From a3e5f804ad821f6979e8735b0569b1209986fedc Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Mon, 10 Oct 2022 11:12:23 +0200 Subject: Encrypt OTP secret --- server/controllers/api/users/two-factor.ts | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'server/controllers/api/users') diff --git a/server/controllers/api/users/two-factor.ts b/server/controllers/api/users/two-factor.ts index 79f63a62d..e6ae9e4dd 100644 --- a/server/controllers/api/users/two-factor.ts +++ b/server/controllers/api/users/two-factor.ts @@ -1,5 +1,7 @@ import express from 'express' import { generateOTPSecret, isOTPValid } from '@server/helpers/otp' +import { encrypt } from '@server/helpers/peertube-crypto' +import { CONFIG } from '@server/initializers/config' import { Redis } from '@server/lib/redis' import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares' import { @@ -44,7 +46,9 @@ async function requestTwoFactor (req: express.Request, res: express.Response) { const user = res.locals.user const { secret, uri } = generateOTPSecret(user.email) - const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, secret) + + const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE) + const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret) return res.json({ otpRequest: { @@ -60,22 +64,22 @@ async function confirmRequestTwoFactor (req: express.Request, res: express.Respo const otpToken = req.body.otpToken const user = res.locals.user - const secret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken) - if (!secret) { + const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken) + if (!encryptedSecret) { return res.fail({ message: 'Invalid request token', status: HttpStatusCode.FORBIDDEN_403 }) } - if (isOTPValid({ secret, token: otpToken }) !== true) { + if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) { return res.fail({ message: 'Invalid OTP token', status: HttpStatusCode.FORBIDDEN_403 }) } - user.otpSecret = secret + user.otpSecret = encryptedSecret await user.save() return res.sendStatus(HttpStatusCode.NO_CONTENT_204) -- cgit v1.2.3