mirror/fosrl.pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2025-08-18 08:18:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

added two factor to login endpoint

Browse source
This commit is contained in:
Milo Schwartz 2024-10-02 20:19:48 -04:00
parent d7e090e5b7
commit d1e198fe55
No known key found for this signature in database
5 changed files with 308 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

253
package-lock.json generated
View file

@ -21,6 +21,7 @@
"http-errors": "2.0.0", "http-errors": "2.0.0",
"lucia": "3.2.0", "lucia": "3.2.0",
"next": "14.2.13", "next": "14.2.13",
"oslo": "1.2.1",
"react": "^18", "react": "^18",
"react-dom": "^18", "react-dom": "^18",
"winston": "3.14.2", "winston": "3.14.2",
@ -11722,6 +11723,252 @@
"oslo": "1.2.0" "oslo": "1.2.0"
} }
}, },
"node_modules/lucia/node_modules/@node-rs/argon2": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2/-/argon2-1.7.0.tgz",
"integrity": "sha512-zfULc+/tmcWcxn+nHkbyY8vP3+MpEqKORbszt4UkpqZgBgDAAIYvuDN/zukfTgdmo6tmJKKVfzigZOPk4LlIog==",
"engines": {
"node": ">= 10"
},
"optionalDependencies": {
"@node-rs/argon2-android-arm-eabi": "1.7.0",
"@node-rs/argon2-android-arm64": "1.7.0",
"@node-rs/argon2-darwin-arm64": "1.7.0",
"@node-rs/argon2-darwin-x64": "1.7.0",
"@node-rs/argon2-freebsd-x64": "1.7.0",
"@node-rs/argon2-linux-arm-gnueabihf": "1.7.0",
"@node-rs/argon2-linux-arm64-gnu": "1.7.0",
"@node-rs/argon2-linux-arm64-musl": "1.7.0",
"@node-rs/argon2-linux-x64-gnu": "1.7.0",
"@node-rs/argon2-linux-x64-musl": "1.7.0",
"@node-rs/argon2-wasm32-wasi": "1.7.0",
"@node-rs/argon2-win32-arm64-msvc": "1.7.0",
"@node-rs/argon2-win32-ia32-msvc": "1.7.0",
"@node-rs/argon2-win32-x64-msvc": "1.7.0"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-android-arm-eabi": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-android-arm-eabi/-/argon2-android-arm-eabi-1.7.0.tgz",
"integrity": "sha512-udDqkr5P9E+wYX1SZwAVPdyfYvaF4ry9Tm+R9LkfSHbzWH0uhU6zjIwNRp7m+n4gx691rk+lqqDAIP8RLKwbhg==",
"cpu": [
"arm"
],
"optional": true,
"os": [
"android"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-android-arm64": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-android-arm64/-/argon2-android-arm64-1.7.0.tgz",
"integrity": "sha512-s9j/G30xKUx8WU50WIhF0fIl1EdhBGq0RQ06lEhZ0Gi0ap8lhqbE2Bn5h3/G2D1k0Dx+yjeVVNmt/xOQIRG38A==",
"cpu": [
"arm64"
],
"optional": true,
"os": [
"android"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-darwin-arm64": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-darwin-arm64/-/argon2-darwin-arm64-1.7.0.tgz",
"integrity": "sha512-ZIz4L6HGOB9U1kW23g+m7anGNuTZ0RuTw0vNp3o+2DWpb8u8rODq6A8tH4JRL79S+Co/Nq608m9uackN2pe0Rw==",
"cpu": [
"arm64"
],
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-darwin-x64": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-darwin-x64/-/argon2-darwin-x64-1.7.0.tgz",
"integrity": "sha512-5oi/pxqVhODW/pj1+3zElMTn/YukQeywPHHYDbcAW3KsojFjKySfhcJMd1DjKTc+CHQI+4lOxZzSUzK7mI14Hw==",
"cpu": [
"x64"
],
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-freebsd-x64": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-freebsd-x64/-/argon2-freebsd-x64-1.7.0.tgz",
"integrity": "sha512-Ify08683hA4QVXYoIm5SUWOY5DPIT/CMB0CQT+IdxQAg/F+qp342+lUkeAtD5bvStQuCx/dFO3bnnzoe2clMhA==",
"cpu": [
"x64"
],
"optional": true,
"os": [
"freebsd"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-linux-arm-gnueabihf": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-linux-arm-gnueabihf/-/argon2-linux-arm-gnueabihf-1.7.0.tgz",
"integrity": "sha512-7DjDZ1h5AUHAtRNjD19RnQatbhL+uuxBASuuXIBu4/w6Dx8n7YPxwTP4MXfsvuRgKuMWiOb/Ub/HJ3kXVCXRkg==",
"cpu": [
"arm"
],
"optional": true,
"os": [
"linux"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-linux-arm64-gnu": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-linux-arm64-gnu/-/argon2-linux-arm64-gnu-1.7.0.tgz",
"integrity": "sha512-nJDoMP4Y3YcqGswE4DvP080w6O24RmnFEDnL0emdI8Nou17kNYBzP2546Nasx9GCyLzRcYQwZOUjrtUuQ+od2g==",
"cpu": [
"arm64"
],
"optional": true,
"os": [
"linux"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-linux-arm64-musl": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-linux-arm64-musl/-/argon2-linux-arm64-musl-1.7.0.tgz",
"integrity": "sha512-BKWS8iVconhE3jrb9mj6t1J9vwUqQPpzCbUKxfTGJfc+kNL58F1SXHBoe2cDYGnHrFEHTY0YochzXoAfm4Dm/A==",
"cpu": [
"arm64"
],
"optional": true,
"os": [
"linux"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-linux-x64-gnu": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-linux-x64-gnu/-/argon2-linux-x64-gnu-1.7.0.tgz",
"integrity": "sha512-EmgqZOlf4Jurk/szW1iTsVISx25bKksVC5uttJDUloTgsAgIGReCpUUO1R24pBhu9ESJa47iv8NSf3yAfGv6jQ==",
"cpu": [
"x64"
],
"optional": true,
"os": [
"linux"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-linux-x64-musl": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-linux-x64-musl/-/argon2-linux-x64-musl-1.7.0.tgz",
"integrity": "sha512-/o1efYCYIxjfuoRYyBTi2Iy+1iFfhqHCvvVsnjNSgO1xWiWrX0Rrt/xXW5Zsl7vS2Y+yu8PL8KFWRzZhaVxfKA==",
"cpu": [
"x64"
],
"optional": true,
"os": [
"linux"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-wasm32-wasi": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-wasm32-wasi/-/argon2-wasm32-wasi-1.7.0.tgz",
"integrity": "sha512-Evmk9VcxqnuwQftfAfYEr6YZYSPLzmKUsbFIMep5nTt9PT4XYRFAERj7wNYp+rOcBenF3X4xoB+LhwcOMTNE5w==",
"cpu": [
"wasm32"
],
"optional": true,
"dependencies": {
"@emnapi/core": "^0.45.0",
"@emnapi/runtime": "^0.45.0",
"@tybys/wasm-util": "^0.8.1",
"memfs-browser": "^3.4.13000"
},
"engines": {
"node": ">=14.0.0"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-win32-arm64-msvc": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-win32-arm64-msvc/-/argon2-win32-arm64-msvc-1.7.0.tgz",
"integrity": "sha512-qgsU7T004COWWpSA0tppDqDxbPLgg8FaU09krIJ7FBl71Sz8SFO40h7fDIjfbTT5w7u6mcaINMQ5bSHu75PCaA==",
"cpu": [
"arm64"
],
"optional": true,
"os": [
"win32"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-win32-ia32-msvc": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-win32-ia32-msvc/-/argon2-win32-ia32-msvc-1.7.0.tgz",
"integrity": "sha512-JGafwWYQ/HpZ3XSwP4adQ6W41pRvhcdXvpzIWtKvX+17+xEXAe2nmGWM6s27pVkg1iV2ZtoYLRDkOUoGqZkCcg==",
"cpu": [
"ia32"
],
"optional": true,
"os": [
"win32"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/@node-rs/argon2-win32-x64-msvc": {
"version": "1.7.0",
"resolved": "https://registry.npmjs.org/@node-rs/argon2-win32-x64-msvc/-/argon2-win32-x64-msvc-1.7.0.tgz",
"integrity": "sha512-9oq4ShyFakw8AG3mRls0AoCpxBFcimYx7+jvXeAf2OqKNO+mSA6eZ9z7KQeVCi0+SOEUYxMGf5UiGiDb9R6+9Q==",
"cpu": [
"x64"
],
"optional": true,
"os": [
"win32"
],
"engines": {
"node": ">= 10"
}
},
"node_modules/lucia/node_modules/oslo": {
"version": "1.2.0",
"resolved": "https://registry.npmjs.org/oslo/-/oslo-1.2.0.tgz",
"integrity": "sha512-OoFX6rDsNcOQVAD2gQD/z03u4vEjWZLzJtwkmgfRF+KpQUXwdgEXErD7zNhyowmHwHefP+PM9Pw13pgpHMRlzw==",
"dependencies": {
"@node-rs/argon2": "1.7.0",
"@node-rs/bcrypt": "1.9.0"
}
},
"node_modules/make-dir": { "node_modules/make-dir": {
"version": "2.1.0", "version": "2.1.0",
"resolved": "https://registry.npmjs.org/make-dir/-/make-dir-2.1.0.tgz", "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-2.1.0.tgz",
@ -12740,9 +12987,9 @@
} }
}, },
"node_modules/oslo": { "node_modules/oslo": {
"version": "1.2.0", "version": "1.2.1",
"resolved": "https://registry.npmjs.org/oslo/-/oslo-1.2.0.tgz", "resolved": "https://registry.npmjs.org/oslo/-/oslo-1.2.1.tgz",
"integrity": "sha512-OoFX6rDsNcOQVAD2gQD/z03u4vEjWZLzJtwkmgfRF+KpQUXwdgEXErD7zNhyowmHwHefP+PM9Pw13pgpHMRlzw==", "integrity": "sha512-HfIhB5ruTdQv0XX2XlncWQiJ5SIHZ7NHZhVyHth0CSZ/xzge00etRyYy/3wp/Dsu+PkxMC+6+B2lS/GcKoewkA==",
"dependencies": { "dependencies": {
"@node-rs/argon2": "1.7.0", "@node-rs/argon2": "1.7.0",
"@node-rs/bcrypt": "1.9.0" "@node-rs/bcrypt": "1.9.0"

1
package.json
View file

@ -25,6 +25,7 @@
"http-errors": "2.0.0", "http-errors": "2.0.0",
"lucia": "3.2.0", "lucia": "3.2.0",
"next": "14.2.13", "next": "14.2.13",
"oslo": "1.2.1",
"react": "^18", "react": "^18",
"react-dom": "^18", "react-dom": "^18",
"winston": "3.14.2", "winston": "3.14.2",

4
server/auth/index.ts
View file

@ -10,6 +10,8 @@ export const lucia = new Lucia(adapter, {
getUserAttributes: (attributes) => { getUserAttributes: (attributes) => {
return { return {
email: attributes.email, email: attributes.email,
twoFactorEnabled: attributes.twoFactorEnabled,
twoFactorSecret: attributes.twoFactorSecret,
}; };
}, },
// getSessionAttributes: (attributes) => { // getSessionAttributes: (attributes) => {
@ -42,6 +44,8 @@ declare module "lucia" {
interface DatabaseUserAttributes { interface DatabaseUserAttributes {
email: string; email: string;
passwordHash: string; passwordHash: string;
twoFactorEnabled: boolean;
twoFactorSecret: string | null;
} }
interface DatabaseSessionAttributes { interface DatabaseSessionAttributes {

4
server/db/schema.ts
View file

@ -71,6 +71,10 @@ export const users = sqliteTable("user", {
id: text("id").primaryKey(), // has to be id not userId for lucia id: text("id").primaryKey(), // has to be id not userId for lucia
email: text("email").notNull().unique(), email: text("email").notNull().unique(),
passwordHash: text("passwordHash").notNull(), passwordHash: text("passwordHash").notNull(),
twoFactorEnabled: integer("twoFactorEnabled", { mode: "boolean" })
.notNull()
.default(false),
twoFactorSecret: text("twoFactorSecret"),
}); });
// Sessions table // Sessions table

52
server/routers/auth/login.ts
View file

@ -2,7 +2,6 @@ import { verify } from "@node-rs/argon2";
import lucia from "@server/auth"; import lucia from "@server/auth";
import db from "@server/db"; import db from "@server/db";
import { users } from "@server/db/schema"; import { users } from "@server/db/schema";
import logger from "@server/logger";
import HttpCode from "@server/types/HttpCode"; import HttpCode from "@server/types/HttpCode";
import response from "@server/utils/response"; import response from "@server/utils/response";
import { eq } from "drizzle-orm"; import { eq } from "drizzle-orm";
@ -10,12 +9,21 @@ import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors"; import createHttpError from "http-errors";
import { z } from "zod"; import { z } from "zod";
import { fromError } from "zod-validation-error"; import { fromError } from "zod-validation-error";
import { decodeHex } from "oslo/encoding";
import { TOTPController } from "oslo/otp";
export const loginBodySchema = z.object({ export const loginBodySchema = z.object({
email: z.string().email(), email: z.string().email(),
password: z.string(), password: z.string(),
code: z.string().optional(),
}); });
export type LoginBody = z.infer<typeof loginBodySchema>;
export type LoginResponse = {
codeRequested?: boolean;
};
export async function login( export async function login(
req: Request, req: Request,
res: Response, res: Response,
@ -32,7 +40,7 @@ export async function login(
); );
} }
const { email, password } = parsedBody.data; const { email, password, code } = parsedBody.data;
const sessionId = req.cookies[lucia.sessionCookieName]; const sessionId = req.cookies[lucia.sessionCookieName];
const { session: existingSession } = await lucia.validateSession(sessionId); const { session: existingSession } = await lucia.validateSession(sessionId);
@ -70,7 +78,7 @@ export async function login(
parallelism: 1, parallelism: 1,
}); });
if (!validPassword) { if (!validPassword) {
await new Promise((resolve) => setTimeout(resolve, 500)); // delay to prevent brute force attacks await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
return next( return next(
createHttpError( createHttpError(
HttpCode.BAD_REQUEST, HttpCode.BAD_REQUEST,
@ -79,6 +87,44 @@ export async function login(
); );
} }
if (existingUser.twoFactorEnabled) {
if (!code) {
return res.status(HttpCode.ACCEPTED).send(
response<{ codeRequested: boolean }>({
data: { codeRequested: true },
success: true,
error: false,
message: "Two-factor authentication required",
status: HttpCode.ACCEPTED,
}),
);
}
if (!existingUser.twoFactorSecret) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to authenticate user",
),
);
}
const validOTP = await new TOTPController().verify(
code,
decodeHex(existingUser.twoFactorSecret),
);
if (!validOTP) {
await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"The two-factor code you entered is incorrect",
),
);
}
}
const session = await lucia.createSession(existingUser.id, {}); const session = await lucia.createSession(existingUser.id, {});
res.appendHeader( res.appendHeader(
"Set-Cookie", "Set-Cookie",