']).to.not.exist | 167 | expect(res.header['x-peertube-otp']).to.not.exist |
141 | 168 | ||
142 | await server.users.getMyInfo({ token }) | 169 | await server.users.getMyInfo({ token }) |
143 | }) | 170 | }) |
144 | 171 | ||
145 | it('Should have two factor disabled when getting my info', async function () { | 172 | it('Should have two factor disabled when getting my info', async function () { |
146 | const { twoFactorEnabled } = await server.users.getMyInfo() | 173 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) |
174 | expect(twoFactorEnabled).to.be.false | ||
175 | }) | ||
176 | |||
177 | it('Should enable two factor auth without password from an admin', async function () { | ||
178 | const { otpRequest } = await server.twoFactor.request({ userId }) | ||
179 | |||
180 | await server.twoFactor.confirmRequest({ | ||
181 | userId, | ||
182 | otpToken: TwoFactorCommand.buildOTP({ secret: otpRequest.secret }).generate(), | ||
183 | requestToken: otpRequest.requestToken | ||
184 | }) | ||
185 | |||
186 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) | ||
187 | expect(twoFactorEnabled).to.be.true | ||
188 | }) | ||
189 | |||
190 | it('Should disable two factor auth without password from an admin', async function () { | ||
191 | await server.twoFactor.disable({ userId }) | ||
192 | |||
193 | const { twoFactorEnabled } = await server.users.getMyInfo({ token: userToken }) | ||
147 | expect(twoFactorEnabled).to.be.false | 194 | expect(twoFactorEnabled).to.be.false |
148 | }) | 195 | }) |
149 | 196 | ||