Merge branch 'dev' into clients-pops-dev

2025-08-01 00:24:38 +02:00 · 2025-07-14 16:59:00 -07:00 · 2025-07-14 16:59:00 -07:00 · 3dc79da2fa
commit 3dc79da2fa
parent 83b00c1cfa d6fdb38c22
55 changed files with 5261 additions and 4194 deletions
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@ -535,6 +535,7 @@ unauthenticated.get("/resource/:resourceId/auth", resource.getResourceAuthInfo);
 unauthenticated.get("/user", verifySessionMiddleware, user.getUser);

 authenticated.get("/users", verifyUserIsServerAdmin, user.adminListUsers);
+authenticated.get("/user/:userId", verifyUserIsServerAdmin, user.adminGetUser);
 authenticated.delete(
    "/user/:userId",
    verifyUserIsServerAdmin,
@ -550,6 +551,12 @@ authenticated.put(

 authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);

+authenticated.post(
+    "/user/:userId/2fa",
+    verifyUserIsServerAdmin,
+    user.updateUser2FA
+);
+
 authenticated.get(
    "/org/:orgId/users",
    verifyOrgAccess,
@ -795,12 +802,8 @@ authRouter.post("/logout", auth.logout);
 authRouter.post("/newt/get-token", getNewtToken);
 authRouter.post("/olm/get-token", getOlmToken);

-authRouter.post("/2fa/enable", verifySessionUserMiddleware, auth.verifyTotp);
-authRouter.post(
-    "/2fa/request",
-    verifySessionUserMiddleware,
-    auth.requestTotpSecret
-);
+authRouter.post("/2fa/enable", auth.verifyTotp);
+authRouter.post("/2fa/request", auth.requestTotpSecret);
 authRouter.post("/2fa/disable", verifySessionUserMiddleware, auth.disable2fa);
 authRouter.post("/verify-email", verifySessionMiddleware, auth.verifyEmail);

@ -874,3 +877,36 @@ authRouter.post("/idp/:idpId/oidc/validate-callback", idp.validateOidcCallback);

 authRouter.put("/set-server-admin", auth.setServerAdmin);
 authRouter.get("/initial-setup-complete", auth.initialSetupComplete);
+
+// Security Key routes
+authRouter.post(
+    "/security-key/register/start",
+    verifySessionUserMiddleware,
+    rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 5, // Allow 5 security key registrations per 15 minutes
+        keyGenerator: (req) => `securityKeyRegister:${req.user?.userId}`,
+        handler: (req, res, next) => {
+            const message = `You can only register ${5} security keys every ${15} minutes. Please try again later.`;
+            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
+        }
+    }),
+    auth.startRegistration
+);
+authRouter.post("/security-key/register/verify", verifySessionUserMiddleware, auth.verifyRegistration);
+authRouter.post(
+    "/security-key/authenticate/start",
+    rateLimit({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        max: 10, // Allow 10 authentication attempts per 15 minutes per IP
+        keyGenerator: (req) => `securityKeyAuth:${req.ip}`,
+        handler: (req, res, next) => {
+            const message = `You can only attempt security key authentication ${10} times every ${15} minutes. Please try again later.`;
+            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
+        }
+    }),
+    auth.startAuthentication
+);
+authRouter.post("/security-key/authenticate/verify", auth.verifyAuthentication);
+authRouter.get("/security-key/list", verifySessionUserMiddleware, auth.listSecurityKeys);
+authRouter.delete("/security-key/:credentialId", verifySessionUserMiddleware, auth.deleteSecurityKey);