This commit is contained in:
syuilo
@ -155,6 +155,14 @@ const endpoints: Endpoint[] = [
|
||||
name: 'i',
|
||||
withCredential: true
|
||||
},
|
||||
{
|
||||
name: 'i/2fa/register',
|
||||
withCredential: true
|
||||
},
|
||||
{
|
||||
name: 'i/2fa/done',
|
||||
withCredential: true
|
||||
},
|
||||
{
|
||||
name: 'i/update',
|
||||
withCredential: true,
|
||||
|
||||
37
src/api/endpoints/i/2fa/done.ts
Normal file
37
src/api/endpoints/i/2fa/done.ts
Normal file
@ -0,0 +1,37 @@
|
||||
/**
|
||||
* Module dependencies
|
||||
*/
|
||||
import $ from 'cafy';
|
||||
import * as speakeasy from 'speakeasy';
|
||||
import User from '../../../models/user';
|
||||
|
||||
module.exports = async (params, user) => new Promise(async (res, rej) => {
|
||||
// Get 'token' parameter
|
||||
const [token, tokenErr] = $(params.token).string().$;
|
||||
if (tokenErr) return rej('invalid token param');
|
||||
|
||||
const _token = token.replace(/\s/g, '');
|
||||
|
||||
if (user.two_factor_temp_secret == null) {
|
||||
return rej('二段階認証の設定が開始されていません');
|
||||
}
|
||||
|
||||
const verified = (speakeasy as any).totp.verify({
|
||||
secret: user.two_factor_temp_secret,
|
||||
encoding: 'base32',
|
||||
token: _token
|
||||
});
|
||||
|
||||
if (!verified) {
|
||||
return rej('not verified');
|
||||
}
|
||||
|
||||
await User.update(user._id, {
|
||||
$set: {
|
||||
two_factor_secret: user.two_factor_temp_secret,
|
||||
two_factor_enabled: true
|
||||
}
|
||||
});
|
||||
|
||||
res();
|
||||
});
|
||||
48
src/api/endpoints/i/2fa/register.ts
Normal file
48
src/api/endpoints/i/2fa/register.ts
Normal file
@ -0,0 +1,48 @@
|
||||
/**
|
||||
* Module dependencies
|
||||
*/
|
||||
import $ from 'cafy';
|
||||
import * as bcrypt from 'bcryptjs';
|
||||
import * as speakeasy from 'speakeasy';
|
||||
import * as QRCode from 'qrcode';
|
||||
import User from '../../../models/user';
|
||||
import config from '../../../../conf';
|
||||
|
||||
module.exports = async (params, user) => new Promise(async (res, rej) => {
|
||||
// Get 'password' parameter
|
||||
const [password, passwordErr] = $(params.password).string().$;
|
||||
if (passwordErr) return rej('invalid password param');
|
||||
|
||||
// Compare password
|
||||
const same = await bcrypt.compare(password, user.password);
|
||||
|
||||
if (!same) {
|
||||
return rej('incorrect password');
|
||||
}
|
||||
|
||||
// Generate user's secret key
|
||||
const secret = speakeasy.generateSecret({
|
||||
length: 32
|
||||
});
|
||||
|
||||
await User.update(user._id, {
|
||||
$set: {
|
||||
two_factor_temp_secret: secret.base32
|
||||
}
|
||||
});
|
||||
|
||||
// Get the data URL of the authenticator URL
|
||||
QRCode.toDataURL(speakeasy.otpauthURL({
|
||||
secret: secret.base32,
|
||||
encoding: 'base32',
|
||||
label: user.username,
|
||||
issuer: config.host
|
||||
}), (err, data_url) => {
|
||||
res({
|
||||
qr: data_url,
|
||||
secret: secret.base32,
|
||||
label: user.username,
|
||||
issuer: config.host
|
||||
});
|
||||
});
|
||||
});
|
||||
@ -72,6 +72,8 @@ export type IUser = {
|
||||
is_pro: boolean;
|
||||
is_suspended: boolean;
|
||||
keywords: string[];
|
||||
two_factor_secret: string;
|
||||
two_factor_enabled: boolean;
|
||||
};
|
||||
|
||||
export function init(user): IUser {
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
import * as express from 'express';
|
||||
import * as bcrypt from 'bcryptjs';
|
||||
import * as speakeasy from 'speakeasy';
|
||||
import { default as User, IUser } from '../models/user';
|
||||
import Signin from '../models/signin';
|
||||
import serialize from '../serializers/signin';
|
||||
@ -11,6 +12,7 @@ export default async (req: express.Request, res: express.Response) => {
|
||||
|
||||
const username = req.body['username'];
|
||||
const password = req.body['password'];
|
||||
const token = req.body['token'];
|
||||
|
||||
if (typeof username != 'string') {
|
||||
res.sendStatus(400);
|
||||
@ -22,6 +24,11 @@ export default async (req: express.Request, res: express.Response) => {
|
||||
return;
|
||||
}
|
||||
|
||||
if (token != null && typeof token != 'string') {
|
||||
res.sendStatus(400);
|
||||
return;
|
||||
}
|
||||
|
||||
// Fetch user
|
||||
const user: IUser = await User.findOne({
|
||||
username_lower: username.toLowerCase()
|
||||
@ -43,7 +50,23 @@ export default async (req: express.Request, res: express.Response) => {
|
||||
const same = await bcrypt.compare(password, user.password);
|
||||
|
||||
if (same) {
|
||||
signin(res, user, false);
|
||||
if (user.two_factor_enabled) {
|
||||
const verified = (speakeasy as any).totp.verify({
|
||||
secret: user.two_factor_secret,
|
||||
encoding: 'base32',
|
||||
token: token
|
||||
});
|
||||
|
||||
if (verified) {
|
||||
signin(res, user, false);
|
||||
} else {
|
||||
res.status(400).send({
|
||||
error: 'invalid token'
|
||||
});
|
||||
}
|
||||
} else {
|
||||
signin(res, user, false);
|
||||
}
|
||||
} else {
|
||||
res.status(400).send({
|
||||
error: 'incorrect password'
|
||||
|
||||
@ -78,6 +78,8 @@ export default (
|
||||
// Remove private properties
|
||||
delete _user.password;
|
||||
delete _user.token;
|
||||
delete _user.two_factor_temp_secret;
|
||||
delete _user.two_factor_secret;
|
||||
delete _user.username_lower;
|
||||
if (_user.twitter) {
|
||||
delete _user.twitter.access_token;
|
||||
@ -91,6 +93,10 @@ export default (
|
||||
delete _user.client_settings;
|
||||
}
|
||||
|
||||
if (!opts.detail) {
|
||||
delete _user.two_factor_enabled;
|
||||
}
|
||||
|
||||
_user.avatar_url = _user.avatar_id != null
|
||||
? `${config.drive_url}/${_user.avatar_id}`
|
||||
: `${config.drive_url}/default-avatar.jpg`;
|
||||
|
||||
Reference in New Issue
Block a user