aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/controllers/api/users/two-factor.ts
blob: e6ae9e4dd42b855528ce1feb9b2265ef6f5093e0 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
import express from 'express'
import { generateOTPSecret, isOTPValid } from '@server/helpers/otp'
import { encrypt } from '@server/helpers/peertube-crypto'
import { CONFIG } from '@server/initializers/config'
import { Redis } from '@server/lib/redis'
import { asyncMiddleware, authenticate, usersCheckCurrentPasswordFactory } from '@server/middlewares'
import {
  confirmTwoFactorValidator,
  disableTwoFactorValidator,
  requestOrConfirmTwoFactorValidator
} from '@server/middlewares/validators/two-factor'
import { HttpStatusCode, TwoFactorEnableResult } from '@shared/models'

const twoFactorRouter = express.Router()

twoFactorRouter.post('/:id/two-factor/request',
  authenticate,
  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
  asyncMiddleware(requestOrConfirmTwoFactorValidator),
  asyncMiddleware(requestTwoFactor)
)

twoFactorRouter.post('/:id/two-factor/confirm-request',
  authenticate,
  asyncMiddleware(requestOrConfirmTwoFactorValidator),
  confirmTwoFactorValidator,
  asyncMiddleware(confirmRequestTwoFactor)
)

twoFactorRouter.post('/:id/two-factor/disable',
  authenticate,
  asyncMiddleware(usersCheckCurrentPasswordFactory(req => req.params.id)),
  asyncMiddleware(disableTwoFactorValidator),
  asyncMiddleware(disableTwoFactor)
)

// ---------------------------------------------------------------------------

export {
  twoFactorRouter
}

// ---------------------------------------------------------------------------

async function requestTwoFactor (req: express.Request, res: express.Response) {
  const user = res.locals.user

  const { secret, uri } = generateOTPSecret(user.email)

  const encryptedSecret = await encrypt(secret, CONFIG.SECRETS.PEERTUBE)
  const requestToken = await Redis.Instance.setTwoFactorRequest(user.id, encryptedSecret)

  return res.json({
    otpRequest: {
      requestToken,
      secret,
      uri
    }
  } as TwoFactorEnableResult)
}

async function confirmRequestTwoFactor (req: express.Request, res: express.Response) {
  const requestToken = req.body.requestToken
  const otpToken = req.body.otpToken
  const user = res.locals.user

  const encryptedSecret = await Redis.Instance.getTwoFactorRequestToken(user.id, requestToken)
  if (!encryptedSecret) {
    return res.fail({
      message: 'Invalid request token',
      status: HttpStatusCode.FORBIDDEN_403
    })
  }

  if (await isOTPValid({ encryptedSecret, token: otpToken }) !== true) {
    return res.fail({
      message: 'Invalid OTP token',
      status: HttpStatusCode.FORBIDDEN_403
    })
  }

  user.otpSecret = encryptedSecret
  await user.save()

  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
}

async function disableTwoFactor (req: express.Request, res: express.Response) {
  const user = res.locals.user

  user.otpSecret = null
  await user.save()

  return res.sendStatus(HttpStatusCode.NO_CONTENT_204)
}