disable 2fa endpoint

server/routers/auth/disable2fa.ts

@@ -0,0 +1,86 @@
+import { Request, Response, NextFunction } from "express";
+import { verifySession } from "@server/auth";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { fromError } from "zod-validation-error";
+import { unauthorized } from "@server/auth";
+import { z } from "zod";
+import { verify } from "@node-rs/argon2";
+import { db } from "@server/db";
+import { users } from "@server/db/schema";
+import { eq } from "drizzle-orm";
+import { response } from "@server/utils";
+
+export const disable2faBody = z.object({
+    password: z.string(),
+});
+
+export type Disable2faBody = z.infer<typeof disable2faBody>;
+
+export async function disable2fa(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    const parsedBody = disable2faBody.safeParse(req.body);
+
+    if (!parsedBody.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedBody.error).toString(),
+            ),
+        );
+    }
+
+    const { password } = parsedBody.data;
+
+    const { session, user } = await verifySession(req);
+    if (!session) {
+        return next(unauthorized());
+    }
+
+    const existingUser = await db
+        .select()
+        .from(users)
+        .where(eq(users.id, user.id));
+
+    if (!existingUser || !existingUser[0]) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "User does not exist"),
+        );
+    }
+
+    const validPassword = await verify(existingUser[0].passwordHash, password, {
+        memoryCost: 19456,
+        timeCost: 2,
+        outputLen: 32,
+        parallelism: 1,
+    });
+    if (!validPassword) {
+        await new Promise((resolve) => setTimeout(resolve, 250)); // delay to prevent brute force attacks
+        return next(unauthorized());
+    }
+
+    if (!user.twoFactorEnabled) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                "Two-factor authentication is already disabled",
+            ),
+        );
+    }
+
+    await db
+        .update(users)
+        .set({ twoFactorEnabled: false })
+        .where(eq(users.id, user.id));
+
+    return response<null>(res, {
+        data: null,
+        success: true,
+        error: false,
+        message: "Two-factor authentication disabled",
+        status: HttpCode.OK,
+    });
+}

server/routers/auth/index.ts

@@ -3,3 +3,4 @@ export * from "./signup";
 export * from "./logout";
 export * from "./verifyTotp";
 export * from "./requestTotpSecret";
+export * from "./disable2fa";

server/routers/auth/verifyTotp.ts

@@ -80,7 +80,9 @@ export async function verifyTotp(
         data: { valid },
         success: true,
         error: false,
-        message: valid ? "Code is valid" : "Code is invalid",
+        message: valid
+            ? "Code is valid. Two-factor is now enabled"
+            : "Code is invalid",
         status: HttpCode.OK,
     });
 }

server/routers/external.ts

@@ -54,3 +54,4 @@ authRouter.post("/login", auth.login);
 authRouter.post("/logout", auth.logout);
 authRouter.post("/verify-totp", auth.verifyTotp);
 authRouter.post("/request-totp-secret", auth.requestTotpSecret);
+authRouter.post("/disable-2fa", auth.disable2fa);