mirror of
https://github.com/fosrl/pangolin.git
synced 2025-08-14 06:39:08 +02:00
require 2fa for disable 2fa
This commit is contained in:
Milo Schwartz
parent
76eeb335a3
commit
86fb43d570
1 changed files with 42 additions and 1 deletions
|
|
@ -9,13 +9,20 @@ import { db } from "@server/db";
|
||||||
import { User, users } from "@server/db/schema";
|
import { User, users } from "@server/db/schema";
|
||||||
import { eq } from "drizzle-orm";
|
import { eq } from "drizzle-orm";
|
||||||
import { response } from "@server/utils";
|
import { response } from "@server/utils";
|
||||||
|
import { decodeHex } from "oslo/encoding";
|
||||||
|
import { TOTPController } from "oslo/otp";
|
||||||
|
|
||||||
export const disable2faBody = z.object({
|
export const disable2faBody = z.object({
|
||||||
password: z.string(),
|
password: z.string(),
|
||||||
|
code: z.string().optional(),
|
||||||
});
|
});
|
||||||
|
|
||||||
export type Disable2faBody = z.infer<typeof disable2faBody>;
|
export type Disable2faBody = z.infer<typeof disable2faBody>;
|
||||||
|
|
||||||
|
export type Disable2faResponse = {
|
||||||
|
codeRequested?: boolean;
|
||||||
|
};
|
||||||
|
|
||||||
export async function disable2fa(
|
export async function disable2fa(
|
||||||
req: Request,
|
req: Request,
|
||||||
res: Response,
|
res: Response,
|
||||||
|
|
@ -32,7 +39,7 @@ export async function disable2fa(
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
const { password } = parsedBody.data;
|
const { password, code } = parsedBody.data;
|
||||||
const user = req.user as User;
|
const user = req.user as User;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
|
@ -54,6 +61,40 @@ export async function disable2fa(
|
||||||
"Two-factor authentication is already disabled",
|
"Two-factor authentication is already disabled",
|
||||||
),
|
),
|
||||||
);
|
);
|
||||||
|
} else {
|
||||||
|
if (!code) {
|
||||||
|
return response<{ codeRequested: boolean }>(res, {
|
||||||
|
data: { codeRequested: true },
|
||||||
|
success: true,
|
||||||
|
error: false,
|
||||||
|
message: "Two-factor authentication required",
|
||||||
|
status: HttpCode.ACCEPTED,
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!user.twoFactorSecret) {
|
||||||
|
return next(
|
||||||
|
createHttpError(
|
||||||
|
HttpCode.INTERNAL_SERVER_ERROR,
|
||||||
|
"Failed to authenticate user",
|
||||||
|
),
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
const validOTP = await new TOTPController().verify(
|
||||||
|
code,
|
||||||
|
decodeHex(user.twoFactorSecret),
|
||||||
|
);
|
||||||
|
|
||||||
|
if (!validOTP) {
|
||||||
|
await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
|
||||||
|
return next(
|
||||||
|
createHttpError(
|
||||||
|
HttpCode.BAD_REQUEST,
|
||||||
|
"The two-factor code you entered is incorrect",
|
||||||
|
),
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
await db
|
await db
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue